Edit tour

Windows Analysis Report
1wYGO0mAN2.exe

Overview

General Information

Sample name:	1wYGO0mAN2.exe renamed because original name is a hash value
Original sample name:	436B2F74CD97649E20CED1DC65FB0B95.exe
Analysis ID:	1582911
MD5:	436b2f74cd97649e20ced1dc65fb0b95
SHA1:	f96367071a2f3aa91a6c82968d542c80e670f1fe
SHA256:	e5bcb2a1cdf6cab62da5b7c8e8d78c25acb5627be5028fd5499df561fd4f24df
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM autoit script

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Autoit Injector

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Protects its processes via BreakOnTermination flag

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ipconfig to lookup or modify the Windows network settings

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query the security center for anti-virus and firewall products

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1wYGO0mAN2.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\1wYGO0mAN2.exe" MD5: 436B2F74CD97649E20CED1DC65FB0B95)

wscript.exe (PID: 1120 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3720 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 5488 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cmd.exe (PID: 5420 cmdline: "C:\Windows\System32\cmd.exe" /c pjcvfvnncx.icm vvcrvhm.bmp MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pjcvfvnncx.icm (PID: 2676 cmdline: pjcvfvnncx.icm vvcrvhm.bmp MD5: 0ADB9B817F1DF7807576C2D7068DD931)

RegSvcs.exe (PID: 3620 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 6540 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 6056 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "195.26.255.81", "Port": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc022:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc372:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xcfa8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10258:$a2: Stub.exe 0x102e8:$a2: Stub.exe 0x9724:$a3: get_ActivatePong 0xd1c0:$a4: vmware 0xd038:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa747:$a6: get_SslClient
00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd03a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd108:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d910:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xffb8:$a2: Stub.exe 0x10048:$a2: Stub.exe 0x207c0:$a2: Stub.exe 0x20850:$a2: Stub.exe 0x24590:$a2: Stub.exe 0x9884:$a3: get_ActivatePong 0x1a08c:$a3: get_ActivatePong 0xd320:$a4: vmware 0x1db28:$a4: vmware 0xd198:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d9a0:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa8a7:$a6: get_SslClient 0x1b0af:$a6: get_SslClient
00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd19a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d9a2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd118:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d920:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xffc8:$a2: Stub.exe 0x10058:$a2: Stub.exe 0x207d0:$a2: Stub.exe 0x20860:$a2: Stub.exe 0x9894:$a3: get_ActivatePong 0x1a09c:$a3: get_ActivatePong 0xd330:$a4: vmware 0x1db38:$a4: vmware 0xd1a8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1d9b0:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa8b7:$a6: get_SslClient 0x1b0bf:$a6: get_SslClient
00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd1aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1d9b2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xcf88:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10238:$a2: Stub.exe 0x102c8:$a2: Stub.exe 0x9704:$a3: get_ActivatePong 0xd1a0:$a4: vmware 0xd018:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa727:$a6: get_SslClient
0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd01a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: pjcvfvnncx.icm PID: 2676	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: pjcvfvnncx.icm PID: 2676	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
Process Memory Space: pjcvfvnncx.icm PID: 2676	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: pjcvfvnncx.icm PID: 2676	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 3620	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3620	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1abab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.3.pjcvfvnncx.icm.197c798.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.3.pjcvfvnncx.icm.197c798.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.3.pjcvfvnncx.icm.197c798.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd188:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x9904:$a3: get_ActivatePong 0xd3a0:$a4: vmware 0xd218:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa927:$a6: get_SslClient
8.3.pjcvfvnncx.icm.197c798.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x9904:$str01: get_ActivatePong 0xa927:$str02: get_SslClient 0xa943:$str03: get_TcpClient 0x8df7:$str04: get_SendSync 0x8ef1:$str05: get_IsConnected 0x962d:$str06: set_UseShellExecute 0xd4ae:$str07: Pastebin 0xeb46:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0xd298:$str10: timeout 3 > NUL 0xd188:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd218:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
8.3.pjcvfvnncx.icm.197c798.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd21a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
8.3.pjcvfvnncx.icm.195b788.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.3.pjcvfvnncx.icm.195b788.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xb388:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xe238:$a2: Stub.exe 0xe2c8:$a2: Stub.exe 0x7b04:$a3: get_ActivatePong 0xb5a0:$a4: vmware 0xb418:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x8b27:$a6: get_SslClient
8.3.pjcvfvnncx.icm.195b788.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x7b04:$str01: get_ActivatePong 0x8b27:$str02: get_SslClient 0x8b43:$str03: get_TcpClient 0x6ff7:$str04: get_SendSync 0x70f1:$str05: get_IsConnected 0x782d:$str06: set_UseShellExecute 0xb6ae:$str07: Pastebin 0xcd46:$str08: Select * from AntivirusProduct 0xe238:$str09: Stub.exe 0xe2c8:$str09: Stub.exe 0xb498:$str10: timeout 3 > NUL 0xb388:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xb418:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
8.3.pjcvfvnncx.icm.195b788.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb41a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
13.2.RegSvcs.exe.f00000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.RegSvcs.exe.f00000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.RegSvcs.exe.f00000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd188:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x9904:$a3: get_ActivatePong 0xd3a0:$a4: vmware 0xd218:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa927:$a6: get_SslClient
13.2.RegSvcs.exe.f00000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x9904:$str01: get_ActivatePong 0xa927:$str02: get_SslClient 0xa943:$str03: get_TcpClient 0x8df7:$str04: get_SendSync 0x8ef1:$str05: get_IsConnected 0x962d:$str06: set_UseShellExecute 0xd4ae:$str07: Pastebin 0xeb46:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0xd298:$str10: timeout 3 > NUL 0xd188:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd218:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
13.2.RegSvcs.exe.f00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd21a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
8.3.pjcvfvnncx.icm.195b788.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.3.pjcvfvnncx.icm.195b788.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.3.pjcvfvnncx.icm.195b788.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd188:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x13e08:$a2: Stub.exe 0x9904:$a3: get_ActivatePong 0xd3a0:$a4: vmware 0xd218:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa927:$a6: get_SslClient
8.3.pjcvfvnncx.icm.195b788.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x9904:$str01: get_ActivatePong 0xa927:$str02: get_SslClient 0xa943:$str03: get_TcpClient 0x8df7:$str04: get_SendSync 0x8ef1:$str05: get_IsConnected 0x962d:$str06: set_UseShellExecute 0xd4ae:$str07: Pastebin 0xeb46:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0x13e08:$str09: Stub.exe 0xd298:$str10: timeout 3 > NUL 0xd188:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd218:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
8.3.pjcvfvnncx.icm.195b788.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd21a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1120, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 3720, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\1wYGO0mAN2.exe", ParentImage: C:\Users\user\Desktop\1wYGO0mAN2.exe, ParentProcessId: 6576, ParentProcessName: 1wYGO0mAN2.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , ProcessId: 1120, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\1wYGO0mAN2.exe", ParentImage: C:\Users\user\Desktop\1wYGO0mAN2.exe, ParentProcessId: 6576, ParentProcessName: 1wYGO0mAN2.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , ProcessId: 1120, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\1wYGO0mAN2.exe", ParentImage: C:\Users\user\Desktop\1wYGO0mAN2.exe, ParentProcessId: 6576, ParentProcessName: 1wYGO0mAN2.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , ProcessId: 1120, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: pjcvfvnncx.icm vvcrvhm.bmp, CommandLine: pjcvfvnncx.icm vvcrvhm.bmp, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c pjcvfvnncx.icm vvcrvhm.bmp, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5420, ParentProcessName: cmd.exe, ProcessCommandLine: pjcvfvnncx.icm vvcrvhm.bmp, ProcessId: 2676, ProcessName: pjcvfvnncx.icm

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\1wYGO0mAN2.exe", ParentImage: C:\Users\user\Desktop\1wYGO0mAN2.exe, ParentProcessId: 6576, ParentProcessName: 1wYGO0mAN2.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe" , ProcessId: 1120, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T20:51:33.222041+0100	2035595	1	Domain Observed Used for C2 Detected	195.26.255.81	77	192.168.2.5	49737	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T20:51:33.222041+0100	2035607	1	Domain Observed Used for C2 Detected	195.26.255.81	77	192.168.2.5	49737	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T20:51:33.222041+0100	2842478	1	Malware Command and Control Activity Detected	195.26.255.81	77	192.168.2.5	49737	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "195.26.255.81", "Port": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}

Multi AV Scanner detection for submitted file

Source: 1wYGO0mAN2.exe

ReversingLabs: Detection: 67%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: 1wYGO0mAN2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1wYGO0mAN2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 1wYGO0mAN2.exe

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D6F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00D6F826
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D81630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	0_2_00D81630
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D91FF8 FindFirstFileExA,	0_2_00D91FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0053E387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0054A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0054A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0054A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_0054A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005465F1 FindFirstFileW,FindNextFileW,FindClose,	8_2_005465F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0050C642 FindFirstFileExW,	8_2_0050C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00547247 FindFirstFileW,	8_2_00547247
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00547248 FindFirstFileW,FindClose,	8_2_00547248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005472E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_005472E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0053D836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0053DB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00549F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00549F9F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 195.26.255.81:77 -> 192.168.2.5:49737
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 195.26.255.81:77 -> 192.168.2.5:49737
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 195.26.255.81:77 -> 192.168.2.5:49737
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 195.26.255.81:77 -> 192.168.2.5:49737

Yara detected Generic Downloader

Source: Yara match	File source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49737 -> 195.26.255.81:77

Source: Joe Sandbox View

ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB KCOM-SPNService-ProviderNetworkex-MistralGB

Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81
Source: unknown	TCP traffic detected without corresponding DNS query: 195.26.255.81

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0054D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,

8_2_0054D7A1

Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RegSvcs.exe, 0000000D.00000002.4483490736.0000000005BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegSvcs.exe, 0000000D.00000002.4483371017.0000000005B99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabo
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegSvcs.exe, 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0054F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

8_2_0054F45C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0054F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

8_2_0054F6C7

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

8_2_0054F45C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0053A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

8_2_0053A54A

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_00569ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

8_2_00569ED5

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D69B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00D69B5C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_00531A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

8_2_00531A91

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0053F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

8_2_0053F122

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7355D	0_2_00D7355D
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7B76F	0_2_00D7B76F
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D6BF3D	0_2_00D6BF3D
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D8C0D6	0_2_00D8C0D6
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7A008	0_2_00D7A008
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D892D0	0_2_00D892D0
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7C27F	0_2_00D7C27F
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D75214	0_2_00D75214
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7A222	0_2_00D7A222
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D94360	0_2_00D94360
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D986D2	0_2_00D986D2
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D746CF	0_2_00D746CF
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D648AA	0_2_00D648AA
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D9480E	0_2_00D9480E
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D65AFE	0_2_00D65AFE
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7ABC8	0_2_00D7ABC8
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D67CBA	0_2_00D67CBA
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D7BC05	0_2_00D7BC05
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D63D9D	0_2_00D63D9D
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D74D32	0_2_00D74D32
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D8BEA7	0_2_00D8BEA7
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D75F0B	0_2_00D75F0B
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D65F39	0_2_00D65F39
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F2007	8_2_004F2007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F8037	8_2_004F8037
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004EE0BE	8_2_004EE0BE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004DE1A0	8_2_004DE1A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004D225D	8_2_004D225D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F22C2	8_2_004F22C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0050A28E	8_2_0050A28E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004EC59E	8_2_004EC59E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0055C7A3	8_2_0055C7A3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0050E89F	8_2_0050E89F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0054291A	8_2_0054291A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00506AFB	8_2_00506AFB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00538B27	8_2_00538B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004FCE30	8_2_004FCE30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00507169	8_2_00507169
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005651D2	8_2_005651D2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004D9240	8_2_004D9240
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004D9499	8_2_004D9499
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F1724	8_2_004F1724
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F1A96	8_2_004F1A96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004D9B60	8_2_004D9B60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F7BAB	8_2_004F7BAB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F1D40	8_2_004F1D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F7DDA	8_2_004F7DDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_019E4158	13_2_019E4158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_019E4A28	13_2_019E4A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_019E5FE8	13_2_019E5FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_019E3E10	13_2_019E3E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_07C31B10	13_2_07C31B10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: String function: 00D86630 appears 31 times
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: String function: 00D857A5 appears 34 times
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: String function: 00D857D8 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: String function: 004EFD60 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: String function: 004F0DC0 appears 46 times

Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs 1wYGO0mAN2.exe

Source: 1wYGO0mAN2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, cSqZGleJeFOouKW.cs	Base64 encoded string: 'U4Qta5NOYCAKfRX3jC33qn4iJmvlCu3+2OlNIb1ADi+bvYieIcjUASxy5Hfo/XsgU7sgeUhgbJoLqqK6FQ/5r9OKS7NB9ZwWVp3KswitIvfT9K0q2NNyKFIzjqpcLCva', 'k7K5ec59J6HG1d81wJWz4Ic4HulFyNRW3RGnTifOLJwybrjai/FKGT6BmKJll6227+dWDp0iw4AFIjjVC/UrKA==', 's7rNf6/P8RM612hbWaxbCsb08OwXa34ps3eEDuZZY7IeY2pYcxpjoLBsSy/NzP9gOJmy/tfMwY9cl9YTFkew6wIppiVgdh/eNfo+DBcw07k=', 'iDlwO66ny21yQKZu4/1Ack0jrqESKR2xX3BaBTW4EFWxVZ2ldP8KL6FB7zcvAmfq2zTPGLcXEmuBDUvAQJbepOEPnOkU7BEzGhSJz8w5y13ZPW6laLvDWs0rXKet9Pc78qzBPszH4QZYWzchZSuDkF7YQ6H7JVYlOOQp+ToLzM65mtX458HfPHPBfQBQDffJztfx/aZdCA2bd7R1/dN8SYoWCJi6+cPz14anguEjY1N3/wFtx3VUqoRTYZloCtHPeF2gfmIgAzafMVTy/WMgei2n+UN3UJUwn2OWDB035vMadsziLIvCB68NzElYFNpQTs8CRnTyVnYtI7J1dAGgEhm8BfV/ubEx0vFkNIWQOjGdUMx4qyZ+txfeeDPp3y6G/RQX2k1wChTiHqfibGq80sK9e8047Rr0TfEQmbMmNQrfp3gPbBhpYYNoZCoK7Uh99AUEo/s3dovxjhhM5oklLeBszsLrYvMsLhwdy32mpQhO8TYIWS2Ce1/Vjan2kIbmV6Fuc6ncz/fcXR4oXheSuS7eTg9Y5A6LFqSB89K4xIlMDHt5lDb+QupAJJ2yzM4Z3LEid9BZvpJ4YSqqUggNx9us0njwXh3Gt2Swqf5+gX3XKHdF0sxDQG+Tklwu7FFzsU2OvBFLQ7Z2RT7ArdK6gCyMvK4Gj9imsqT8QDLfllIXhLikTAyR2haH0GDfzz1pXODpL6IU5F32qEB2Fo/JBD3nts5YaEH0xYliqTH40DR2S6adAbE3gpiJpauX3Vfmkul6OsuaBLWwdlTOIpCMQRx7OqFi8T4w8ddnLL/ou3mHHvGKKkGTPbO1LxMN7bZmK1oKP2CzIh8qAm1pz+Mzt5k1EdCAtXflRy5VDEEWNsuHqlX1gTH+r5yC/W1gzxskQpxxQiqL0zYedMh2X96DnCIMyO3QzTlN3JvGLwst4Ov5rgiEo1kOuAQ84YnjCkikoZX7y7Fj7xxPxHbYPQF2HFqcN+XvdG4YhA9bXxjUL7DnykeRZrFlwhGNgxhan7MlfZd3FCZZPEPb1IQ/xZQighzPBvPdnHSaSS2YcdStncZ7lpWio62y86/6pwkriWMraHSk52yIMk0ohApRz/0LGv1pqESZUhEfsIUfpS39NNlqoqQNAMC5QHpFBWA8mdfRblUuZO6/3jsjyQ7+8KH2HN1j4OfFSs4LCnSwuoQUmSDorQE6wUbJ+Nkh+dqmeXaZXKQx0J6EUXCj4QfOg5zXnYQcWogT4W/r2X4CJOKaA4FTEBbskBNP5b5MSgMr2KXCEoMU8GH0Ci4HSOPE+Do4Tqy/KB50JyroBib9xQjZme0w9vp0rYxIShH9MCVcRFBYDctoNpP9DQaQ2dge+yXi5sVVcf1or2Z9TzH52Xenx0bVTEySSaaa+LNjynqn3Iuf0K170/LU+u1meBmYFdALfkil0UKo+siN/DMJpXprYRbrE9KsoU3ojt1RMPR+BVCWwrp6jRU3gRKdXHTiqMpi/fFqvBL+PBpHMCn5VJZJVezv2+KsA15BhVG7i6gNAeVU4QREmZw2Kf3WkHp0D94IcyAJeMREMubYVc/UlhjBXGaSz30WvdKrnGZm/8VRU7SpMM6cybjYuQBk0jDWpxYMgBcWSWjVozg10mYTPyVvcedvV8XYxhmUg1EdaNm44xadYTE5rskTuCyQCbtLxO5N7cbj7HKzCZK8E3AQ54bwVJkFp6Cf5bxhY0Ryka3vUFvCr43v4f0pyr63S7cC5+9e8T3/axZ5ZcxMYiY4/yN/U+MRGXNW/mmQiIIaJFwfwhPjYG8f+8B0q5AZLcEtrZa/NkyNs4Suk0ggoHSIi1kmtSDsFcRQZ+MIx0uVIYaDDj2s1o/b7yacwVBcLFUNMDy/KR3Q+OrSjH8XuTk38S8cXHaKsqcjdYYIc+CKtup2Do+bvxRhz7pXkWO0C+YBZEFX9qKAo1XzKhDjU70rY0hwXKYuzbJKIMovVM0At/81wadsoAqzTs9sOZCyDx10NVo6lLEQ5WsvvpFD/2gMkIKyQo9mDmXRs6Z6sEWwEgOdNBQtgMQGTLjePe/4Hx9SbnTJe8QJETj+ORvWkEfWwB8rVjIZyli2jafIGorww1GVCI8gcp0vn0w8HhonGZewQksJEuevOaoTp4LvPZXRjpJSbIZ5cYHLltz/Tt7zjjKp2TMTT7X39qklInJ7OK9OkDLvbun3TaGPGklEiqTJMyuehpVqaLq+e43KPTIZH7E6tICrWcuebQh+ib8XWFox4H/tD3PIWU/8cAA8mJ8XGelXrsYonSITRG5Vd4G1j64R8AnaoOV1ipcc/WQZW0JksPZJoM65/I3fNyc4Uwwb147UlSE=', 'jQ/BmvL3ZCQLV4bB+QYYm7GW6hANmnzIA4Y6ukYIrlJ4Js6dp/GISJc138goE8jgchUQQqzT7ySejVuWvihZ4SXoyFtz6YLkDbG7/gazS1TaX+OQLiDzWtuOtABEMFBU7E4DnGu7VvRnMr/YevA6ugNI4cAqdUyk76fhx1rz7Y9aGWzaiELaJm+llyU8HDDqurzLQJ7NXjM4+b81VIiZ4PMB0yxe3KQJlD83597oCSMkMASxP1GMi0V6tHFq0gdCMlfLc0fX5oyyw2o8H+CxdlXQqI7lmi40T8nWXevid+GVxJIe4nQhT9x
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, cSqZGleJeFOouKW.cs	Base64 encoded string: 'U4Qta5NOYCAKfRX3jC33qn4iJmvlCu3+2OlNIb1ADi+bvYieIcjUASxy5Hfo/XsgU7sgeUhgbJoLqqK6FQ/5r9OKS7NB9ZwWVp3KswitIvfT9K0q2NNyKFIzjqpcLCva', 'k7K5ec59J6HG1d81wJWz4Ic4HulFyNRW3RGnTifOLJwybrjai/FKGT6BmKJll6227+dWDp0iw4AFIjjVC/UrKA==', 's7rNf6/P8RM612hbWaxbCsb08OwXa34ps3eEDuZZY7IeY2pYcxpjoLBsSy/NzP9gOJmy/tfMwY9cl9YTFkew6wIppiVgdh/eNfo+DBcw07k=', 'iDlwO66ny21yQKZu4/1Ack0jrqESKR2xX3BaBTW4EFWxVZ2ldP8KL6FB7zcvAmfq2zTPGLcXEmuBDUvAQJbepOEPnOkU7BEzGhSJz8w5y13ZPW6laLvDWs0rXKet9Pc78qzBPszH4QZYWzchZSuDkF7YQ6H7JVYlOOQp+ToLzM65mtX458HfPHPBfQBQDffJztfx/aZdCA2bd7R1/dN8SYoWCJi6+cPz14anguEjY1N3/wFtx3VUqoRTYZloCtHPeF2gfmIgAzafMVTy/WMgei2n+UN3UJUwn2OWDB035vMadsziLIvCB68NzElYFNpQTs8CRnTyVnYtI7J1dAGgEhm8BfV/ubEx0vFkNIWQOjGdUMx4qyZ+txfeeDPp3y6G/RQX2k1wChTiHqfibGq80sK9e8047Rr0TfEQmbMmNQrfp3gPbBhpYYNoZCoK7Uh99AUEo/s3dovxjhhM5oklLeBszsLrYvMsLhwdy32mpQhO8TYIWS2Ce1/Vjan2kIbmV6Fuc6ncz/fcXR4oXheSuS7eTg9Y5A6LFqSB89K4xIlMDHt5lDb+QupAJJ2yzM4Z3LEid9BZvpJ4YSqqUggNx9us0njwXh3Gt2Swqf5+gX3XKHdF0sxDQG+Tklwu7FFzsU2OvBFLQ7Z2RT7ArdK6gCyMvK4Gj9imsqT8QDLfllIXhLikTAyR2haH0GDfzz1pXODpL6IU5F32qEB2Fo/JBD3nts5YaEH0xYliqTH40DR2S6adAbE3gpiJpauX3Vfmkul6OsuaBLWwdlTOIpCMQRx7OqFi8T4w8ddnLL/ou3mHHvGKKkGTPbO1LxMN7bZmK1oKP2CzIh8qAm1pz+Mzt5k1EdCAtXflRy5VDEEWNsuHqlX1gTH+r5yC/W1gzxskQpxxQiqL0zYedMh2X96DnCIMyO3QzTlN3JvGLwst4Ov5rgiEo1kOuAQ84YnjCkikoZX7y7Fj7xxPxHbYPQF2HFqcN+XvdG4YhA9bXxjUL7DnykeRZrFlwhGNgxhan7MlfZd3FCZZPEPb1IQ/xZQighzPBvPdnHSaSS2YcdStncZ7lpWio62y86/6pwkriWMraHSk52yIMk0ohApRz/0LGv1pqESZUhEfsIUfpS39NNlqoqQNAMC5QHpFBWA8mdfRblUuZO6/3jsjyQ7+8KH2HN1j4OfFSs4LCnSwuoQUmSDorQE6wUbJ+Nkh+dqmeXaZXKQx0J6EUXCj4QfOg5zXnYQcWogT4W/r2X4CJOKaA4FTEBbskBNP5b5MSgMr2KXCEoMU8GH0Ci4HSOPE+Do4Tqy/KB50JyroBib9xQjZme0w9vp0rYxIShH9MCVcRFBYDctoNpP9DQaQ2dge+yXi5sVVcf1or2Z9TzH52Xenx0bVTEySSaaa+LNjynqn3Iuf0K170/LU+u1meBmYFdALfkil0UKo+siN/DMJpXprYRbrE9KsoU3ojt1RMPR+BVCWwrp6jRU3gRKdXHTiqMpi/fFqvBL+PBpHMCn5VJZJVezv2+KsA15BhVG7i6gNAeVU4QREmZw2Kf3WkHp0D94IcyAJeMREMubYVc/UlhjBXGaSz30WvdKrnGZm/8VRU7SpMM6cybjYuQBk0jDWpxYMgBcWSWjVozg10mYTPyVvcedvV8XYxhmUg1EdaNm44xadYTE5rskTuCyQCbtLxO5N7cbj7HKzCZK8E3AQ54bwVJkFp6Cf5bxhY0Ryka3vUFvCr43v4f0pyr63S7cC5+9e8T3/axZ5ZcxMYiY4/yN/U+MRGXNW/mmQiIIaJFwfwhPjYG8f+8B0q5AZLcEtrZa/NkyNs4Suk0ggoHSIi1kmtSDsFcRQZ+MIx0uVIYaDDj2s1o/b7yacwVBcLFUNMDy/KR3Q+OrSjH8XuTk38S8cXHaKsqcjdYYIc+CKtup2Do+bvxRhz7pXkWO0C+YBZEFX9qKAo1XzKhDjU70rY0hwXKYuzbJKIMovVM0At/81wadsoAqzTs9sOZCyDx10NVo6lLEQ5WsvvpFD/2gMkIKyQo9mDmXRs6Z6sEWwEgOdNBQtgMQGTLjePe/4Hx9SbnTJe8QJETj+ORvWkEfWwB8rVjIZyli2jafIGorww1GVCI8gcp0vn0w8HhonGZewQksJEuevOaoTp4LvPZXRjpJSbIZ5cYHLltz/Tt7zjjKp2TMTT7X39qklInJ7OK9OkDLvbun3TaGPGklEiqTJMyuehpVqaLq+e43KPTIZH7E6tICrWcuebQh+ib8XWFox4H/tD3PIWU/8cAA8mJ8XGelXrsYonSITRG5Vd4G1j64R8AnaoOV1ipcc/WQZW0JksPZJoM65/I3fNyc4Uwwb147UlSE=', 'jQ/BmvL3ZCQLV4bB+QYYm7GW6hANmnzIA4Y6ukYIrlJ4Js6dp/GISJc138goE8jgchUQQqzT7ySejVuWvihZ4SXoyFtz6YLkDbG7/gazS1TaX+OQLiDzWtuOtABEMFBU7E4DnGu7VvRnMr/YevA6ugNI4cAqdUyk76fhx1rz7Y9aGWzaiELaJm+llyU8HDDqurzLQJ7NXjM4+b81VIiZ4PMB0yxe3KQJlD83597oCSMkMASxP1GMi0V6tHFq0gdCMlfLc0fX5oyyw2o8H+CxdlXQqI7lmi40T8nWXevid+GVxJIe4nQhT9x

Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, RsIiOhNZgBqD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, RsIiOhNZgBqD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, RsIiOhNZgBqD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, RsIiOhNZgBqD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/31@0/1

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D6932C GetLastError,FormatMessageW,_wcslen,LocalFree,

0_2_00D6932C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053194F AdjustTokenPrivileges,CloseHandle,		8_2_0053194F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00531F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		8_2_00531F53

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_00545B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

8_2_00545B27

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0053DC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

8_2_0053DC9C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_00554089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

8_2_00554089

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D7EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00D7EBD3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Command line argument: sfxname	0_2_00D8454A
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Command line argument: sfxstime	0_2_00D8454A
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Command line argument: STARTDLG	0_2_00D8454A

Source: 1wYGO0mAN2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1wYGO0mAN2.exe

ReversingLabs: Detection: 67%

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

File read: C:\Users\user\Desktop\1wYGO0mAN2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1wYGO0mAN2.exe "C:\Users\user\Desktop\1wYGO0mAN2.exe"
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c pjcvfvnncx.icm vvcrvhm.bmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm pjcvfvnncx.icm vvcrvhm.bmp
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c pjcvfvnncx.icm vvcrvhm.bmp	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm pjcvfvnncx.icm vvcrvhm.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew	Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1wYGO0mAN2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1wYGO0mAN2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1wYGO0mAN2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1wYGO0mAN2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1wYGO0mAN2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1wYGO0mAN2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1wYGO0mAN2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 1wYGO0mAN2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 1wYGO0mAN2.exe

Source: 1wYGO0mAN2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1wYGO0mAN2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1wYGO0mAN2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1wYGO0mAN2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1wYGO0mAN2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, MbvpxzoYoElhnE.cs	.Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, MbvpxzoYoElhnE.cs	.Net Code: xnzMYjnJtuXB System.AppDomain.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_004D5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_004D5D78

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_7402343

Jump to behavior

Source: 1wYGO0mAN2.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D86680 push ecx; ret	0_2_00D86693
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D85773 push ecx; ret	0_2_00D85786
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00520332 push edi; ret	8_2_00520333
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F0E06 push ecx; ret	8_2_004F0E19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004EDBF6 push cs; iretd	8_2_004EDBFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_07C32968 push esp; retf	13_2_07C32975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_07C3193A push esp; retf	13_2_07C31941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_07C328F0 pushad ; retf	13_2_07C328FD

Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, nEUsGCMtCWeF.cs	High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
Source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, utoIMOcfPuYy.cs	High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, nEUsGCMtCWeF.cs	High entropy of concatenated method names: 'MkcRCSWyaQ', 'QJrsxPjyHPP', 'aqxJnMSPXGzizqqE', 'BdiZOqLbMQAS', 'fvjMXFzRonmCT', 'HtyOywHBFsudJzv', 'xClNxgMlMfLm', 'aeSEXTiqerkRs', 'xhCRVbSciuMm', 'JDxUVjtXpVIckT'
Source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, utoIMOcfPuYy.cs	High entropy of concatenated method names: 'OERpoxwXlZYf', 'ddFaDMrhFJfCyvv', 'DbnvmKANtKCZBK', 'TKQelXawMCLja', 'sqKyuhccwsYU', 'QrIYISIdbPF', 'FcfYiHtDofMwv', 'WVjMeBvRagZAQF', 'mqsMnazHHfpS', 'mCSmJupfHPx'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Jump to dropped file

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005625A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		8_2_005625A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004EFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		8_2_004EFC8A

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM autoit script

Source: Yara match

File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: pjcvfvnncx.icm, 00000008.00000003.2250994867.000000000183A000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2253756718.0000000001843000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246774402.0000000001836000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246712346.000000000182D000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: pjcvfvnncx.icm, 00000008.00000003.2253949553.0000000001840000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2250994867.000000000183A000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246774402.0000000001836000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246712346.000000000182D000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000002.2255045252.0000000001841000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE").H%
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, vvcrvhm.bmp.0.dr	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251145527.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251485137.00000000018DA000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXE'T
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251145527.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251485137.00000000018DA000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEQT
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, vvcrvhm.bmp.0.dr	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: pjcvfvnncx.icm, 00000008.00000003.2246712346.0000000001867000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000002.2255067581.0000000001867000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001867000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2253756718.0000000001867000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251145527.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251485137.00000000018DA000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXES
Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, vvcrvhm.bmp.0.dr	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 9555

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

API coverage: 4.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D6F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00D6F826
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D81630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	0_2_00D81630
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D91FF8 FindFirstFileExA,	0_2_00D91FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0053E387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0054A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0054A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0054A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_0054A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005465F1 FindFirstFileW,FindNextFileW,FindClose,	8_2_005465F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0050C642 FindFirstFileExW,	8_2_0050C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00547247 FindFirstFileW,	8_2_00547247
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00547248 FindFirstFileW,FindClose,	8_2_00547248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005472E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_005472E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0053D836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_0053DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_0053DB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00549F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00549F9F

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D84E14 VirtualQuery,GetSystemInfo,

0_2_00D84E14

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: pjcvfvnncx.icm, 00000008.00000003.2246712346.000000000182D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: RegSvcs.exe, 0000000D.00000002.4483490736.0000000005BB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!+
Source: RegSvcs.exe, 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: pjcvfvnncx.icm, 00000008.00000003.2246712346.000000000182D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
Source: pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenU$0
Source: vvcrvhm.bmp.0.dr	Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareService.exe536C7
Source: pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenc$0
Source: vvcrvhm.bmp.0.dr	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: pjcvfvnncx.icm, 00000008.00000003.2253211058.000000000187E000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251598278.0000000001872000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2253333297.0000000001882000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxTray.exe
Source: pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe;
Source: pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Thend$0
Source: pjcvfvnncx.icm, 00000008.00000003.2246712346.000000000182D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: vvcrvhm.bmp.0.dr	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VboxService.exe
Source: pjcvfvnncx.icm, 00000008.00000003.2253549764.0000000001827000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2253622931.0000000001827000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2253995330.0000000001827000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2250969174.0000000001826000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000002.2254880056.0000000001827000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2183627043.0000000001814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: vvcrvhm.bmp.0.dr	Binary or memory string: If ProcessExists("VBoxTray.exe") Then

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

API call chain: ExitProcess graph end node

graph_0-29940

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_019E1CE8 CheckRemoteDebuggerPresent,

13_2_019E1CE8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0054F3FF BlockInput,

8_2_0054F3FF

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D86878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D86878

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_004D5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_004D5D78

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D8ECAA mov eax, dword ptr fs:[00000030h]		0_2_00D8ECAA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F5078 mov eax, dword ptr fs:[00000030h]		8_2_004F5078

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D92CE0 GetProcessHeap,

0_2_00D92CE0

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D86878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D86878
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D8AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D8AAC4
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D86A0B SetUnhandledExceptionFilter,	0_2_00D86A0B
Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Code function: 0_2_00D85BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D85BBF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_005029B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005029B2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_004F0BCF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F0D65 SetUnhandledExceptionFilter,	8_2_004F0D65
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_004F0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_004F0FB1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F00000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F00000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F00000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C9E000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

8_2_00531A91

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_004D3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

8_2_004D3312

Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: winmgmts:\\localhost\root\securitycenter25733c/648b7/3ww	memstr_7ccce17a-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06in	memstr_46217684-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\c:\users\user\appdata\local\temp\rarsfx0\ogjh.bin	memstr_42702854-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -command add-mppreference -exclusionpath "w	memstr_f5b0b637-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da07ca89775d4d1b92a6dc1e62af4b9c434069fa3w	memstr_8bd96878-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0\ogjh.binnsi	memstr_3f3e5655-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006	memstr_cc4ae65e-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jthzmqqiaytoymaujnudhh.exe	memstr_8247d08b-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: numberofrvaandsizesnrsionl\temp\rarsfx0\smmetgr.fqg	memstr_5eb0d217-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9db20eeab5f7c770ab38aea25559365ae7f7e49faiv	memstr_854d62c7-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss$v	memstr_f1923ee5-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershelle	memstr_82062acb-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process explorer	memstr_24dc1b46-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exes	memstr_2d72de3a-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antivirusfu	memstr_0ae54c39-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.execu	memstr_e1db43d0-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: colitems\|u	memstr_12b2df31-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss2u	memstr_8ce02d0c-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: objantivirusproduct	memstr_dd0836f3-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: usbrn	memstr_21598fbf-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: taskmgr.exett	memstr_6fc743b5-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processhacker.exeqt	memstr_24cb74fe-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exe't	memstr_a7e12707-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antianalysis	memstr_71c7e8d4-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smartsniff	memstr_d653da9f-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss	memstr_cdc175b1-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disabler	memstr_8b9524b3-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp64.exeb	memstr_46e634b9-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process hacker	memstr_f77758ec-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: taskmgr.exes5	memstr_d38679a0-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wireshark	memstr_39ae6c90-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smartsniff~	memstr_285775a5-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpeyee	memstr_5c303894-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpeye.exee	memstr_601de9af-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gwk&c[?	memstr_5581d11b-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpeyets	memstr_24713f29-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h[t@t^t	memstr_9eaf964f-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h[t@t^tk	memstr_263f5bc8-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_allocateexespace	memstr_a25e74e5-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: errorc	memstr_39ad6a03-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41	memstr_44b87440-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41m	memstr_470c9eca-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b8f	memstr_30dd819f-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_fixreloc	memstr_b4fc6a3a-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea1030299	memstr_9aed884f-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9de0ae6bc5141	memstr_3392e7a4-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb25541[	memstr_fdb04275-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c70ae2a444794bt	memstr_86b50639-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernel32.dll	memstr_4ad27d42-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c717*	memstr_a102fbf8-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029	memstr_e159b6d4-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06	memstr_792182e0-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da0be9ba597d610c	memstr_b0c6af75-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c708eba95741	memstr_a3db6c6d-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_allocateexespaceataddress	memstr_a00fc81a-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c70ae6bc5141l	memstr_6630f1ad-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41i	memstr_c3d4881c-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: error	memstr_fb5db13d-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c70ae6bc5141	memstr_30bb6b10-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c418	memstr_af4372b1-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bufferasmetdataa	memstr_e7644956-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellz	memstr_09f0a859-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_unmapviewofsectionw	memstr_86eb5e5c-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __runpe	memstr_bbd57b33-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binary-	memstr_528cc274-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_iswow64process	memstr_9ba534a0-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binbufferetdata	memstr_6c0a65a8-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sssssso	memstr_195132fc-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssssh	memstr_ff479f37-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bufferasm;	memstr_d7cd8806-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntdll.dll	memstr_f384bdd7-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41@	memstr_2b8028b1-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binbuffer]	memstr_4f849b70-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: errorv&8	memstr_47871313-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: egxui.exelhandled ad	memstr_00e4dcc8-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _crypt_decryptdata	memstr_96e8ea7a-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountdecad	memstr_24370b58-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: execquery////6b//65//7,	memstr_8bbc6774-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: displayname5	memstr_adab1f81-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avastui.exeountdec:	memstr_0b7954a4-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_dllhandle	memstr_3f42b441-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avastsvc.exexreloc ad	memstr_716b4f8b-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgui.exe	memstr_5fb3ea27-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgsvc.exelocalhost\ro	memstr_4be846cd-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe	memstr_22749c51-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scriptdir	memstr_0a86764b-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_dllhandlesetre	memstr_d6a112c9-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3499bfda1b69b8irpc	memstr_81423772-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sssssseplace	memstr_5bf42727-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountecrus	memstr_73a308f9-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _crypt_derivekey851e87	memstr_0433928e-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountinc	memstr_37a3f77b-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x385xxx6f9fe1cc8047c	memstr_3f257c5a-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y08644747068671a053ha	memstr_9f48d254-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sexemodulef	memstr_0564217b-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binbufferetptro	memstr_8ce7dfcd-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disablesysrestorend adt	memstr_c17f6f5b-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_fixrelocad]	memstr_0bbd304f-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_contextsetb	memstr_5de34e36-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: colitemsk	memstr_186b18e9-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtualallocexp	memstr_ca28885e-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iswow64process5a7537d6y	memstr_8e69e1a7-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernel32.dll~	memstr_13a754c2-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntunmapviewofsection#	memstr_d212d44c-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c708eba95741(	memstr_820c214c-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c411	memstr_7ddb963e-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtualallocex?	memstr_7052d2da-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword_ptr	memstr_d70d7343-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofblock	memstr_36ef6d8f-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword_ptrc61ef5a7537d6	memstr_23b9a63b-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word[uctcreatea4516c7	memstr_09056260-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb25541	memstr_8a16d7a2-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c717a89775d4	memstr_dd9a5577-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ptrtructcreatea5527d6	memstr_4302a85a-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtualaddress	memstr_281b0b77-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernel32.dllef5a7537d6	memstr_774634c0-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernel32.dllfe3ac427d6	memstr_440777bc-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb25541b	memstr_b47ee898-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtualallocexeb255777k	memstr_2eb33a4e-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user32.dllp	memstr_2b0f4a84-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: byte[uctcreatey	memstr_9249069b-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: byte[uctcreate^	memstr_626c692c-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: asmryleng	memstr_66d30478-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndowprocwl	memstr_1c0f7c6c-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bufferasmetptru	memstr_14b1e93c-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sexemodulez	memstr_8abcbc0f-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binaryen	memstr_95e73905-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 68`n\|	memstr_05fa0864-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: thread	memstr_f0f6b886-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sw_hide	memstr_8959ffca-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: machine	memstr_66efff86-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process	memstr_d968f3be-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spare	memstr_a1c2b102-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mutantp	memstr_5a443a6f-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: magicd	memstr_619f10a8-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: magic	memstr_28157205-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0x65	memstr_1a393e7f-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0x3h5	memstr_41cd08df-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ptrel3	memstr_4c6faa26-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0x@f5[	memstr_da6c31a5-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: handleb	memstr_e49b3cdf-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ptrualm	memstr_f566a7d1-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword	memstr_80c5f8df-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pages	memstr_0f625408-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: handle	memstr_404f26d9-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssword}	memstr_3715515c-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ptr3@	memstr_4d6cc857-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword5g	memstr_b0443807-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: checkins	memstr_4372ead9-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mutexpy	memstr_7617ef9d-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: loopin	memstr_80ea17b4-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: runonce	memstr_d6784ff3-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _msgbox	memstr_e43fe301-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dr68h	memstr_9ea160d7-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mainpe	memstr_c88d1524-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: denario	memstr_96e7d9a2-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: delaye$	memstr_c01a8697-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup/	memstr_a67713fc-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runpe	memstr_a78ac3e1-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: proch	memstr_84c20bf2-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inte(	memstr_95a34351-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell	memstr_491dec83-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe	memstr_6a3aa63c-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bool*(	memstr_e12e1f50-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ncalrpc	memstr_b57cd6d7-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 302494	memstr_a957ded9-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exest	memstr_72ae4aaa-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: teg@o	memstr_a02dabd7-5
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binary6	memstr_8e6842cd-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tagword	memstr_6134af75-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: overlay	memstr_112fc281-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup	memstr_68e43c34-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup^	memstr_4a3db20b-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binary	memstr_c57b0c54-e
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runpeh	memstr_e06e87a7-f
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mutex	memstr_b3660194-8
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellok	memstr_696fd80f-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: closeq	memstr_0d62a002-b
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msgboxx	memstr_82fc2426-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: checkin	memstr_6ff29b3a-1
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: callwi	memstr_7d317c06-9
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uwrb0	memstr_aac1fddf-7
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segcs	memstr_d2a3fbb2-2
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eflagst	memstr_62568b34-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segss	memstr_7a70d783-d
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: titlex	memstr_2ea2005a-0
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: desktop	memstr_18e4370e-c
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sw_hide5	memstr_36f89573-a
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbsize	memstr_4f256d0e-4
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xsize	memstr_8ecd7271-6
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: flags0	memstr_294b1866-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ysize	memstr_ddf0b74a-3
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spare2	memstr_e3595707-b
Source: pjcvfvnncx.icm, 00000008.00000003.2185471708.0000000001794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \registry\machine\software\wow6432node\microsoft\windows\currentversion\explorer\knownfoldersettings\registry\machine\software\wow6432node\microsoft\windows\currentversion\explorer\knownfoldersettingsg	memstr_0143a767-4
Source: pjcvfvnncx.icm, 00000008.00000003.2185471708.0000000001794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y\machine\software\microsoft\windows\currentversion\explorer\knownfoldersettings	memstr_efef80fd-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .text	memstr_63c6a0ff-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h.text	memstr_ad3b9f50-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `.rsrc	memstr_1ed66261-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `.rsrc	memstr_df80c806-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @.reloc	memstr_76bda1cb-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @@.reloc	memstr_12b44bf7-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xc=vd	memstr_0751fbc9-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9a./\	memstr_cd3d188e-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %r="po	memstr_67f6288f-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ru"po	memstr_64f31d63-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r/"p((	memstr_41b43038-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rk"po	memstr_4f23ce72-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %re"po	memstr_b3871078-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw"po`	memstr_3ce87365-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &8r~h	memstr_ecfabdf5-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rm#p(k	memstr_7070d1c5-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rq#p(r	memstr_94f7c2c4-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r{#pot	memstr_e2af57d2-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *adq(y	memstr_806eed43-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r5$po	memstr_7ca6529c-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ro$p((	memstr_3db903c3-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9$r{$po	memstr_f0e6a02e-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r{$po	memstr_2191bb69-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r="po	memstr_43012b5f-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r/%p(	memstr_b09c6d3b-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r3%pr=%po	memstr_3a149a04-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ri%pru%po	memstr_886e3ae5-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra%po	memstr_dbb272da-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rk%po	memstr_6de96eac-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw%prk%po	memstr_2d99032c-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ri%po	memstr_f7e80756-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rm)p(r	memstr_4dd73a8d-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r(*p(r	memstr_b17c6cde-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw0po	memstr_cff4d34c-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rh1po	memstr_72f6a47f-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ry2po	memstr_e07ef54d-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ry2po	memstr_67d169a8-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rn3po	memstr_d987716c-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rh3po	memstr_4c0ed5ff-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r74po	memstr_6831f677-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rq4po	memstr_b047efac-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ri4p(r	memstr_b8aa469a-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r 5po	memstr_bed6c4ee-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r<5po	memstr_e525052a-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rv5p(r	memstr_64854e92-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r#6po	memstr_1a7769af-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r76p(r	memstr_b325f049-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r07p(r	memstr_08eb058a-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r%8po	memstr_de1f3f0d-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r=8po	memstr_41263f62-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs8p(r	memstr_00755df7-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rm8po	memstr_f4d4b54e-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r19po	memstr_4d46e825-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra9p(r	memstr_1709d5e5-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs9po	memstr_a29b0cf0-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rm9po	memstr_13028769-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: re"po	memstr_fa403218-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =%rm:p	memstr_2e668a01-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rq:p(k	memstr_373451aa-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ru:p((	memstr_0e2b87dc-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra:p((	memstr_4318096e-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ro:p((	memstr_84fef7f5-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r}:p((	memstr_f5d91078-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8or!;p	memstr_a9c56e1c-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8dr-;p	memstr_e9d98bd7-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8yr-;p	memstr_b3aaf3e0-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8nr;;p	memstr_84453144-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8cr;;p	memstr_976e0502-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 88rk;p	memstr_cd2c5c24-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8-ry;p	memstr_41d3f043-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8"re;p	memstr_55da1ca9-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yl#n@[(	memstr_a048232e-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yl#8@[(	memstr_023d92d9-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r=<ps	memstr_9508c655-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r{<po	memstr_ffa2ea35-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hou;&	memstr_49480a62-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r)=p((	memstr_c9fae74d-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rg=p((	memstr_9b699578-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw=p((	memstr_68130f5f-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rk=p((	memstr_bae326bb-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r'>p((	memstr_b40e430d-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r5>p((	memstr_a0075332-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra>p((	memstr_b32bd2d0-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw>po	memstr_960d8a21-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r_>po	memstr_8605c4a2-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ru>po	memstr_975e1a93-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r)=po	memstr_75e69e1d-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rg=po	memstr_3e79a7ca-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r!?po	memstr_23bbe306-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r+?po	memstr_5f1519af-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r1?po	memstr_7c47564a-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r_?po	memstr_13283d40-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ri?po	memstr_d8954c97-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs?po	memstr_998eab16-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r'>po	memstr_7977aa8a-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %r#@po`	memstr_f51f216d-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %r3@pod	memstr_362dfd68-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw@po	memstr_4cab46c3-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rmaps	memstr_a7e5e42e-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r{aps	memstr_0d06c166-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k8iz8f	memstr_78156082-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rr'3@8m	memstr_5ea43324-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nn'8ib8i	memstr_346a9134-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r#bps-	memstr_06518d1b-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0btfy	memstr_5b53074a-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v4.0.30319	memstr_0ed2c7ad-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ##~@$	memstr_337f4c37-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #strings	memstr_f09d77dd-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .#strings	memstr_910f2d5b-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rlb#ush	memstr_99215831-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #guid	memstr_7a4fbedc-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #guidx	memstr_9f6f6ebe-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #blob	memstr_72f5213a-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >fu	memstr_e7f3bb58-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p ap [	memstr_daefed8c-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: action`10	memstr_3009281e-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <read>b__0	memstr_e6271b1c-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <read>b__2_1	memstr_45042869-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ienumerable`1	memstr_801c2b0c-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: callsite`1	memstr_f737c227-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: list`1	memstr_5403e105-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.win32	memstr_2bbb9a3b-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user32	memstr_f7db1608-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: touint32	memstr_277ed754-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readint32	memstr_d8f5c4df-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: toint32	memstr_1e779ac9-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x509certificate2	memstr_a37e3b01-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: touint64	memstr_16b160d0-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: toint64	memstr_182cd927-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: touint16	memstr_4c19f89f-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: toint16	memstr_881bda7b-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hmacsha256	memstr_2d0b924c-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_utf8	memstr_366c01e8-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <module>	memstr_52b9147a-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yfgljoecjvmfa	memstr_788c6387-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: faobyadxqyta	memstr_f6ced5f8-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: belvobibzgada	memstr_86b3ef0c-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yksxqkwrlbkfa	memstr_492ee22c-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: systemparametersinfoa	memstr_8c1f372c-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nkgwkjknra	memstr_668aa29e-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nlkkhobopra	memstr_33d31727-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: whmjkplioaixusa	memstr_983309a7-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pmwgcbpncb	memstr_a667cf34-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noqtjyclkwfb	memstr_21d22a68-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lwapoxsfib	memstr_eddfc4ce-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jkvfzcwvrqmhvb	memstr_c3e9bec8-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xnzmyjnjtuxb	memstr_02a1cb3b-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cdxpjqodbsbcyb	memstr_f298e7bc-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: thjntaljsdb	memstr_6363ba77-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xlcobtrxexewugb	memstr_e3a7a6ca-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: egshoskepeukb	memstr_9fb42058-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xxdptrvbqkqunb	memstr_abdd90ad-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hixvzvidjwqb	memstr_31b0edc6-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: esbclkbdtsb	memstr_e87c602b-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbzplrrrguc	memstr_c5f6a3bb-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sknopdtcqzc	memstr_9afa0f38-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: whmqemhfdwhyexpdhd	memstr_a3f130ab-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mapnametooid	memstr_91b17463-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_formatid	memstr_66d172e1-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lhginhyfgltd	memstr_7fd0422f-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zzviigyurnarmd	memstr_6e42832e-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsiiohnzgbqd	memstr_6858aa8a-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ltfcyggmwgrd	memstr_42e111fc-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xzaaahurfrmeyd	memstr_52af83a9-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ewtzbvktqide	memstr_9a841df4-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nxzmdvrfxmowee	memstr_d9ec1646-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mbvpxzoyoelhne	memstr_295a2347-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aqxjnmspxgzizqqe	memstr_c1e6ce0d-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: chpxxdzxcccxre	memstr_5ca5da9a-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qmwfiobriohaf	memstr_7dc22c92-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rgmlxnerlif	memstr_b9134358-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lmublyyctteqmxnf	memstr_2a647d60-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: delxirbykvmnf	memstr_21a7da2f-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: skhxdqbznf	memstr_d900e8f9-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qriyisidbpf	memstr_0336054c-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wvjmebvragzaqf	memstr_9c2db5ca-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndtutnbelwf	memstr_c56f7bc5-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: neusgcmtcwef	memstr_c5cc1626-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xsghlwoctlf	memstr_71def095-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shtxwcdrqqmf	memstr_10d080dc-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ivrbvdfnhkmhag	memstr_2992eb05-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dplvoyazigycg	memstr_5bbd758d-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cfqkmiaekfdg	memstr_4de6e7e8-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iljmhamnig	memstr_4b59b5ea-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rdwtmovixqog	memstr_cdc27a55-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: azhoarzzpvhlvog	memstr_6457c457-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mvejgtnbewpg	memstr_b951b0bf-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uapfvsfiug	memstr_afcc9570-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qlavravchgh	memstr_c2e8da36-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: snbrigletkvhzih	memstr_ee397f69-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: syxazogkcnh	memstr_b7376cbf-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: threcskyihewph	memstr_7bef7add-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qjsecsznsnvh	memstr_46b52cca-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mnkdysxugjcbeh	memstr_bfe35997-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iysnnfqosfh	memstr_9b7c7579-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mbfvimjkkhrgh	memstr_d93b96ae-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ikvenwbphqzhh	memstr_71c42e03-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nxrozzcxakkauh	memstr_6d46d29d-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yixzaotyopbzh	memstr_0b4aba8c-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tboxobnnneounoai	memstr_5b866232-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: erbiderktursei	memstr_531cc730-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_ascii	memstr_ec36241c-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cworiungbiki	memstr_5d2b81ea-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vzjxdhcqxjyivti	memstr_4d22c555-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qbfzhchttxkwui	memstr_f88e027e-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hcixesvwaitqjii	memstr_4c7b0ed3-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kmbmsubkcj	memstr_d9cc87af-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: osyqvlaqdzrcjj	memstr_131d8fcd-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sbpbufgrnvbgvj	memstr_9c739245-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zejnqjdrewj	memstr_01bc3037-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fcyaeaayxaj	memstr_46cf42a7-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: peudmykjogj	memstr_6de67f00-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hhexjcanagwj	memstr_5663852b-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dbnvmkantkczbk	memstr_d6e9cff0-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ngtdyvcdnqk	memstr_2d77effe-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ipveyfwavok	memstr_c09bc6be-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccyclhnedwadbl	memstr_283fd012-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kaookfuxrjpqwbll	memstr_df06789a-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nsufmvajxawbonl	memstr_6e3323c8-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wyhgijkewpqanl	memstr_eb77951d-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fgqaggzxnl	memstr_889bca42-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: thcotjcuyql	memstr_f708d2f8-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kxrkumvcqdl	memstr_4e22a8ac-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hujvfvmzluyjl	memstr_810a3a6c-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wgrdkvcmodhvml	memstr_9d027e57-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ehgzbldvimol	memstr_d3add69e-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jtavkveeruvulkwl	memstr_4951fd67-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: krzfsdlolbcrvham	memstr_806a90a6-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ifqwssdmtewgm	memstr_ba8a8f50-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dcphyggbmm	memstr_e244dc85-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rceagoyvgxmm	memstr_d17df72b-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zmtmexagceeknm	memstr_ba1fe2db-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: quzajxbaxepbtm	memstr_f70c2054-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoklygsqwm	memstr_56700333-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: syxubsyltxm	memstr_36fc126f-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oxmzimjdbm	memstr_70691d59-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wvxgrkyplvhim	memstr_b08c5a8d-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mwjnifkuffnkn	memstr_f9ffc9c8-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtgjemnpgcwn	memstr_2f69cbc9-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gpqhpyipxffn	memstr_9ae93453-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gzabgxvpeemn	memstr_11e870af-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pzgmqvtufznn	memstr_af3f8582-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pguxggozzwsn	memstr_f345135e-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vuhfxuopulun	memstr_a5907061-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: owhccxmelaivvn	memstr_f1b4e5f5-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ivtoxfqpvn	memstr_8bb4a4ba-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wqehyrgnjdxn	memstr_84c701f9-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: otxszubxyn	memstr_d86bf787-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bygoumnzfjydjbo	memstr_f4c90584-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: luvkqqaipwmpueo	memstr_2b495de9-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: system.io	memstr_cf99be01-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zvnirrjyvkomvplo	memstr_e5b44bc3-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fbckouotswno	memstr_b95c6cec-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cogoectvavmdjpo	memstr_d0ad333d-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zgzdbibcovwso	memstr_320943bf-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zcrultcpzuwto	memstr_1902fc47-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yhephowrihxmxo	memstr_63ab6a2c-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rwsttucgjzo	memstr_30f62024-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjbgjlreioadp	memstr_cc36feb6-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wdzdmtlblfdoop	memstr_f1529b0a-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qjrsxpjyhpp	memstr_91c0c556-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vfygppzpjmcqpp	memstr_4c48c5d4-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fbpgrmfplwzywlhqp	memstr_0208df33-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wfdwtczpzaup	memstr_dd1b9b95-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oaweuebpwzigp	memstr_9ee1d00a-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ypjcktdazlbsxp	memstr_9f0550d2-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: foyaowuotkq	memstr_d8711fc5-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qveqyouossnfamq	memstr_e4b161ed-c
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oscdfdcvvomuq	memstr_81daf876-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mkcrcswyaq	memstr_d511f340-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kptcbbbqvobbbq	memstr_5c9758ff-f
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wxtimjjmckq	memstr_5c884aa1-0
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vwizolnthlpyulq	memstr_54fb25f2-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jxixgaidpcsq	memstr_50ce6d16-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ugnyjnfxewq	memstr_f6dfe3bc-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rwnkkqyllxq	memstr_a6944e23-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mlxuittqphyq	memstr_5e899f2e-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lmakcnvcarcr	memstr_5ee11a17-e
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ueegnatvhkygr	memstr_88e5671e-1
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imihpqvaksur	memstr_d6ef369f-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: srooxnwergeylhr	memstr_97881277-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tqhkmcbcinur	memstr_e1bdf0c1-2
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdizoqlbmqas	memstr_44826201-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jeszfvjeltis	memstr_06e39cb3-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yxqjspooxdqcs	memstr_b7da864d-8
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xuxqtdxabfks	memstr_1ad3f598-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mxkctsdzucukxks	memstr_ecf96fe7-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: icspnxoygskps	memstr_48aa1162-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mqsmnazhhfps	memstr_1d8ed0e0-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oylqqgnsrrs	memstr_fdcd54c1-5
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zslhianaudruws	memstr_9b777c25-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: htvvwiggemfvizs	memstr_f5ab071b-4
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uqgwcxypyborzs	memstr_03feaec4-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fvjmxfzronmct	memstr_1de9e8ff-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sqvxaavtrlppt	memstr_49d96241-a
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kwiocivbufyuvpt	memstr_f781b4ec-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omzurdtott	memstr_afabe1c6-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jdxuvjtxpvickt	memstr_4762f391-7
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vfwnongrlcett	memstr_3bc10063-3
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iponlbpikmifu	memstr_2577cdf7-9
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ekvjjetaenu	memstr_6edabdce-b
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: puctwjbsshkvyu	memstr_80b6d4b5-6
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sqkyuhccwsyu	memstr_bc4f2090-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: asahgldmuoykdvmau	memstr_32fb15ab-d
Source: pjcvfvnncx.icm, 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spmshwtwtju	memstr_5665f9b8-2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0053BB02 SendInput,keybd_event,

8_2_0053BB02

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0053EBE5 mouse_event,

8_2_0053EBE5

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c pjcvfvnncx.icm vvcrvhm.bmp	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm pjcvfvnncx.icm vvcrvhm.bmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_005313F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

8_2_005313F2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_00531EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

8_2_00531EF3

Source: 1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D54000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000000.2170787318.0000000000593000.00000002.00000001.01000000.0000000A.sdmp, pjcvfvnncx.icm.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: pjcvfvnncx.icm, 00000008.00000003.2253211058.000000000187E000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251598278.0000000001872000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: pjcvfvnncx.icm	Binary or memory string: Shell_TrayWnd
Source: pjcvfvnncx.icm, 00000008.00000002.2254880056.00000000017F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: vvcrvhm.bmp.0.dr	Binary or memory string: If WinGetText("Program Manager") = "0" Then

Language, Device and Operating System Detection

Yara detected Autoit Injector

Source: Yara match

File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D86694 cpuid

0_2_00D86694

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00D7FD34

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D8454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00D8454A

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0052E5F8 GetUserNameW,

8_2_0052E5F8

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Code function: 8_2_0050BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_0050BCF2

Source: C:\Users\user\Desktop\1wYGO0mAN2.exe

Code function: 0_2_00D703BE GetVersionExW,

0_2_00D703BE

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 8.3.pjcvfvnncx.icm.197c798.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.pjcvfvnncx.icm.195b788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pjcvfvnncx.icm PID: 2676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251145527.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251485137.00000000018DA000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251145527.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251485137.00000000018DA000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: pjcvfvnncx.icm, 00000008.00000002.2255260671.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2247571762.0000000001871000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251145527.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2251485137.00000000018DA000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000003.2246626915.000000000186A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGUI.exe
Source: RegSvcs.exe, 0000000D.00000002.4483371017.0000000005B82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: pjcvfvnncx.icm	Binary or memory string: WIN_81
Source: pjcvfvnncx.icm	Binary or memory string: WIN_XP
Source: pjcvfvnncx.icm.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: pjcvfvnncx.icm	Binary or memory string: WIN_XPe
Source: pjcvfvnncx.icm	Binary or memory string: WIN_VISTA
Source: pjcvfvnncx.icm	Binary or memory string: WIN_7
Source: pjcvfvnncx.icm	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00552163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		8_2_00552163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	Code function: 8_2_00551B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		8_2_00551B61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	121 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	11 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 DLL Side-Loading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Masquerading	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1wYGO0mAN2.exe	68%	ReversingLabs	Win32.Backdoor.Asyncrat

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm, 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmp, pjcvfvnncx.icm.0.dr	false	high
https://www.autoitscript.com/autoit3/	1wYGO0mAN2.exe, 00000000.00000003.2060928240.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, pjcvfvnncx.icm.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
195.26.255.81	unknown	United Kingdom		8897	KCOM-SPNService-ProviderNetworkex-MistralGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582911
Start date and time:	2024-12-31 20:50:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1wYGO0mAN2.exe renamed because original name is a hash value
Original Sample Name:	436B2F74CD97649E20CED1DC65FB0B95.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/31@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 170 Number of non-executed functions: 228
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 1wYGO0mAN2.exe

Simulations

Behavior and APIs

Time	Type	Description
14:51:24	API Interceptor	1x Sleep call for process: 1wYGO0mAN2.exe modified
14:52:03	API Interceptor	7126555x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.26.255.81	yjOJ1YK5M3.exe	Get hash	malicious	AsyncRAT	Browse
195.26.255.81	QHLQyYBiH7.exe	Get hash	malicious	AsyncRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KCOM-SPNService-ProviderNetworkex-MistralGB	yjOJ1YK5M3.exe	Get hash	malicious	AsyncRAT	Browse	195.26.255.81
	u233hvgTow.exe	Get hash	malicious	RedLine	Browse	212.56.41.77
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	195.200.31.22
	xd.x86.elf	Get hash	malicious	Mirai	Browse	194.164.201.126
	0Ty.png.exe	Get hash	malicious	Xmrig	Browse	194.164.234.171
	https://a41c415c7bccad129d61b50d2032009e.aktive-senioren.biz/de/st/1?#bqcnl4tocgzq65tck3bv	Get hash	malicious	Unknown	Browse	194.164.200.113
	ub8ehJSePAfc9FYqZIT6.arm.elf	Get hash	malicious	Mirai	Browse	195.26.252.19
	ub8ehJSePAfc9FYqZIT6.sh4.elf	Get hash	malicious	Unknown	Browse	195.26.252.19
	ub8ehJSePAfc9FYqZIT6.ppc.elf	Get hash	malicious	Unknown	Browse	195.26.252.19
	ub8ehJSePAfc9FYqZIT6.m68k.elf	Get hash	malicious	Mirai	Browse	195.26.252.19

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm	yjOJ1YK5M3.exe	Get hash	malicious	AsyncRAT	Browse
	Rage.exe	Get hash	malicious	Unknown	Browse
	Rage.exe	Get hash	malicious	Unknown	Browse
	copia111224mp.hta	Get hash	malicious	Unknown	Browse
	FX6KTgnipP.exe	Get hash	malicious	FormBook	Browse
	uhbrQkYNzx.exe	Get hash	malicious	FormBook	Browse
	qPLzfnxGbj.exe	Get hash	malicious	FormBook	Browse
	ngPebbPhbp.exe	Get hash	malicious	RHADAMANTHYS	Browse
	FS04dlvJrq.exe	Get hash	malicious	FormBook	Browse
	M1Y6kc9FpE.exe	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\RarSFX0\bsfwaouaf.ppt

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	526
Entropy (8bit):	5.609142618915075
Encrypted:	false
SSDEEP:	12:FnvqWua7mmUsdWCGR2aWVRW5wp3WdMcY2T3CRqvYQkQPv:3uaamoCY245C+5lCRZQkyv
MD5:	8E9FDFCD200596BB3D295D701EFDD295
SHA1:	EF7164E10C9D68569CC6F9719523DAA77144FA6B
SHA-256:	18F2D0D2EC83B3F4F811AC5399AF7530470E140500735CF2B7D4CC84C2242918
SHA-512:	9E6D8FB63D0554916A6E1BDDAAD4FCE54386DA167230A0CD0FDDC8F106538946873D5C911AEFE6B35585B489C38672D282AD0422F8181F30B81C002E2B2EA4D9
Malicious:	false
Preview:	7GF07n094t1cSI05M5244s2M2b2368S68o5S5576OQ16M61U25l483395P7P86Lvcr6DR9c12M5rq7U07054713JBxM4Ii7e22T995UhJ3bH360IkGZokkeO8st56as43u1678O599iup0BF3809H703f3zy..StructureConstants ToolbarConstants..4mtgP8337yV9r25Fn7Y0AcbL369wY5ND86nI6nG7DU39L6121H67JYS9b32a0I52l9mxx06pX4E3Vq01w5ncD2..DateTimeConstants GuiDateTimePicker..J32f3T97Y93yV5aL5Ni18134Bj7Z747fbBHg404ZvxSIBSLLq6D4e12819KEyJa8rs884j7Jz4Nswx..ButtonConstants FontConstants..x0l1JCwXLX6I30863T7wmx0ew5Fh0wz3D353V191CrD6X1dQ95444AW11Yj..ComboConstants GuiDateTimePicker..

C:\Users\user\AppData\Local\Temp\RarSFX0\csjnimed.pdf

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.542606760251132
Encrypted:	false
SSDEEP:	12:qTs/9CZVjYDT9oCBT2BTlh6dxfyttXAmc2UqX0R782VWd:qTs/96G2TlUwXAmHLd
MD5:	E4D68B658FA34C6DC2E0025519E6BDB3
SHA1:	22A275FDEC8334221A86BF000ED31D1C3FDDE641
SHA-256:	FCF5CBD820A3587FAF54F0D6C0B7E264195D24C401C64B3E4BFCF4E28A8DD1F7
SHA-512:	F0F4308AF4F7D924CAA37E4C77510D5AA6765FAF0AA6503A7E222539E471DF7E76E6B12003F1F6E2551A6A79E7F6FE607556F76756465651CF052DF12F8D9DAF
Malicious:	false
Preview:	7e0804B7v3w..StructureConstants DateTimeConstants..2UJ34YD13McvS36RW60i9n0iwhdw7Q1sg58iq721Uhw0R588uh4P4L47SW94Z00CFUPfJPmC4Pdd705R5Q01vqkUQ43W..ComboConstants FileConstants..N9rH3cUWT1My47716M88J8A870DxC8Au6Z3jV6207zrx8412g61v47Wi229J53vg438o7pB2362964XI48477zl08Th70P50g7Yk36S0z8i3Kd4pC1r5UJ2jeAH8U4tT6347cjp0q65408F78T905b24gwn2953G9T970Vqq1W235EM4..DateTimeConstants ToolbarConstants..4Wu7YrT0145THO5c1JjF478ADn5dv8029n5675i52622u40c1qg09EK77k487vCzHM7..ColorConstants ComboConstants..YG8BdaqLR4E0c1d008v04c1K6BAV5539X6..ComboConstants ButtonConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\dtjhghvbme.dll

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	578
Entropy (8bit):	5.584668338629392
Encrypted:	false
SSDEEP:	12:mZ7obtcCRLP4HWsdk/VE4wlsx88LhwmSB07DEAeGt:mdkuWq+Vzwlsx88umSB0MvU
MD5:	04A32611FE3C56284FDA4F045E41D263
SHA1:	41E0B5B4E4C2E27721F5C2E14CE2430452145CB2
SHA-256:	3C635A9AAD0066916D7CBB8D2AA46751DE5482D07D3DE93006EE507A8D961011
SHA-512:	C2EFD0F2FB937ED2FB85677104039FFE56C595BE865E4238E277C11AD945B25D66D4E3810336AF02C98B0CF0DE0E5499A273CABDB47B08F0835D9A93F13BBD84
Malicious:	false
Preview:	8i85atZ9IQ6Xz66cm0Itk7Z79T6UULe..UpDownConstants ToolbarConstants..ak9154t0i61266IN4CpOZ68h1909p39r9U3rHr9SpOWkTMcT3UE6MQ4cBQEQrqel63G29a32kc1g60q93641..TreeViewConstants ColorConstants..6x544mXzgUFQ4h47Gy11Ya453xJ3051xCvb50760j9d17nF95GSJ8QX4KS92qX85HbQ4546D18j05Vg6DE4g0ZR9zu7eeTIF5UX49152X21S57V7O90..ToolbarConstants FileConstants..z82DFn5v73IJ2MkP3626UxL9YzrK1l0IpvMkGB819U74Zo9u61n1n0JQr052v4w68vcQu4rtGf0PJXY22Cc4661K21j67EGlre34f94YN4f9k4o6zlUQzqaN1g1GP8..ButtonConstants UpDownConstants..p42019Qn4bW286fHW97tm9k7V20tC19I9956Djd07Ihk4..DateTimeConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\egagvdxtir.exe

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.615861878026584
Encrypted:	false
SSDEEP:	12:xBjCqxY+RpcDa5/fsWBPbfCHUMwPcyboxVQ:xsqOYt5sWsHUhD8TQ
MD5:	45874CF12784A8793E2979D9B8A86B6D
SHA1:	425B57FB8562C334CE5A9A472FA8878F9D153EBB
SHA-256:	7AF18DC05BF950987AE7BA4A72E6C276B9CBB8DFC822E44AA3C47BC1AD900D82
SHA-512:	2CAD309F9589C52427BD26C920F8EC58AC3D6C54D9210591E9CF8D3A98BD993E35D3B38F6BA56BB39068EB372732561069D54BDA1EF12944DDBBE71D5AEA9AED
Malicious:	false
Preview:	M90z8sKod5L6yd7ohw..StructureConstants GuiDateTimePicker..Y376Mg9Eck7256bR943219I0rb1CL5I9ak29M6d68p94xN931Nf2FL5Q4Yi6kH856th37rlfrmOsQ51Oo75552tA50Wy93xmBrcC10Q486WR5Ief6sEb3S76Q64XIh1j1a9849233D1962736I586w0D73WCl04wA220y2410..ColorConstants TreeViewConstants..55NB9q9103Y3aL51AlH6l3bk58rhbh4qLSR098j8pswb3a4Ibl3KS3l734FDxF6DKg34567Ao473bO6246Z6lQ9dK0sHPY9kHMbWK8WxOqDzBsGlO879jfx5729RMb9154jp80Y7V6654729LqH8E1u..BorderConstants FontConstants..H03fq0k1x20sQwWn4WVx0AWV..FileConstants DateTimeConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\fghwgffef.dll

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	575
Entropy (8bit):	5.608505888809514
Encrypted:	false
SSDEEP:	12:MNjr+6EZu8s8tOUqWKnTCCxHCNSIQFE1UEWwS1ox5zHc:0hCu8R8NWKuCxHXvE1Utbo3zHc
MD5:	DA5901B29765E106CD5B9748E05243B3
SHA1:	8DDEEDF2D2825B961C9D9529E594DA1ACB1F43B3
SHA-256:	BBB44E2E85E463D1ACA8FA3E51E50777E2DA5C5B979B9D42385276B05CFF7277
SHA-512:	5EB247764D0A9173982DC7993840B299BFA9E86A806D62D4390F13DAEDFE9FD03BAF96EC7BF54394BB276A443EDB9A047FF8E7BB830E84374A5167079D1918A0
Malicious:	false
Preview:	338307SKn99A2acg06Df1AVyvs69DaO87Wb038di8gR0zA2T028F3k8pC0w38gO9jn3F8xrz8699WH20l9c65D1GefM0KFn73g1885cfI6qQYyQnHyjKd522004Dj03g5Uv81d5Vh6HWnB5qdn1V8QHr909g..DateTimeConstants ComboConstants..ZRX8l76G0EG4102czR47Pz5K3x6064Z3qkPA6..ToolTipConstants DateTimeConstants..6Gx4i980X4oU18y6xM70Pal730t4hsqcNF22VF91I690716E1xq4A45707H0uo4Dq97j63o75045kuyjU9rcy768D6S5k1731Py4444592i548x2HWiJ2V54p9K2Y54ue50a70Uqf5Zm0g3B62xMHe41n619bexxQjiq..FontConstants BorderConstants..Y2w74Z96W1C1A1hd4zpjP3s94Y77P978Z47VG5s0P842ZiZ59uSy56a5417rvSx00091525..GuiDateTimePicker StructureConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\fshefj.bmp

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.525187843934755
Encrypted:	false
SSDEEP:	12:XZ02XUStGAAFPYJcFi2t5ZTRIdWZfChXbaJfl1GUd4dd50lmR:XZ0oklycFi2tTRIdqfChXb8tUHxjR
MD5:	B857415BE9FF6FAD8304D42DB5A7D759
SHA1:	7A382BD4CFA12606DCFF1559A94048A974D864A7
SHA-256:	999AE452F380331CE38B998A25847F26A369545D2732FEF912A0C62812BBA471
SHA-512:	5C3F9CC08F7B3C77FCB96EE3E13FAA21E865359348D436AD00E853D90B833DE1FF3F9DDCD3C090CC15388756695AD8FAC1E8CF957FB782710957D81827FDD014
Malicious:	false
Preview:	U6YsjLQRR960uwm6LBaR75113..ColorConstants ToolbarConstants..D8rb4..DateTimeConstants ButtonConstants..i9gzDzj347j1GT4N6699h..TreeViewConstants FileConstants..476b69UY03325MaOk696848px3LX32456pu35bH7K128iBYJNR5F183UZo4qk4xhpa604a043UT3283aU78B280P3092Gm5BT6Z910h3K332P9P2I9D7..DateTimeConstants FontConstants..20Wt6i4813r7BrqpU6W9MOMc91ZL759gEdTdDRw27Jh57w02ZlkH453u16sF828S1..GuiDateTimePicker FileConstants..uOn8s05442H402x21pH18A0Ggd951lM1jrDk5J0Fz4..UpDownConstants ToolbarConstants..A67Y2d0GC91210M67231hZp2gmv57gzC6u41a2HDFDai5c4LxFAh30Sw1D1h7Mq0Ur8dE7S4858w8S2ND613l7894p4z9l7j021O4U906S1N..FontConstants ToolbarConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\ftqorsmss.exe

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	515
Entropy (8bit):	5.491608079508514
Encrypted:	false
SSDEEP:	12:pHOtTqxcYuUyPEW4yPUwqlOe21CmCBjQb3fkEC8J:A4xZwqFtOe20mCBjskENJ
MD5:	0F8E3A1042FEC224A546C2702470D050
SHA1:	BB9C92F2F65CD91111A6390A78FB765940005CB9
SHA-256:	66AD0D0E52690B96AA9CCF0AAB396BC64564E9A08A667DC971F2B348F9859289
SHA-512:	4879562FBFF873E9A915DF692F967A5B87D77D20236121180407F970D4DCC5727098194DA62004804B5D6993C59FAF0B2471F5FBEEDA818CB2B80ED99F6DE4DC
Malicious:	false
Preview:	915N39tWa8NH8SVp4Xpx0ZTD3U7L75911829IdU44BXY0ZNTCLnx6o03J4610Ol205l034DlW6x22Vi68..BorderConstants FileConstants..ujdOz74y3w2627t8P113WI7D982c146UY39oI0v3cX02W..BorderConstants ButtonConstants..wn25342Ia78B7e6849958EHYb9bq8T2q4C9..TreeViewConstants FontConstants..3u7967RtL4Q258T3E6259H89makt3N3T1J7b74MA515CY..StructureConstants FileConstants..0GYY2C1p706AXhY748S5u02t9xxV683114nt5y91zY3f24nP6tYop8954tqO2tf4w1Zce4rT70f3A2k75989uy66Q8tCT0h60OqdB306KU8O7eK8AF43zBA079Pd8O5M26DvS32..ToolbarConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\fvgmmo.xls

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	587
Entropy (8bit):	5.49701055125167
Encrypted:	false
SSDEEP:	12:MCntEEBGsv0IL7xR6VrGDZsKORwvvURXTUFXpLW+Im:MncG27xR61GDZ1gauWLW3m
MD5:	74D5043B48EA06428CEDAD8BD21013E4
SHA1:	5536E1F5D3803B6FD5A6C34EEBB97AB6EA0759D9
SHA-256:	F8018A3028E99A01BA4A9F285AF951F964EE80F73E287F267D9326FAE73AA26C
SHA-512:	F010C98568A135909307BDA3350BCF91EE8158F1C258F36991C61D30F57CFC231EC84011FA618C773B0C9EA56700195B7678B52FDBB37B39E9E536409B8FFB4D
Malicious:	false
Preview:	q0D7N659963W57H5NiLF0s5o3dH2oc9UPn707z4N2iW7518m7i6d1x8..FontConstants ColorConstants..UPE14r4bRQ..ToolbarConstants UpDownConstants..4t94py69I1J76NMUA0PVQ661E06H4wXUdfehuW4K2vX8v72tM208I1V4vv415CLh4wy7zw29Vk7eVq084894Y..ToolbarConstants ToolbarConstants..e62X3H8S4..ButtonConstants FontConstants..gBfwk80m43H1NH82tKBst79z8I8d9B6YR762V29E8L25Z8F96514c39H8LPN76hPnn71511HYmf2G3279a..ToolbarConstants StructureConstants..y8696pYVC2QXr9A00713Pn05f9Y56JH8g05a7l4cP6Q68w5ui3bi3f1hDs324eQI8U2I3E77mbJ5UK1S57E61da3b64vIPdp3bq39C15Bgo896zf3508r7ma0h2s6n14H58..StructureConstants UpDownConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\fxmmd.xls

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	552
Entropy (8bit):	5.522366636609422
Encrypted:	false
SSDEEP:	12:9YVgKmEOYs5v2SMc+FeCChTzIeRwV25hCmQ54yYeKboYz:2R1PKv2SMc+c1hnlw25hiyFz
MD5:	88925FD91096E99B74876ACEC3E38CAC
SHA1:	F63839632CE4D1803DEF64F30369DC195A13FC64
SHA-256:	D129F2CBDB4712A8DEFD5365979FFCD4F782A78BFB774CF262D153B7701A7C50
SHA-512:	BD141B4131EB06C4BDD141823F0C4C479485ABCCFE5DDC2B0EAB01AD6F61E43AED34B1CA2922F7FD915560558ED03D6098422389591865B7D4F2D3E21CF5E757
Malicious:	false
Preview:	52P90t3187Bo0gYJ55vqG98e8531b6029474iy68..UpDownConstants DateTimeConstants..8n127g16aOCX2y61932V30D442k8NE20toU641LK0..StructureConstants FileConstants..M84j6AR990c78f6484D6PcXD6NVd1i4u6P59TX204l48886Dk5WG69633378Ji7gX2T598d205mlb79bS277977901w61NB0FT8IdT4d6PM4U847t0A9yx4r6LB999GHF96r72W3r56rP3sWd1965090k18E267J514M08N..UpDownConstants BorderConstants..RR5F5p75s93Z80Lhjd9881LZr52YRF1244380w19vuGH151ma5NF552Am..ToolTipConstants GuiDateTimePicker..47wa1ysf3bF2iSf8aLV2HQTD9JVn5x05461035O4e0VS503aY25g0787pnJSXXRKD1..BorderConstants ButtonConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\gjfvqp.xls

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	626
Entropy (8bit):	5.499303384306603
Encrypted:	false
SSDEEP:	12:qycnOs9jF6DgBlqnQfXHUTObFd/dUrdP2hBdsnoQb3:pcnOejI8DgKX0qbFdltzdsnD
MD5:	4B2C8E743EB4EDB1A928824E0F567C35
SHA1:	A89FE685B5D35FD7EF9DD4956C27A8C6C3BAE525
SHA-256:	5A1C32F4D7BE737E000A6E77248B4C1651E0100CB21F88CC04DDEC5124F7C54A
SHA-512:	57C6DAE4E991B48C8FD49F0DBE200BAA3054DCF912D8A314FF0DC9927F0263E5E70871F7D27A81BD49F7C8699657188996616BDFBA24AEAB4D62C699961BBF33
Malicious:	false
Preview:	JbBw3vG6jh3RBW1112oB73Kg0gr3132619Bi..ButtonConstants FontConstants..q00OPC226r643G7H93raC4G246507pc460TY70t36u369q5k1z9h2986V6c0H468PtB3f3220I05p1jwx5K7q11973893jPt64nx..GuiDateTimePicker BorderConstants..vbJ0bGQu2H4MK0B6etJe89t5f745iccDgW6w6dm5P7wA55180An96s5OjI515D949tRU730VmHrNph2Zu2N917y1P33aO693298ChsN68C97yDpU452f90649440ryUN8b7zk86T9qe76C622780NOfcu4Yn9261hdsrz4e269B14H92..ComboConstants BorderConstants..4uX4580oig35oU08lb0139826Te6XkWVs259iOSL107Z4..TreeViewConstants ToolbarConstants..WZ11T8389668w052706a222v16415007B5J61722806z3L5390o725MqjENe86ikwn1T3LJNCU3xbHGR8o5813QC930gs3..FileConstants ButtonConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\jdhltah.docx

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.621784547740191
Encrypted:	false
SSDEEP:	12:FQlcHBmVtuF+BM5gp1E+HvASYHMn/eqsT0cu0RQIZALOBPc:v2iYM5S1E+HvmX4cu0RnO
MD5:	32CE892FB2F1EA83C96718E8A1B484D7
SHA1:	3DD4C084A09D1A218C11812E42131D3250111780
SHA-256:	92A7756A056C061EF2419C40568511ADA4E78E5081AAE5B77CFD119B7D257D48
SHA-512:	CCAF4DD1441D1FCCC73804F5335C494261A3717CF4DBB678C25AFC6EFC0D68EFEEF04BDD6F5A356D42489A9E0CD881CB2A014F76090747CD688E4C00FBAE4879
Malicious:	false
Preview:	96C4r30AX3rjlo4x56k2M165K7WcV109Bv3KD94E380x71434n98T8869856dNpqT2LR4805kU7a3g95703W93j7ZwO410D9ym7Tl367p665Fv6996EfIBa0Ox4T3NO5805hJ93298c4kk670129877..UpDownConstants FontConstants..g7Z1y9BwZ4O2vLB4JC079n8Xy0ah5Vo..ToolTipConstants ComboConstants..P5YCy5N..DateTimeConstants GuiDateTimePicker..8syf2n4QyGtrJf219c9k18y8oF292lb2Z14EW5w4i15Ur1phTLAA83buTS3Q5p1u5u132F2GvJY26Kij9Q3R83k6U090HyaPM5652j1y7mbq50AG32g8Z96Z320fn148QQ0ea497j..ButtonConstants FileConstants..6FA3cLlIfRXi0QQ16988617W04uPOn22uj8d6VUN8i285pv01P2MTejP3Px380519r0X9dd8D35D6rt5lQIH4K1LGq4T24hqC53tsv0H3Wk065531KQJ050P48m1Ej7bZx8JZiwv7oio012225..DateTimeConstants TreeViewConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\joglr.mp2

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	544
Entropy (8bit):	5.509601786657226
Encrypted:	false
SSDEEP:	12:SbYBdxG7BjRHtPk9uRUrYBDbRtRZQ7PU5FJQZwt:fxG7B1i9AUMtbN1
MD5:	9B574D3C62F846CA895E782B7F71CF24
SHA1:	0DB4BB352E1BEB8EA05FFA22AAFB2FCC857497CE
SHA-256:	4C65429BBBFF42BCC1242D7DFE78A2D08F61854AC227D40FCB2559546A8D86D2
SHA-512:	A939759C4ED07B566C4756DD9F9F85AFD385A297B037B6A739D9BF7D17451C807B4432940E30614B59384B3808BB70D981C32FD146F5AE6B473309269B6881E2
Malicious:	false
Preview:	9G9G6g3Y4u44dIp323372Rt3B7c4N4093638Q882f95uJ0Q12pm5E3G3VW6c8nq81..ToolbarConstants DateTimeConstants..yi5s44UC2nX5K58i7716j726Lj51uejSEk6l9T5dtO97P543B5AJ20Lc3JzRc6xM43NhwB8B33BUGUA29X8d5ZZLC2..TreeViewConstants FileConstants..q8Icp0J6MMc..FileConstants StructureConstants..6n349C60g7e36MZjUgCdN74m38C4570KBa8y8b64DR9S19600r806AKm2bM2iaUJV026X7Ozg068..UpDownConstants StructureConstants..MG91QR42u4R22Q0iB5C6586QL04nQ895329k8quK852LdM..TreeViewConstants FontConstants..v3SNpf0b38UBKGIiJ80p8V591722U852r9C6oK..DateTimeConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\kjorhf.xl

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	618
Entropy (8bit):	5.547313237238842
Encrypted:	false
SSDEEP:	12:DwrR3TUar56HjuPIj6PFhgwnauV5VPbdEk2dOIk1pAWHWJciyPrBPc:DaRAa96Duwj2gwRbPbdEkTpzHWJnCO
MD5:	545D7D102C3A48B2639E7F2382296EA8
SHA1:	1215C32DFDE84B5ABDAC8793471A748F4DDFFF72
SHA-256:	0FB463E42A35E65104E50416245E81530EDAA5BDE5D155D461D2684FC0DBF304
SHA-512:	7DC15A6A24594C179644A5D1C3E5926A2DDA8E439CEC79F725FF437FC58AE5E29745C3B0D499EE2ACB012C03380953E2892D17C6D7FE5F45651F74CEB709AB5B
Malicious:	false
Preview:	VIl95mBo3vT9Wi7L307V0N62t33..StructureConstants DateTimeConstants..1e6zIf19YA747v1761B2M2N67Y..ComboConstants GuiDateTimePicker..1eTVz929QlHOR91r206sO88037I0Xr44p1139wuc6U434Uekfm4eK44m8yx5685M3rU0S73L0tANO51xNZq38192r5wc602665g83nMKcu14h1qOKKK496L56ID4R4M291z94..FileConstants BorderConstants..k65yQIQ91936rUQE91940785W3IOxh38R7OH23KQ845i4795X6D5H7847e04jo45Rp7HLi6z0gz3M62551eO6NZ0DRD11m815584Z11m71n261jB784N4W6Kt8n8k..ButtonConstants FontConstants..5N8X16Cu9GTj93ih5xw44718HoD67N7SUBMqk680I5Kp1fRu7J9Y5889z9z6993O0CwjkM32955SkLnQlN47pr1l569D2uoQIl12H937x77zI7B4072m2X2t84947Y..TreeViewConstants TreeViewConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\lqqd.jpg

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	523
Entropy (8bit):	5.452504389304269
Encrypted:	false
SSDEEP:	6:FGjLW9cWiB08fJVCf0ZeAAFScrBScJTmfKcGdv88dxDxUb0ho/i/jMicWc:MqRiBkfqelFPrBPJOKcGt/x9UAhfnRc
MD5:	1163AEBC09E46839263D5D70C7ACB973
SHA1:	4BA9EB857C9C96C02CD9A3366FB7382D0A45A471
SHA-256:	D5A4882ADF7CAA297D610399AD2A115A5AD66D5F8A499BA4E5A02B303E33876B
SHA-512:	8C14D08F32DF73F5C6775D33574105CB6EA659DA94202F8E6527899835BE8CB49A9F2EEB01122671A9AE8A667C4ED76884A23CB7782D90C6AFE0C545ECCFA35C
Malicious:	false
Preview:	GN67397p7Ad5X5DmAQwDdZ9G..DateTimeConstants StructureConstants..47W7TDG48q7qt92z037LfpnN55Rgy1g65g8dz38035DK10aS7bZ13EV144p0oj3C7nw8m8G59eO1962qrm358673P322b8d8..TreeViewConstants TreeViewConstants..39so76v0w77c6Q1730JlB59e01233zf576aA0J1Tp92W8003wqcMj57f37467254Z0n575u9567z4..ComboConstants ColorConstants..50GoDFi11vXdJ3WUy52i..GuiDateTimePicker FontConstants..r3c1ut5Oa34Hx74Tzyb8GzGFjZ37ROW055N1dlm137HR117772f94f9juQ5725232Cq5..FileConstants ComboConstants..f7N71443KFNrV727Z7niM..UpDownConstants StructureConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\nfioj.mp3

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	547
Entropy (8bit):	5.486033748710765
Encrypted:	false
SSDEEP:	12:w/lzY1pPrBPMC2GqBkh7ahZPTs3AQdJATi:w/ZY1xinGqGahRsQ9e
MD5:	1447DA15BE20BE9CC07192F34C097409
SHA1:	01A42794AC31CD029FAA411AF7216FDBE57FEA0C
SHA-256:	56DB027F9858785542E92B97B443BB98023C1D06275901C5A19AEF22CAA9E45E
SHA-512:	B462D108D5C324D9866445ED9225985C0900B1CDBAE2E9C836E46C1A64D8A0C7F157EFB3244EF825307FF861054169D5DE1B65DF61B581637AFC4EF8AD4D36FE
Malicious:	false
Preview:	Yk5310Ukh3m1Grd12k05kL82H0r7243lA8479T42e8MR9637IV48HoV2WH713X77SPM4iQ017a07S796zx2iteGeunD37..TreeViewConstants TreeViewConstants..4rZ368s9042Cqw6U1QTClSY0gg497z6bo57pa47I2nY7i5GDfUao668ncHx4XX126FE757Yc02i2Uz3C4650m5fd17xL419A1u3wzO0ak916KC8V5V291FbxEI6axA5t8U139JX47..ToolTipConstants ColorConstants..sC3K0d4678Y2w32L074O2..GuiDateTimePicker ToolbarConstants..77a648d9961W9..FontConstants DateTimeConstants..tT501Q5e227r34df47H880XV17078a34167AC9084mUnp1y807S0X5x4fG990guL0sTdHRP4IU691w98wT3DYduJ23PTf8O30nq2860..FileConstants ButtonConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\ogjh.bin

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40122
Entropy (8bit):	5.586289114180869
Encrypted:	false
SSDEEP:	768:+a5+CrAuUltyq79tPI2arB33kindEDL0qldyf/K6uVEalzDUDGdwCblu:VPgFXaN33Hnnqlgf/K6JalzDyGeE0
MD5:	14EF93269646D40310CEEA92AE9339B4
SHA1:	B61363E6DB7307ACBFE6BBF8230F754F5EEE6C88
SHA-256:	40DBC8112E05344401EA3F49652E14C23AB129C39678BF508AE99B7EA4226A73
SHA-512:	DCC9E187E565184DD12C22EB292911A8CBEE6F65CC4F3B66355578F68CFA8CB723843E8B21B3CF6B12A998ACD7062A47927CF57B33A12AF5BFDFB056A6FF6335
Malicious:	false
Preview:	t0368B84..Vce8E3G112484uqVcg739213a83NGC7loaFmqrw705mwl8EM31HE435V50..I7S9UHO9M64y8Rgw3gP2gbg83tk..Ps402O18z99x8FM93Sjb3R551wFnE1sQ5diL2ztGrO4H36c02961sj0x1K486A3ec05..m2Ro6X3GSn58yfnhPNSloL66t76R1J0Su..0tW711y459I05E41G233A2d00801JQYlVx20m0TkW5qjv612n4s2B4UF8416qQ18uY742XXS9Gl7X28d11kQ..qIk15mXv018kI8awrzT80D263eQ1cEqyI3y7x509BT60hpZ3Qx12Y4h1o..62YjSV2k9329A6g538J651f341C428bD989m5b58A2sTUSB1Eop3XoGW8uyuCH3i83lJ..2Km158j4d3S01s15G5UPJ7sb4033kl5f6z2ozVM1Fos2CyWt600TlsT6zcFK8I3u8SzMEsa..8W96K195j3y95rv5d983V29O965N249MLdeSC4r3UG08I60yxl6EHsV6S04Z9vBy2e4j..8u7750F4w6q68972sE2KyF3305U2S4M0p3nof520o4784lR8QDf97I1Y3..4EF3T5O8m6647HO568K88x5JRVS4dnRGc6s22xKJ6ixY5210N7..2a316j89ZEV3q0oc5jg944kW..D693D61469E0pF6x7BN1c082P1NSVS99j95K1C395g34D9JsZduq94H5u..8X343a15583N99kU791EKS8K3B5ob7YFDDuo7863a21jyO1K555x5324u0B8h6SBG8MDVx3lY..768CEP0I6o9oJ5R858wEYQ7I1giD295PU4N7Nd1mtvP114LEM12QN0948Iwc1y0N0..Lc2nau9Fjh84gd53YF0144o2S5IW..mq1oatz08eUxW161Pid4p02Ntw23OK3339KeIRQL4wcpr5HAm5x5OO8v3z00nQy0o024v55

C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.629681466265794
Encrypted:	false
SSDEEP:	24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
MD5:	0ADB9B817F1DF7807576C2D7068DD931
SHA1:	4A1B94A9A5113106F40CD8EA724703734D15F118
SHA-256:	98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
SHA-512:	883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: yjOJ1YK5M3.exe, Detection: malicious, Browse Filename: Rage.exe, Detection: malicious, Browse Filename: Rage.exe, Detection: malicious, Browse Filename: copia111224mp.hta, Detection: malicious, Browse Filename: FX6KTgnipP.exe, Detection: malicious, Browse Filename: uhbrQkYNzx.exe, Detection: malicious, Browse Filename: qPLzfnxGbj.exe, Detection: malicious, Browse Filename: ngPebbPhbp.exe, Detection: malicious, Browse Filename: FS04dlvJrq.exe, Detection: malicious, Browse Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................\|....P..P............N..X&...0..Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\pmvof.docx

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.623829319850138
Encrypted:	false
SSDEEP:	12:LTbwonrjDdcjC1g/hRqr0mtqmXOzI2QLZ6GYxbmgjJmsvLs+qdt:37rjZf1yHq5OQLgm2Lwf
MD5:	FF7046CC1288C5C9C596943A198A2D79
SHA1:	88933FBDC773B8C8FA3DD620F2C4088460B4DE12
SHA-256:	10EA86B4E0DFE44326A6F99BA428CEC3F3F370BF56C881AAE8DBC3394399B908
SHA-512:	2215279A25EE80E0260BD9D8EF5C770A7CF389EDE1C9F86FC1D3466580C9EC59EBB73FCCB01DDA6FC1853DF6105911F8CF362B3EDB5E8A0DFFDF829D19409E21
Malicious:	false
Preview:	73tG96yTwO6wd1t6ozuOAt989C1ZR5yL7878S1jTT7PW3V43k6leP6Q7N10c6xh45uwF6Vg35Uj2r1t33S466m3Y7ZAv7N9F0M0hKD8ZQC530P4S9A07tJNC6KC7088u135jPk8047B009003857458EL65..FontConstants ToolTipConstants..hJEB5E67QyE435u2I3Hw89yJH87q0WzXBM8R2FrEIC3zR58392O26voi034u96ZJ772ZBA05UdX4q8530Gd07OH07Jj432FS1w7GHB03b1gm9b8J9h4eZ6726T4siN5r77n90j61O4CH38mpK0LXahdUj3Q21899W8j9..StructureConstants FileConstants..251E8U738ibd30528T7e9074l702r0iy12ev84..ButtonConstants GuiDateTimePicker..5I8r1u1U9Jtq70RL9UfMXVmwR9q5w5ut7AF391w0CVrKOFjlZ0..UpDownConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\pplbawfug.ppt

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	564
Entropy (8bit):	5.567320651056784
Encrypted:	false
SSDEEP:	12:7f9TdR2iDPyUa43H9VMPX435GSuPJnDvWhkIRooUtBc:7VTd1DPbawH4KYtDa1g2
MD5:	A5B69010476DFA974972B47D115F6103
SHA1:	022E3C9575BCB309FDDE210388EB6EC38DECDBA4
SHA-256:	22FAACE097E012A3D7CE5FD3D79D38569B080C13D20B1218324641A59FC5E962
SHA-512:	CCF370434891BA7378425CC3071FB6C9F079CDF93E9FCFC1227BFF6AAC77DFB6053959793E4D2D82163A397DFF07161101A27041A951F0391E4CA05A3ADD288D
Malicious:	false
Preview:	w9455CC7dU5v2yBqsyA4w08k6Wfi3W191z4iM5D3YY7zm946HcHEfN99977J9780rxqS18766V..ColorConstants UpDownConstants..b3660B0a7684292e2cl5t31NtoAl0x86z9B900629rv7WL85aT4821692g4Z2h6m82s33xe6s8lR65zP666x9Q2p528yRx45DZ1WNO..BorderConstants GuiDateTimePicker..q8J654Gcc7cL5s85tY65029tUlTGJtvhNnTER6q090317a79v42Z558R403E7Qh2Dy4Z34c73Z25c72AK015r166BPl5rq9O98y7A11Z99wp3IunF884Q1098DsG4qCq73c86G0QX5040XkNc33626D631uF..ButtonConstants StructureConstants..X2qVXKtg2245CP322u6G41u7723M82521fIY2293M1J67tTm7x5kpG9I8W647b5ffn4Ks8GYrP4rP86gJS78q6ilZw6..FileConstants ComboConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qdqggfrc.txt

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.536492221883502
Encrypted:	false
SSDEEP:	12:jd/VOBP5kqndwrIObbnHSIGhXOJafnV6sHFB2z:K/k8dwrBqIeXIat6sHFB2z
MD5:	435357F3B985DFA8D2D9302AE6361AD1
SHA1:	8545B25B12A5CC490272C3ECE513699B9A69736D
SHA-256:	734802EBCB6A6BD61496F0EA70F5F5A78FBF754B0DCDAD810518D1C7FA9E680C
SHA-512:	33B9F92EEC9F885F96737D20ECE427D67C0C3045EAB2CE51B2C914AB16E5DD527BA4D791051EEF5F76F7D1A8D864BEBEA3BE423CD11BF4117E1EC3DE8A62AC15
Malicious:	false
Preview:	wm2Mh36mf63844B9CW786jh9i3in22Y47HqoZq4y19rZc118C..DateTimeConstants TreeViewConstants..N04Nu3RQ9VzWhP1BYe5dX8TLKH86628880AOX9ugJ2Aufo9CeT31gj7Y7F46rRV9021I321b4h997R39e5SW8iX425QBJ7M4oh8SqO..StructureConstants BorderConstants..4800l74opU654rbO5rAPu361xV95v40F10rPpF6s39miY44u4733654398B0w89L075472d534g9o992ISP24UP0UH0V7LlX023Gi79828ecq278V4A32k85iw2iHX88q5X649224d6Z36XnF6K7Avbenaz2C6JWSqq930Zbjo2TPf06n3P..ButtonConstants ComboConstants..4qO8rBl530oi6oOwY015Q22b383f4..ButtonConstants ToolTipConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qfjixjw.exe

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	519
Entropy (8bit):	5.549190611316752
Encrypted:	false
SSDEEP:	12:TXE/lMcPzRutZ2R2LE6Q7jHa0L7PaQ5u7:TSlHg9EnHaGk7
MD5:	10EF9BC0A83922B680BDC2637F740900
SHA1:	54CB6519AA57AB0B1E849966BA68FDA5DE0D801D
SHA-256:	81382E9D6B5952A3FBD52163964187874A101AE2735E1A87B253D5B535A87642
SHA-512:	1735E55C0AB5700F47B8F1EB8AE8A3402E6AE18F45691E073D782B0CE54AA2F4460A4955A805B718DDA34A7138A3FE22A5CA80DAE3DEE1C45A92C8D321EC9579
Malicious:	false
Preview:	9nl5u9nKD846kf21238oQWQ5m58Pk9wb6K05Y95OsOYY5A3w15313h2i799YXf7CzKG5o4MiW7iZ1tm2P0928FF41Neh1dxf1940z5n7S8dxo43T6g..FontConstants ColorConstants..3cnG393..BorderConstants ToolbarConstants..ycl18835X6747H9Z50h8W4dFe25149bo304RIG93N7t1Pe92b8Twg3wWY69U3X3Cpjtd8qnN7H5iVn..ToolbarConstants DateTimeConstants..uu3zyr4h53A63IEla6I7j3afx1R76o0aNGP3f2w7pu59vN22l1709EEz4..UpDownConstants ToolTipConstants..U84p17fhV8OokkE34l7U0xK5A3y6L1082Pcx411cyW1Hm4e68dO8028YLXY6fF39u8hi06a752xw36792mNB..StructureConstants ComboConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qfvtsnbjha.bmp

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.578481319894763
Encrypted:	false
SSDEEP:	12:eBL8ahqk4s/5fSnQZJRqRl0cXAsaqNwiQWJQ0PwqVTcr:G7fXZfuArZiQW+RqNcr
MD5:	BE9F2108A12DAC36C96143F18DABD7C4
SHA1:	39296ADBFD7D286761B852FE11CDA3F4C5B216F6
SHA-256:	5CE2B75147EFA4C68F705D38FEE5A39645732E372ADF0DB1258C378D2F32BCD5
SHA-512:	72B89735537CCB86BFFAFD0BA60B88BBBAB19CC1B54669BBC607AE4978E5170342746CDD9B51FF64998547F0AB03E672DAA09293913E0CE32E75C5AB9A115C1A
Malicious:	false
Preview:	46qd14AVyC80v7T21J3505tLfqkp957Hc33..DateTimeConstants ButtonConstants..NH7Z3E8iZvMKW03789WQ7L17u1XH1N6o4Z034X988KuH96R08HOkX0R49KN3WRoXM8wFReR060i3P496580y6g..ToolbarConstants ColorConstants..H44mEc77AhA17wC54S63288Um27ku4CaPv3WecF78e08x641cpD256u235667ne3Yo5IG0C47x4233RCvc617K975QV542EQ6z3L79GSb9sa31Sj404..DateTimeConstants ButtonConstants..O7vr40O9f7z05scW0I4VB7Q51RcO78CPJhwRkrDky54BoWO388hi9I9V9ooH03g0j79bgz1D9M747r6fWAzLH79Toc258nT0s2JNk37X..TreeViewConstants ToolTipConstants..C749E8U5n784d8O7PWC32f1Gurp5MAW4wz..ToolTipConstants DateTimeConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\sbwrsoo.icm

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.57016122386182
Encrypted:	false
SSDEEP:	12:NcXkZO++dzQrtFPU6GXIvF+Vk+iyhDoTPReSh:NmyOJlQrQHuIVnNhqPRHh
MD5:	C23386A3C4259CFEF1A66D4CA934F4F7
SHA1:	C9ACFAFB5A1243BA6F4D0B6FEFF0574A787BDC6A
SHA-256:	BE788CEC245DF4F9ECE6960C67E243FE5F9A86555F9AB19069A148B960BA05CD
SHA-512:	CAF9D2019252A7B2D20FDD6A1F210FC5797C1A79566DDBDD1DCDBC1BA656D578EFA122ED2E6E2C058B4B7360382C8C7704BF02A1E7EB52EC3EAEC92816FE5729
Malicious:	false
Preview:	e22f2ET452yWCX5tGN92i886Cg7Y4W7H897030466CIm743h1N8a28d5445rcW9PBE9i63R6Y226p09b0701yEmD0dv4936lu13I788721uK95FLoin0rq8zvc9D13Edp235783Vw5e91HWD85ev6Po1QLqx2F75K8U38r4LN16xv..TreeViewConstants ColorConstants..2X7f3NN9Lv562zE3qhf2591x121Q0f683b1P57UOYRc983wQ7H43393z793uS070Pos47d2038p75T33B8YCVXEm2qHh8LP1Nm713s463MjEu7R1Ns61162M4966fu7a4NTaUO01T17s802B4MlAiFUMVh..ButtonConstants BorderConstants..6571GUS29U68m2feJ642qVQ3K84l16669ga9Ob2d717k08gnf94naLk4L35s6TkYVMunkW17..StructureConstants FileConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\smmetgr.fqg

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	111874
Entropy (8bit):	3.720029907971537
Encrypted:	false
SSDEEP:	1536:3wU1Zo3foIaXgwxInL+0wA67Td1uHSXeSXoWIcNIH0FIiVL32XclnW:5Zo3Ww7nLtzFH0uidmso
MD5:	EE0B6DCB2323FE5047DE83C300BE5C00
SHA1:	57510C2089062A35B49DCEFAD5F3552501698940
SHA-256:	8A7A595F49C43F8054F757A9FAE31D7D10177638ECA9D8060FC3A902A02785EA
SHA-512:	31D8AF76EF4B9992ADF5A4D78ED0C7231F35339EFA484D137519AB219EE76197669CBB18F1947D9A940E89A6A4655BA5D9757A68D604670F6134BAB83637358C
Malicious:	false
Preview:	0x4D59]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]08]]]]E/F_0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D024]]]]]]]5045]]4C0/03]87F6664]]]]]]]]E]]20/0_0/08]]FC]]]0]]]]]]_E/0/]]2]]]02]/]]]4]]02]]]]2]]04]]]]]]]04]]]]]]]]6]/]]02]]]]]]02]6085]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]064/0/]57]]]]2]/]FF07]]]]]]]]]]]]]]]]]]]4]/]0C]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]2]]]8]]]]]]]]]]]082]]048]]]]]]]]]]]2E74657874]]]C4F]]]2]]]0FC]]]02]]]]]]]]]]]]]]2]]0602E72737263]]]FF07]]]2]/]]08]]]FE]]]]]]]]]]]]]]4]]0402E72656C6F63]]0C]]]]4]/]]02]]]060/]]]]]]]]]]]]]4]]042]]]]]]]]]]]]]]]]0/0/]]]]]48]]]02]05]2C7]]38]]]3]]]0/]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]_FE_/E56F_CD973__2/902243057843]3D5644D2/E62_9D4F/80E7E6C3394/2E]2F]5C]]]/E0228/_]]02/7E/4]]042/E0280/4]]042/7E/5]]042/E0280/5]]042/7E/6]]042/E0280/6]]042/7E/7]]042/E0280/7]]042/7E/8]]042/E0280/8]]042/7E/9]]042/E0280/9]]042*/

C:\Users\user\AppData\Local\Temp\RarSFX0\tduj.icm

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.666171253378064
Encrypted:	false
SSDEEP:	12:sPgke4xkWRqA31Ksr7cM7tpxmCcG+wNP1tN0xR:8kWRqGYMJpxfcMV1ExR
MD5:	65F980AE12661712717189653D4FB459
SHA1:	4B93F7848462CBD7741231E2BCE8CDF2548AA536
SHA-256:	6232B90F5A35F1A8105C8FBF655F5E49C01DA51A3CA19BEDCC895EB7A8800F23
SHA-512:	50F209EFA16D957B3C5986F447E34CDEA5C07BC73B20874BFBEF63DE9EC4E514041F05072D4CA794EF52E1309B4A68AC949504BEC854C308EF3AA6528F7C7800
Malicious:	false
Preview:	0l5h98veW4n14p4EA177ba79362Y2wF3xdR42730sP444JWVET5zL85JfwH3..StructureConstants GuiDateTimePicker..A0E9iRYw12ezA3qNz5g716K402r0dhqJi883PG521B9zFyCeBQ2Vk8DbM..ButtonConstants FontConstants..486VBc8w5795wafB7RQSS07P319E3Mt75AWo328N0ytb36qAjg89P08MUNl0939095V99spR8w89d78HX851dr4t2az00412057M95679fvop75767RgO89O089ALlw4514254..BorderConstants GuiDateTimePicker..l81n205eKc2m7uR2x63hN28Wp9UF26RXgu6W0I7Ua7c69yJFc32kL44t930vX2658F2HxzX8lmIs1O81D7cp3Q7Gn2A9wV315G2nElSk65y..GuiDateTimePicker ToolbarConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\tihgunorxm.bmp

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	529
Entropy (8bit):	5.658051500411973
Encrypted:	false
SSDEEP:	12:YfjJLkwhjXb9XwPAaxQg0QVahE/CY+M6OqpMBh:cD5BXwPVV0FhEr93Bh
MD5:	D09181BB1825EF873613B385AFE3250C
SHA1:	8CF113E3E8EAAA079994B76D4F0F2C1E112D5A3F
SHA-256:	618FC71415514061D83306C870ABCB07C760C6D163F623E18AFFF95232BEB828
SHA-512:	282B909F5E4FCA4CD5D0785943EABFAE7EB4B9DCE4D75B0BF828FF87238885742E512121CC61E9E30989A07E8C49F6AFBFBB78A9CA0DDCDF6F9C7E2A9E36E979
Malicious:	false
Preview:	A45w7T92Ea44F5AgKQ8Egy4g58Pz3lVx6eR13Z4hO96Og5D7W070Ng4x0Epvri0zI2FPJyL8w06nT15KD..GuiDateTimePicker DateTimeConstants..iq5q70X0GMe539563DW1knx61Z..ColorConstants GuiDateTimePicker..7dp4RcxMXAzO0HcEmiYVq213RV966MoExs8W4Hn2grVXtl9x86..GuiDateTimePicker ButtonConstants..ANha941m2894kJkH0h0Al4Gp72Z934Dl624x23D50BsS7ZX5CXZ136s7vt2p8SQ8M59n12g8vbc3qi82MHEkOqlW774AN84O4..UpDownConstants ComboConstants..0nGzv2604AR5B65NL5T78B1c383r9W0X27923r2td3d9Xr886w13u01mtd5914w76S4b4lO76n0k9x6u8x62X977HJ92V..StructureConstants FileConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (378), with CRLF line terminators
Category:	dropped
Size (bytes):	64360
Entropy (8bit):	3.021094753046138
Encrypted:	false
SSDEEP:	48:j////////////ZlslslslslslslslslslslslslslslslslslZHS///////////H:uHZQNB
MD5:	B94DDFC39C8E33D472BD5A2810F4E10D
SHA1:	C2A8F8C29DF1DDB170B8FA8FAB5170784F4A6DA7
SHA-256:	F97221732861050BD9DD4337FE23D51323336844A1AA68272AAC47E13840A734
SHA-512:	47606282D701241D934051390D41F31270D230C164B849CA741E59308D8749F0BAF137439D1814A61FD1AD79012FE14BB27B5290676F9BF0155F448188008946
Malicious:	true
Preview:	..T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.T.e.l.e.V.r.a.m.(.1.5.9.).:.....T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.l.e.V.r.a.m.(.2.5.).:.T.e.

C:\Users\user\AppData\Local\Temp\RarSFX0\uqkimgceo.das

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	543
Entropy (8bit):	5.379579425070494
Encrypted:	false
SSDEEP:	12:13Dfq3mDv9pRDvh9ECgfzpFP274UCxU8MV50:RrymJTh91gfRU+MV50
MD5:	F79437BF7C47B942F0ACC98DF6B7A39A
SHA1:	6444BFFC1EBA138320798797D178DFCC5585FF25
SHA-256:	01D356A3FB2EEC49DBF8D9C5D492FE0806CE2116BCE896A75E0AEA82D39C3D75
SHA-512:	7C0924D37164DD982ABDDF4F6472B390A43DFDD76ED67C58F106AFBDCE4237FDBE4C290C3987FCAFBC9E9E98EC4799D0A4AE193C4EC1133D173DF74A4CF01ECB
Malicious:	false
Preview:	I98S19d33sK00575VAU6Fx407gO75n3L5948F793QQgU49e386DxDs5a3Ifpyx8T8Vv8a..FileConstants UpDownConstants..1IQ30823111YURi4e01o24z30051Hcp191QR252n94T2y..ColorConstants StructureConstants..67RQ824E1E6npd1NbqsCyjqq73P925fTF03874udERo8HytQ11864h487B79ezr8q9Q6756..FileConstants BorderConstants..NHX6V8Na01T8..ColorConstants ToolTipConstants..fLj1457737knW558404SNzrZRxH2H8X4E253kj..TreeViewConstants ComboConstants..43Iq488m0452f5d0x8938z10q24e6035w2d5088Gh08JF7N..ComboConstants ButtonConstants..Q73C7opb0tI79S8o7..ToolTipConstants BorderConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\vtntkf.xl

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	553
Entropy (8bit):	5.578486202825431
Encrypted:	false
SSDEEP:	12:H75sozL/bNXNtRuPDulvtGJE5iWQD1wGSAEvhUpTP9R23gUdR:H+CL/bNXfRDnG4iWgh+k2pdR
MD5:	2C51C68CC943271C2701E0A32DEF3088
SHA1:	C80F091FEEB6765E8A96E25DE77CAB01190B751A
SHA-256:	D8C1D6A7651B3D4906D2B480709B18E18AEA82E986FE3A7429F63E62D0D50A1F
SHA-512:	2CC8126DCE1CC9364452FA5F0B5459FD9C3E3DD47DC9AE37F20887C3985D29B182CE51C18FD7AFB34A2DD5A508C4D26E77870B403CDAC949B429C44D983CFEE0
Malicious:	false
Preview:	iZQ0P1Gf4xY4d6358QWA03xH353739406M72kSCwdq8gu8kLbV9i3D6J55CQ2zrdi520Vw70007J2..StructureConstants ComboConstants..16Tbb5L2Ned68zt2BD24804jAPGf..FileConstants ComboConstants..pal02OD2KA936z6Rr72m08MWMPO2148X562UEv565825b1XP86t3s0mF5Q3N5a5L6FM0k2S687u7g43vB45a2Cv7QxD2P85d1kzF4JHPe3s8ZBa0UrOocu..UpDownConstants FileConstants..8cL04j948tW49444MY5I743I4HID4eyTHpb712g71GEPL8N3nDiWL85Y69a0929W6b9E5ioMuW6656f9qsK1E250aw94p198sv3cA3L283C8737S1A6K5LmlWmr..TreeViewConstants StructureConstants..2BFt918C2UQZL18L760eDC997o072uA..FontConstants ToolbarConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\vvcrvhm.bmp

Download File

Process:	C:\Users\user\Desktop\1wYGO0mAN2.exe
File Type:	data
Category:	dropped
Size (bytes):	107038202
Entropy (8bit):	7.0176504307222
Encrypted:	false
SSDEEP:	24576:Q4sp4sq4se4ss4sY4sm4sB4se4sD4sp4sm4se4sI4sm4sn4sl4sR4sa4so4sb4sC:P1
MD5:	F057B0988F9E5636A46F6AA20C5C4B1E
SHA1:	F09E814CA0A3DE72C3FAE7132739814AD8EC5B38
SHA-256:	5A25D2F11687DAD3F76A7C72838DE513F8C024555FE041EF5E49AE5395C03F8C
SHA-512:	BC176B524177A4C4DA320460DED58ECE729149CF045EEA8B0C9FF0935241D54CF125AABAB7425A589824AB5E8BCCE1F91B2FB360066E0BD0AEE88FF162C9540B
Malicious:	false
Preview:	..;.v_.A=.uCZ...p.Yv&.z.H.t..y...g./...:....V)pa..l.t.T.U..Vb..S....y:.Q.....e......#.c.s..p,.....e......W.S.i....Y........JM.H[........6F..S..D.:..+.\...T.b..!....G.P-.).W....u.8.7.4.s.8.4.E.n.Y.7.4.8.N.c.0.6.8.i.V.4.V.0.t.2.r.c.S.i.0.k.9.3.B.8.4.2.L.s.V.8.7.8.S.......D..c...'...._......0.0.#{N....^.om...'.}...5.H.....[.5.uA.^.~...9JN...7..e.....{G..)+.N..."5`,...p8....6p.t..59.&.b......yA.....7%J....i...u.m..r.vk..4..e..:....A.~.G..s..Ovy..B.......3.P.&\|).CA....1.5.2.o.t.7.8.4.8.b.8.Y.7.3.1.R.N.9.5.2.8.9.9.5.U.9.6.1.t.6.4...........x..y...)1.,Ti9.4.8.F.R:3L.c...y0c?Q..,?!P2[pj.......n.A.... .b.q.JV.q......#..h_.F..i9.K~......}....i..Tm.49...%..W....Y.6.5.d.7.8.J.e.....2.b.k.P.q.P.8.v.A.A.....4.M.S.6.0.9.2.x.S.E.7.m.X.4.X.G.m.9.u.M.3.d.9.O.2.0.1.i.2.0.5.I.K.3.1.6.6.X.5.Y.h.7.5.T.D.C.1............V.U.o.}Gr.x..;.....:w..P.."...if<G..E.P.U^W.MR.W&.(;1,.f./+:B.QA.f}."!..../\.x.}.7...C'...h.e...=.N.}....sd...gV.n..........X.....`....:.T5_.If......km.].^7

C:\Users\user\temp\ogjh.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.866492516240338
Encrypted:	false
SSDEEP:	3:YRRvuf1lXhONvkY/ndY3t9Grdyn:AvgDO9k4drdy
MD5:	D27283F7FB3F72063B6A7E8894816482
SHA1:	A2238D9CBA0DF7E79BCC23804E9AE2FE635BAFC3
SHA-256:	DA779AB7242D8E25F24A398E68F62EB3FA0533E600E947AC1A302D2B5D079F32
SHA-512:	1CBE9B94279A45BF09B427C9D49D3C5A1B58145BDDF3277CB0E1A0A259286754C0CFCC60AB52800D14E2967F84C00C836BC407FF8C777E46CB03C7498921FBFA
Malicious:	false
Preview:	[S3tt!ng]..stpths=%userprofile%..Key=..Dir3ctory=uwrb..ExE_c=pjcvfvnncx.icm..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.673598600663924
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1wYGO0mAN2.exe
File size:	1'016'608 bytes
MD5:	436b2f74cd97649e20ced1dc65fb0b95
SHA1:	f96367071a2f3aa91a6c82968d542c80e670f1fe
SHA256:	e5bcb2a1cdf6cab62da5b7c8e8d78c25acb5627be5028fd5499df561fd4f24df
SHA512:	5535daf34f0e8d19f95ebf084fdfcf63f3e56f7dc8c562ca2b38212f8b3ad697e250a98d389722f673621201ff29e31c039b1a8e38504c55890993b38e734937
SSDEEP:	24576:hN/BUBb+tYjBFHL68/C6SnugzXiM0hD6di/AD:jpUlRhT/5OXiM0hDTc
TLSH:	5A250112B7C480B3D17229321AB69711167D7E711F658A8B13E03DBEAB719C2D631FA3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#.b#...#0.b#..f"!.b#..a".b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b

File Icon


Icon Hash:	260e087d1f333737

Static PE Info

General

Entrypoint:	0x4265d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6640971F [Sun May 12 10:17:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	99ee65c2db82c04251a5c24f214c8892

Entrypoint Preview

Instruction
call 00007FF004D0849Bh
jmp 00007FF004D07E1Dh
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FF004D074CFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FF004D074B9h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF004CFA9F9h
push 0044634Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF004D08CC7h
int3
jmp 00007FF004D0E9FEh
int3
int3
push 004293C0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00449778h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x47d70	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47da4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x15b18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6e000	0x2afc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44580	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x44600	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3ec58	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4722c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3a32c	0x3a400	e320764e1b3c816ba80aeb820cb8a274	False	0.581381605418455	data	6.685359764265178	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0xcbf8	0xcc00	47c3be3304bfdfb2a778f355849d1c3f	False	0.4439529718137255	data	5.167069652624378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x49000	0xd7e0	0x1200	6335f9314c2900dccb530e151f1b1ee8	False	0.3956163194444444	data	4.0290550032041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x57000	0x1a8	0x200	232a8fe82993b55cefe09cffc39a79b0	False	0.462890625	data	3.5080985761326375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x58000	0x15b18	0x15c00	01347fc060c4871e2beac057b6f6bee3	False	0.6677779274425287	data	6.453733102547725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6e000	0x2afc	0x2c00	98fd4bc572f87a21f69dc57f720a6dbc	False	0.75	data	6.617141671767599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x58824	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x5936c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x5a918	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152			0.32682926829268294
RT_ICON	0x5af80	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.43548387096774194
RT_ICON	0x5b268	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288			0.514344262295082
RT_ICON	0x5b450	0x1c8	Device independent bitmap graphic, 22 x 44 x 4, image size 264			0.5241228070175439
RT_ICON	0x5b618	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.5878378378378378
RT_ICON	0x5b740	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.5053304904051172
RT_ICON	0x5c5e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.634927797833935
RT_ICON	0x5ce90	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.532258064516129
RT_ICON	0x5d558	0x690	Device independent bitmap graphic, 22 x 44 x 8, image size 528, 256 important colors			0.544047619047619
RT_ICON	0x5dbe8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.3872832369942196
RT_ICON	0x5e150	0x8620	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9990097856477167
RT_ICON	0x66770	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.34948132780082986
RT_ICON	0x68d18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.4376172607879925
RT_ICON	0x69dc0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.41721311475409834
RT_ICON	0x6a748	0x810	Device independent bitmap graphic, 22 x 44 x 32, image size 2024			0.48546511627906974
RT_ICON	0x6af58	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.6214539007092199
RT_DIALOG	0x6b3c0	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6b648	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6b784	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6b870	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6b9a0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6bcd8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6bf2c	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x6c110	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x6c2dc	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x6c494	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x6c5dc	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x6ca48	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x6cbb0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x6cd04	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x6ce10	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x6cecc	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x6d08c	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x6d2dc	0xe6	data			0.5739130434782609
RT_MANIFEST	0x6d3c4	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T20:51:33.222041+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	195.26.255.81	77	192.168.2.5	49737	TCP
2024-12-31T20:51:33.222041+0100	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	195.26.255.81	77	192.168.2.5	49737	TCP
2024-12-31T20:51:33.222041+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	195.26.255.81	77	192.168.2.5	49737	TCP
2024-12-31T20:51:33.222041+0100	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	195.26.255.81	77	192.168.2.5	49737	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 20:51:32.635922909 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:32.640680075 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:32.640780926 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:32.686495066 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:32.691361904 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:33.179943085 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:33.180000067 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:33.180059910 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:33.217194080 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:33.222040892 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:33.346460104 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:33.394397020 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:33.697846889 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:33.703341007 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:33.703510046 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:33.709765911 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:42.692740917 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:42.697545052 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:42.701033115 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:42.706670046 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:42.896037102 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:42.941298962 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:42.992691994 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:43.035044909 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:43.057322025 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:43.062079906 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:43.062216997 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:43.066982031 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:51.691862106 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:51.696696043 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:51.696753025 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:51.701596022 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:52.067167044 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:52.113204956 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:52.155936956 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:52.158015013 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:52.162777901 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:51:52.162836075 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:51:52.167666912 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:00.692094088 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:00.696964979 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:00.697060108 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:00.701802969 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:01.049283981 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:01.097594976 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:01.185415983 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:01.187536001 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:01.192363024 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:01.192424059 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:01.197184086 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:09.691999912 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:09.696886063 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:09.699337006 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:09.704145908 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:09.930404902 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:09.972522974 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:10.065345049 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:10.067194939 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:10.072009087 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:10.072066069 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:10.076920986 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:18.691890955 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:18.696871996 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:18.696933031 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:18.701793909 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:19.040235996 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:19.082021952 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:19.170722961 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:19.172637939 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:19.177618027 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:19.177678108 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:19.182466030 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:27.691778898 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:27.696686983 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:27.696773052 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:27.701678991 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:28.056433916 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:28.097589016 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:28.185478926 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:28.238173008 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:28.279810905 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:28.284595013 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:28.284646988 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:28.289387941 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:36.691773891 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:36.696913004 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:36.697031975 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:36.701867104 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.032808065 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.081903934 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:37.121463060 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.123308897 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:37.128160954 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.128215075 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:37.133033991 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.644795895 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:37.649904966 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.650088072 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:37.654922962 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.930682898 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:37.971754074 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:38.061423063 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:38.063199997 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:38.068171978 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:38.068249941 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:38.073121071 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:46.645088911 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:46.649988890 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:46.650089025 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:46.654922009 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:46.894185066 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:47.005069017 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:47.027137041 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:47.029454947 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:47.034310102 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:47.034363031 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:47.039247990 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:49.660604954 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:49.665493965 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:49.665559053 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:49.670373917 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:49.973880053 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.019784927 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.025235891 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.025314093 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.030141115 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.105338097 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.108849049 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.113665104 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.114173889 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.118953943 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.456501961 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.599106073 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.721858025 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.724390030 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.729139090 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:50.729201078 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:50.734010935 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:55.348155022 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:55.353013992 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:55.353064060 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:55.357867002 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:55.645828009 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:55.707025051 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:55.781459093 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:55.782814026 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:55.787606955 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:52:55.787678957 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:52:55.792443991 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:03.644818068 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:03.649689913 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:03.649753094 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:03.654504061 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:03.986855984 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:04.121275902 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:04.121373892 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:04.123466015 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:04.128319025 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:04.128426075 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:04.133198977 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:05.723215103 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:05.728043079 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:05.728094101 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:05.732860088 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:05.969939947 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:06.130054951 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:06.133536100 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:06.133536100 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:06.139031887 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:06.144098043 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:06.149672985 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:14.722918987 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:14.728049994 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:14.733223915 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:14.738146067 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:15.111334085 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:15.160037041 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:15.245352983 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:15.247323990 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:15.252087116 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:15.252130985 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:15.256853104 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:23.722960949 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:23.727911949 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:23.727999926 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:23.732774019 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:23.977061987 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:24.082314968 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:24.144390106 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:24.156831980 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:24.161619902 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:24.161683083 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:24.166487932 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:29.037112951 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:29.042031050 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:29.045226097 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:29.049979925 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:29.339502096 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:29.469413996 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:29.469541073 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:29.498631001 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:29.504102945 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:29.504147053 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:29.508929968 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:31.660686016 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:31.665596008 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:31.665644884 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:31.670419931 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:32.003082991 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:32.108879089 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:32.133826971 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:32.141122103 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:32.147799015 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:32.153155088 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:32.158447981 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:40.660712957 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:40.665515900 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:40.669238091 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:40.674046040 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:41.005693913 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:41.097523928 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:41.164303064 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:41.173214912 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:41.178047895 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:41.178090096 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:41.182862043 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:46.535564899 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:46.540450096 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:46.547997952 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:46.552829027 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:46.787461042 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:46.911348104 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:46.921226978 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:46.922873020 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:46.927660942 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:46.927747011 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:46.932599068 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:51.106096983 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:51.112334013 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:51.115386963 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:51.120129108 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:51.346381903 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:51.477624893 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:51.477694988 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:51.479566097 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:51.484296083 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:53:51.484378099 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:53:51.489175081 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:00.113950014 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:00.118825912 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:00.118905067 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:00.123689890 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:00.466291904 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:00.601303101 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:00.601365089 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:00.603780985 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:00.608556986 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:00.608597994 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:00.613339901 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:09.113677025 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:09.118618965 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:09.118693113 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:09.123404026 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:09.477639914 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:09.597240925 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:09.609390974 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:09.610955954 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:09.623778105 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:09.623845100 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:09.628571033 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:18.115310907 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:18.120187998 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:18.120258093 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:18.125021935 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:18.404274940 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:18.533365965 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:18.535413980 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:18.536761045 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:18.541558027 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:18.543211937 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:18.548036098 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:20.769910097 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:20.774775982 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:20.774848938 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:20.779598951 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:21.072566986 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:21.201849937 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:21.202023983 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:21.207294941 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:21.212198973 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:21.219436884 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:21.224272966 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:21.741173029 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:21.746491909 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:21.746694088 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:21.751418114 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:22.064801931 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:22.197233915 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:22.200259924 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:22.203192949 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:22.207962036 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:22.208132029 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:22.212953091 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:30.738636017 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:30.743443012 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:30.743503094 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:30.748270988 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:31.031626940 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:31.081929922 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:31.176472902 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:31.180130959 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:31.184916973 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:31.184966087 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:31.189733982 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:34.461765051 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:34.466594934 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:34.466650009 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:34.471399069 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:34.812752962 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:34.863151073 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:34.949246883 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:34.951181889 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:34.955915928 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:34.955960989 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:34.960695982 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:40.938041925 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:40.942903996 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:40.942960024 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:40.947746038 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:41.259845972 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:41.389231920 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:41.394536018 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:41.397192955 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:41.401942968 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:41.409198999 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:41.414067984 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:49.926548958 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:49.931380987 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:49.931509018 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:49.936265945 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:50.215301991 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:50.269402027 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:50.345266104 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:50.347131968 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:50.351965904 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:50.352046967 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:50.356781006 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:57.728151083 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:57.733355999 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:57.733453035 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:57.738189936 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:58.033380032 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:58.160141945 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:58.162496090 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:58.164217949 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:58.168987036 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:58.169044018 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:58.173858881 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:59.754261017 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:59.759263039 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:54:59.759363890 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:54:59.764223099 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:00.095544100 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:00.160065889 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:00.245745897 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:00.248450994 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:00.254375935 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:00.254427910 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:00.259207010 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.379362106 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:07.469693899 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.469747066 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:07.474709034 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.801462889 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.910686016 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:07.916404963 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.916497946 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:07.921247959 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.940665960 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.942785025 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:07.996551991 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:07.996666908 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:08.001465082 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:08.239726067 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:08.363173008 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:08.373212099 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:08.374932051 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:08.379698992 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:08.379760027 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:08.384540081 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:13.923388958 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:13.928426027 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:13.928492069 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:13.933293104 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:14.416711092 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:14.456974030 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:14.545492887 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:14.546278954 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:14.551194906 CET	77	49737	195.26.255.81	192.168.2.5
Dec 31, 2024 20:55:14.551278114 CET	49737	77	192.168.2.5	195.26.255.81
Dec 31, 2024 20:55:14.556314945 CET	77	49737	195.26.255.81	192.168.2.5

Target ID:	0
Start time:	14:51:06
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\1wYGO0mAN2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1wYGO0mAN2.exe"
Imagebase:	0xd60000
File size:	1'016'608 bytes
MD5 hash:	436B2F74CD97649E20CED1DC65FB0B95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:51:10
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tmsf.vbe"
Imagebase:	0x360000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:51:21
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /release
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:51:21
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:51:21
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c pjcvfvnncx.icm vvcrvhm.bmp
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:51:21
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:51:21
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /release
Imagebase:	0x610000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:51:21
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\pjcvfvnncx.icm
Wow64 process (32bit):	true
Commandline:	pjcvfvnncx.icm vvcrvhm.bmp
Imagebase:	0x4d0000
File size:	947'288 bytes
MD5 hash:	0ADB9B817F1DF7807576C2D7068DD931
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000003.2225217524.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000003.2225260589.0000000001970000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000003.2225397554.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000003.2225738947.000000000194B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000003.2223435934.000000000196C000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:51:24
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /renew
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:51:24
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:51:24
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /renew
Imagebase:	0x610000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:51:26
Start date:	31/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xb10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000D.00000002.4481126938.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000002.4482482842.0000000003831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.2%
Total number of Nodes:	1883
Total number of Limit Nodes:	48

Executed Functions

Function 00D8454A Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 252
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D76D7B: GetModuleHandleW.KERNEL32(kernel32,7889FE40), ref: 00D76DC7
Part of subcall function 00D76D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D76DD9
Part of subcall function 00D76D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D76E03

Part of subcall function 00D71309: __EH_prolog3.LIBCMT ref: 00D71310
Part of subcall function 00D71309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00D717FB,?,?,\\?\,7889FE40,?,?,?,00000000,00D9A279,000000FF), ref: 00D71319

Part of subcall function 00D7F4D4: OleInitialize.OLE32(00000000), ref: 00D7F4ED
Part of subcall function 00D7F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D7F524
Part of subcall function 00D7F4D4: SHGetMalloc.SHELL32(00DB532C), ref: 00D7F52E

GetCommandLineW.KERNEL32 ref: 00D84608
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 00D8464F
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00D84661
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00D8466F
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 00D8467D

Part of subcall function 00D7FC38: __EH_prolog3.LIBCMT ref: 00D7FC3F

Part of subcall function 00D83EFC: __EH_prolog3_GS.LIBCMT ref: 00D83F03
Part of subcall function 00D83EFC: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00D83F1B
Part of subcall function 00D83EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00D83F86

Part of subcall function 00D751BF: _wcslen.LIBCMT ref: 00D751E3

UnmapViewOfFile.KERNEL32(00000000,00DB5430,00000400,00DB5430,00DB5430,00000400,00000000,00000001,?,00000000), ref: 00D846CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D846D3
SetEnvironmentVariableW.KERNEL32(sfxname,00DA9698,00000000), ref: 00D8472F
GetLocalTime.KERNEL32(?), ref: 00D8473A
_swprintf.LIBCMT ref: 00D84779
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D8478E
GetModuleHandleW.KERNEL32(00000000), ref: 00D84795
LoadIconW.USER32(00000000,00000064), ref: 00D847AC
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00D84803
Sleep.KERNELBASE(00001B58), ref: 00D84834
DeleteObject.GDI32 ref: 00D84858
DeleteObject.GDI32(00050E00), ref: 00D84868

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Part of subcall function 00D819EE: __EH_prolog3_GS.LIBCMT ref: 00D819F5

CloseHandle.KERNEL32 ref: 00D848AA

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00D8476A
sfxname, xrefs: 00D8472A
STARTDLG, xrefs: 00D847F8
sfxstime, xrefs: 00D84789
winrarsfxmappingfile.tmp, xrefs: 00D84643

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3142445277-3710569615
Opcode ID: a63b296346925978ad16415ad18b2d1cb58fea95b77713ea45c29d1f1e280e73
Instruction ID: 5bf3717a342c924a4d6b68767c11c70ac31aca103a0b515aa3b9acba1b3770b5
Opcode Fuzzy Hash: a63b296346925978ad16415ad18b2d1cb58fea95b77713ea45c29d1f1e280e73
Instruction Fuzzy Hash: DB91BC71504744EFD320BF64EC45BABB7E8EB89704F444A19F949D2392EB74A904CB72

Function 00D7EBD3 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D80845,00000066), ref: 00D7EBE6
SizeofResource.KERNEL32(00000000,?,?,?,00D80845,00000066), ref: 00D7EBFD
LoadResource.KERNEL32(00000000,?,?,?,00D80845,00000066), ref: 00D7EC14
LockResource.KERNEL32(00000000,?,?,?,00D80845,00000066), ref: 00D7EC23
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D80845,00000066), ref: 00D7EC3E
GlobalLock.KERNEL32(00000000), ref: 00D7EC4F
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D7EC73
GlobalUnlock.KERNEL32(00000000), ref: 00D7ECD7

Part of subcall function 00D7EB06: GdipAlloc.GDIPLUS(00000010), ref: 00D7EB0C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D7ECB8
GlobalFree.KERNEL32(00000000), ref: 00D7ECDE

Strings

PNG, xrefs: 00D7EBD7

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: a70a511cdeb92afe54323e09e9cd7a48a27f4c27b1e5a123191c4af050e8887f
Instruction ID: cf2e04dbb44c77e76c464efd746ecb601d8eaaeb19fa80afd7582591902a1d21
Opcode Fuzzy Hash: a70a511cdeb92afe54323e09e9cd7a48a27f4c27b1e5a123191c4af050e8887f
Instruction Fuzzy Hash: 70316975610702ABD7219F21ED4892BBFA9FF89790B08456AF909D2361EB31D800CAB4

Function 00D7355D Relevance: 14.8, APIs: 2, Strings: 6, Instructions: 753COMMON

Download Yara Rule

APIs

Part of subcall function 00D78781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,7889FE40,00000007,?,?,?,00D78751,?,?,?,?,0000000C,00D64426), ref: 00D7879D

_wcslen.LIBCMT ref: 00D7395A
__fprintf_l.LIBCMT ref: 00D73AA7

Strings

@%s:, xrefs: 00D73A91, 00D73A9D
RTL, xrefs: 00D73A69
*messages***, xrefs: 00D73773
*messages***, xrefs: 00D7373A
$%s:, xrefs: 00D73A8A
,, xrefs: 00D73AE2

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_wcslen
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
API String ID: 1796436225-285229759
Opcode ID: 11a8db173624e93c2511ba400c9bf81f3407783c534d743b6f206b08c19bbc01
Instruction ID: 18ef28ae65c22178951c7b27c52fc10e001704fe765048eea54fccbc0dc124a8
Opcode Fuzzy Hash: 11a8db173624e93c2511ba400c9bf81f3407783c534d743b6f206b08c19bbc01
Instruction Fuzzy Hash: FD52B371900259AFDF24DFA8CC45AEDB7B5FF04310F54852AE909AB281FB719A44DBB0

Function 00D6F826 Relevance: 9.1, APIs: 6, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6F830
FindFirstFileW.KERNELBASE(?,?,00000274,00D6F733,000000FF,00000049,00000049,?,?,00D6A684,?,?,00000000,?,?,?), ref: 00D6F859
FindFirstFileW.KERNEL32(?,?,?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049), ref: 00D6F8A4
GetLastError.KERNEL32(?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049,?,00000000), ref: 00D6F902
FindNextFileW.KERNEL32(?,?,00000274,00D6F733,000000FF,00000049,00000049,?,?,00D6A684,?,?,00000000,?,?,?), ref: 00D6F92D
GetLastError.KERNEL32(?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049,?,00000000), ref: 00D6F93A

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$H_prolog3_Next
String ID:
API String ID: 3831798110-0
Opcode ID: bc710fa00cc47cc921096f5f34e28787267190b904ad5fa3c32889e504a85b83
Instruction ID: ca525089f660c40ebb1d861894471635cbf01fe188c81518f7b763081cb9b495
Opcode Fuzzy Hash: bc710fa00cc47cc921096f5f34e28787267190b904ad5fa3c32889e504a85b83
Instruction Fuzzy Hash: 5D511F71905619DBCF14DF68D889AEDB7B5FF09320F1442AAE419E3290DB31AA84CF70

Function 00D6BF3D Relevance: 5.0, APIs: 1, Strings: 1, Instructions: 1497COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D6C342

Part of subcall function 00D72095: __EH_prolog3_GS.LIBCMT ref: 00D7209C

Part of subcall function 00D657C0: __EH_prolog3.LIBCMT ref: 00D657C7

Strings

__tmp_reference_source_, xrefs: 00D6C33D, 00D6C349

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3H_prolog3__wcslen
String ID: __tmp_reference_source_
API String ID: 1523997010-685763994
Opcode ID: eebff75d39e6ec49791b1ab237be775d9401c76a2e999d746a365376af8393d2
Instruction ID: 4ef846645a8e2db33dca99b55f7d05b7e2078a835b081ad0b6f96c47f242ee61
Opcode Fuzzy Hash: eebff75d39e6ec49791b1ab237be775d9401c76a2e999d746a365376af8393d2
Instruction Fuzzy Hash: 78D2B170A146899FDF25DFA4C890BFEBBB5FF09304F08451AE49A97241DB34A949CB70

Function 00D8ECAA Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00D8EC80,00000000,00DA6F40,0000000C,00D8EDD7,00000000,00000002,00000000), ref: 00D8ECCB
TerminateProcess.KERNEL32(00000000,?,00D8EC80,00000000,00DA6F40,0000000C,00D8EDD7,00000000,00000002,00000000), ref: 00D8ECD2
ExitProcess.KERNEL32 ref: 00D8ECE4

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: caa64d1a5a60c8386df4bd78583197e69c6eeaa82eb569bb2defed2cd3d52066
Instruction ID: 42c73419d5b285630b4cee3e6f5e0d1ee74edeee76024da519334f26c3fcb07f
Opcode Fuzzy Hash: caa64d1a5a60c8386df4bd78583197e69c6eeaa82eb569bb2defed2cd3d52066
Instruction Fuzzy Hash: ECE0B632510608AFCF117F55DE09A583B69EF51381F441425F9499A222CB36ED52DB70

Function 00D7B76F Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 67efa11fe4762216a2924fade10e7dafd6ba423d16f2fc42a7ae117ff9d539a2
Instruction ID: 5c12bad67c192415b409a7b86ae95f4a2e4f360a4b23f7bfca7c1e59ef3d253c
Opcode Fuzzy Hash: 67efa11fe4762216a2924fade10e7dafd6ba423d16f2fc42a7ae117ff9d539a2
Instruction Fuzzy Hash: D9E192715043448FDB24DF28C884B5ABBE1FF88318F08856EE99D9B346E774E945CB62

Function 00D80900 Relevance: 88.4, APIs: 43, Strings: 7, Instructions: 935windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D8090A

Part of subcall function 00D61E44: GetDlgItem.USER32(00000000,00003021), ref: 00D61E88
Part of subcall function 00D61E44: SetWindowTextW.USER32(00000000,00D9C6C8), ref: 00D61E9E

EndDialog.USER32(?,00000000), ref: 00D80A18
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D80A57
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D80A71
IsDialogMessageW.USER32(?,?), ref: 00D80A84
TranslateMessage.USER32(?), ref: 00D80A92
DispatchMessageW.USER32(?), ref: 00D80A9C
EndDialog.USER32(?,00000001), ref: 00D80ADE
GetDlgItem.USER32(?,00000068), ref: 00D80B04
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D80B1F
SendMessageW.USER32(00000000,000000C2,00000000,00D9C6C8), ref: 00D80B32
SetFocus.USER32(00000000), ref: 00D80B39
GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00D80C20
GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00D80C4C
GetTickCount.KERNEL32 ref: 00D80C79
GetLastError.KERNEL32(?,00000011), ref: 00D80CD5
GetCommandLineW.KERNEL32 ref: 00D80DF9
_wcslen.LIBCMT ref: 00D80E06
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,00DB5430,00000400,00000001,00000001), ref: 00D80E85
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00D80EA3
ShellExecuteExW.SHELL32(0000003C), ref: 00D80EDC
WaitForInputIdle.USER32(?,00002710), ref: 00D80F0B
Sleep.KERNEL32(00000064), ref: 00D80F25
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00DB5430,00000400), ref: 00D80F61
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00DB5430,00000400), ref: 00D80F6D
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D81072

Part of subcall function 00D61E1F: GetDlgItem.USER32(?,?), ref: 00D61E34
Part of subcall function 00D61E1F: ShowWindow.USER32(00000000), ref: 00D61E3B

SetDlgItemTextW.USER32(?,00000065,00D9C6C8), ref: 00D8108A
GetDlgItem.USER32(?,00000065), ref: 00D81093
GetWindowLongW.USER32(00000000,000000F0), ref: 00D810A2
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00D81422
EndDialog.USER32(?,00000001), ref: 00D81436
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D810B1

Part of subcall function 00D7E265: __EH_prolog3_GS.LIBCMT ref: 00D7E26C
Part of subcall function 00D7E265: ShowWindow.USER32(?,00000000,00000038), ref: 00D7E294
Part of subcall function 00D7E265: GetWindowRect.USER32(?,?), ref: 00D7E2D8
Part of subcall function 00D7E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 00D7E373

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D8114F
SendMessageW.USER32(?,00000080,00000001,00030431), ref: 00D81284
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,00050E00), ref: 00D8129D
GetDlgItem.USER32(?,00000068), ref: 00D812A6
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00D812BE
GetDlgItem.USER32(?,00000066), ref: 00D812E6
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00D8135D
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D81371
EnableWindow.USER32(?,00000000), ref: 00D815A7
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00D815E8
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D8160D

Part of subcall function 00D81D4F: __EH_prolog3_GS.LIBCMT ref: 00D81D59

Strings

LICENSEDLG, xrefs: 00D81417
<, xrefs: 00D80D8E
STARTDLG, xrefs: 00D8091C
-el -s2 "-d%s" "-sp%s", xrefs: 00D80D75
@, xrefs: 00D80D98
__tmp_rar_sfx_access_check_, xrefs: 00D80C91
winrarsfxmappingfile.tmp, xrefs: 00D80E71

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
String ID: -el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
API String ID: 3616063595-3000381960
Opcode ID: b0b56a188c176f5b658fa87ca188f85187791f3398a448a831c55a4d87371242
Instruction ID: 5e4d0f333e7e987cf10a5fd84a672ccbfd29ff1ec6740a84627ddc69b5dd4d19
Opcode Fuzzy Hash: b0b56a188c176f5b658fa87ca188f85187791f3398a448a831c55a4d87371242
Instruction Fuzzy Hash: 0E72BE74944348EFEB21EBA4DC49FEE7BB8EB01700F084159F109B6292D7B45A89CB71

Function 00D76D7B Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 394
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32,7889FE40), ref: 00D76DC7
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D76DD9
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D76E03
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D770CA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D770DF
ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 00D770FF
CloseHandle.KERNEL32(00000000), ref: 00D77187
CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 00D771F8
AllocConsole.KERNEL32 ref: 00D7735E
GetCurrentProcessId.KERNEL32 ref: 00D77368
AttachConsole.KERNEL32(00000000), ref: 00D7736F
GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 00D7738F
WriteConsoleW.KERNEL32(00000000), ref: 00D77396
Sleep.KERNEL32(00002710), ref: 00D773A1
FreeConsole.KERNEL32 ref: 00D773A7
ExitProcess.KERNEL32 ref: 00D773B7

Strings

SetDllDirectoryW, xrefs: 00D76DD3
uxtheme.dll, xrefs: 00D772BD
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00D7734E
dwmapi.dll, xrefs: 00D76E6C, 00D772B3
DXGIDebug.dll, xrefs: 00D76E37, 00D771E0
kernel32, xrefs: 00D76DBE
SetDefaultDllDirectories, xrefs: 00D76DFD

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 2644799563-3298887752
Opcode ID: c4325859c3eb6d77d4065e0706e930c232ddd0e462908df01601861afc60db54
Instruction ID: 231b65cf2cb471b8de92d4e3dda7154d9f51b2a171e94a9e77dc3161bec5786d
Opcode Fuzzy Hash: c4325859c3eb6d77d4065e0706e930c232ddd0e462908df01601861afc60db54
Instruction Fuzzy Hash: 0AF139B14042889BCF20EFA4CC49BDE3BAABF05304F548519F91D9B291EB709649CBB5

Function 00D83572 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D80678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D80689
Part of subcall function 00D80678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D8069A
Part of subcall function 00D80678: IsDialogMessageW.USER32(00010444,?), ref: 00D806AE
Part of subcall function 00D80678: TranslateMessage.USER32(?), ref: 00D806BC
Part of subcall function 00D80678: DispatchMessageW.USER32(?), ref: 00D806C6

GetDlgItem.USER32(00000068,00000000), ref: 00D83595
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00D7FD20,00000001,?,?), ref: 00D835BA
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D835C9
SendMessageW.USER32(00000000,000000C2,00000000,00D9C6C8), ref: 00D835D7
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D835F1
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D8360B
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D8364F
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D83662
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D83675
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D8369C
SendMessageW.USER32(00000000,000000C2,00000000,00D9C860), ref: 00D836AB

Strings

\, xrefs: 00D835FB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: afe98d26fe13401ea8217ef7855d416e928b0cfbed4a062395270ec9f45b36c2
Instruction ID: 773be1950c756b5dc2940aeefeb7af2a5ff986ceba74e1a5346e0c07cf456b9d
Opcode Fuzzy Hash: afe98d26fe13401ea8217ef7855d416e928b0cfbed4a062395270ec9f45b36c2
Instruction Fuzzy Hash: 8131C171249700FFE310AF28EC49FAB7BE8EF95741F400619FA51E62A0D76099048BB6

Function 00D838A0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 291
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D838A7
ShellExecuteExW.SHELL32(?), ref: 00D83AA4
IsWindowVisible.USER32(?), ref: 00D83ACF
ShowWindow.USER32(?,00000000), ref: 00D83ADD
WaitForInputIdle.USER32(?,000007D0), ref: 00D83AED
GetExitCodeProcess.KERNEL32(?,?), ref: 00D83B0F
CloseHandle.KERNEL32(?), ref: 00D83B33
ShowWindow.USER32(?,00000001), ref: 00D83B76

Strings

.inf, xrefs: 00D83A13
.exe, xrefs: 00D83B3D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
String ID: .exe$.inf
API String ID: 3208621885-3750412487
Opcode ID: 8df61901f85f3ccf760d0458a38e124ff8489d99226ce7d71cb1aa0b005c8b57
Instruction ID: 51d7a8ac66d4fd3365397610c132703b888c2727172dac7dde1dfe1bdcb55f49
Opcode Fuzzy Hash: 8df61901f85f3ccf760d0458a38e124ff8489d99226ce7d71cb1aa0b005c8b57
Instruction Fuzzy Hash: 0EB19A70A00258DFCB25FFA8D9857ED77B5EF44B10F288119E849E7251DBB0AE468B70

Function 00D83EFC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D83F03
SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00D83F1B
SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00D83F86

Strings

sfxcmd, xrefs: 00D83F16
sfxpar, xrefs: 00D83F81

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: EnvironmentVariable$H_prolog3_
String ID: sfxcmd$sfxpar
API String ID: 3605364767-3493335439
Opcode ID: 3f846e550d7d4741ca43bef705c164d05c3e0a4fca390c9ee7d3cdb6b7162ed0
Instruction ID: 60f2fc773384feb90a349783ebfc7c8d3c158afc970d5085474a6a9594bcdd01
Opcode Fuzzy Hash: 3f846e550d7d4741ca43bef705c164d05c3e0a4fca390c9ee7d3cdb6b7162ed0
Instruction Fuzzy Hash: D121F370D102189FCF14EFA8E9859ADB7F9EF08701B50441AF549A7240DB30AA48CBB4

Function 00D7F2CE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00D7F2EF
SHAutoComplete.SHLWAPI(?,00000010), ref: 00D7F326

Part of subcall function 00D78DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00D70E3F,?,?,?,00000046,00D71ECE,00000046,?,exe,00000046), ref: 00D78DBA

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D7F316

Strings

@Ut, xrefs: 00D7F326
EDIT, xrefs: 00D7F2FA, 00D7F305, 00D7F312

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 7d282ed03d9be74f092ec3314c4a38edf9091f24ebc4448623d5ba672991c71d
Instruction ID: 9646dd702de9cd1af0d74bfe2083e9b025ab20d727241f13228c049b763198af
Opcode Fuzzy Hash: 7d282ed03d9be74f092ec3314c4a38edf9091f24ebc4448623d5ba672991c71d
Instruction Fuzzy Hash: 66F0A431A01618EBDB20AB249C09F9FB7BCDF86B00F044166FA04EB2D0E6B0A9058675

Function 00D7F4D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D76C5E: __EH_prolog3_GS.LIBCMT ref: 00D76C65
Part of subcall function 00D76C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00D76C9A

OleInitialize.OLE32(00000000), ref: 00D7F4ED
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D7F524
SHGetMalloc.SHELL32(00DB532C), ref: 00D7F52E

Strings

3Qo, xrefs: 00D7F505
riched20.dll, xrefs: 00D7F4DC

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 2446841611-4232643773
Opcode ID: a822258f7500212cf7d5e438ebbe1fa94c41afd5bbf469e6b257d2e1fc80e9ae
Instruction ID: c116ee17534a278986a76c6790ad8438325b68262d5d2858a0440a11aec65bc4
Opcode Fuzzy Hash: a822258f7500212cf7d5e438ebbe1fa94c41afd5bbf469e6b257d2e1fc80e9ae
Instruction Fuzzy Hash: CBF0F9B1D04209EBCB10AF99D8499EEFFFCEF94744F10415AE415E2251D7B856058BB1

Function 00D6E180 Relevance: 7.7, APIs: 5, Instructions: 183
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,7889FE40,?,?,00000000,?,?,00000000,00D99E6B,000000FF), ref: 00D6E248
GetLastError.KERNEL32(?,?,00000000,00D99E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00D6E25A
CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,00D99E6B,000000FF,?,00000011), ref: 00D6E2A6
GetLastError.KERNEL32(?,?,00000000,00D99E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00D6E2AF
SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00D99E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 00D6E346

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: f2e4ad709db17d96f2f21e4a8eb05a96ee5d3dfd6b3a8ce9095dc04b7df79500
Instruction ID: 2c0b7ca3b69bb9ad532e0aa9da3f0be33e129cf03514b10058bd7961d2351482
Opcode Fuzzy Hash: f2e4ad709db17d96f2f21e4a8eb05a96ee5d3dfd6b3a8ce9095dc04b7df79500
Instruction Fuzzy Hash: 1F619B74910349DFDB24CFA8C885BEEBBA5FB08314F24462AF819D7380D774A944CBA4

Function 00D774EC Relevance: 7.5, APIs: 5, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D777CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,00D673B8), ref: 00D777E1
Part of subcall function 00D777CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,00D673B8), ref: 00D777F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,7889FE40,?,?,00000001,00000000,00D9A603,000000FF,?,00D790B9,?,?,00D65630,?), ref: 00D7752A
CloseHandle.KERNELBASE(?,?,?,00D790B9,?,?,00D65630,?,?,?,00000000,?,?,?,00000001,?), ref: 00D77544
DeleteCriticalSection.KERNEL32(?,?,00D790B9,?,?,00D65630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00D7755D
CloseHandle.KERNEL32(?,?,00D790B9,?,?,00D65630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00D77569
CloseHandle.KERNEL32(?,?,00D790B9,?,?,00D65630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00D77575

Part of subcall function 00D775ED: WaitForSingleObject.KERNEL32(?,000000FF,00D7770A,?,?,00D7777F,?,?,?,?,?,00D77769), ref: 00D775F3
Part of subcall function 00D775ED: GetLastError.KERNEL32(?,?,00D7777F,?,?,?,?,?,00D77769), ref: 00D775FF

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 7aabdd591a5a08129d9a730ba1f59410f81e409106cd8da9437ab7fb0a230ef2
Instruction ID: 678b0c0e32d47f4b65a2becd1d03cec7d46994fe2bbcca388c434e66f84f2de9
Opcode Fuzzy Hash: 7aabdd591a5a08129d9a730ba1f59410f81e409106cd8da9437ab7fb0a230ef2
Instruction Fuzzy Hash: CB118072504704EFC7229F64DC84FC6FBA9FB08750F40492AF16AD22A0DB71A941CB70

Function 00D80678 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D80689
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D8069A
IsDialogMessageW.USER32(00010444,?), ref: 00D806AE
TranslateMessage.USER32(?), ref: 00D806BC
DispatchMessageW.USER32(?), ref: 00D806C6

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: dac4fc4c27d1c86eca1aa255b270221581af86f7466258b7a29f2fd73dc57901
Instruction ID: 7915a8cdfea596e120fe9705a8d92839464905d5fd13ce0f3d246820c4babffd
Opcode Fuzzy Hash: dac4fc4c27d1c86eca1aa255b270221581af86f7466258b7a29f2fd73dc57901
Instruction Fuzzy Hash: 0BF0BDB1D0631AEB8B20BBA2EC4DEDB7FBCEF852917444515B506D2150E624D505CBB0

Function 00D82813 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00D828B3

Strings

MAX, xrefs: 00D82970
MIN, xrefs: 00D829A4
HIDE, xrefs: 00D8293D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _wcslen
String ID: HIDE$MAX$MIN
API String ID: 176396367-2426493550
Opcode ID: ec6b97e92b036eee7f97132119e73606c770c4533b0b71f1d2302b366e617623
Instruction ID: 3d284db615b3fa74c92f487d6190bf63253d0aa708d7419287ae294d4411f9f1
Opcode Fuzzy Hash: ec6b97e92b036eee7f97132119e73606c770c4533b0b71f1d2302b366e617623
Instruction Fuzzy Hash: BEA12A72C00258DFCF25EBA4C885AEDB7B8FF49310F14059AD445B7241DA319A89CF70

Function 00D6E948 Relevance: 6.1, APIs: 4, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6E94F
GetStdHandle.KERNEL32(000000F5,0000002C,00D72D28,?,?,?,?,00000000,00D7ABB6,?,?,?,?,?,00D7A80E,?), ref: 00D6E978
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D6E9BE

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FileH_prolog3_HandleWrite
String ID:
API String ID: 2898186245-0
Opcode ID: c2917afe6f5c9ed8fb6887f620600aeb2d48c33e9e0ad770f605aa52d9b0a553
Instruction ID: 95a9acc964edc93d9606fb33a49956b05377ae9e64db99b8ae52be5976107f64
Opcode Fuzzy Hash: c2917afe6f5c9ed8fb6887f620600aeb2d48c33e9e0ad770f605aa52d9b0a553
Instruction Fuzzy Hash: A7419A39A11218ABDF14DFA8D884BAEBB76FF84700F184119F801AB394CB719D44CBB1

Function 00D6EFEF Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6EFF6
CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,00D6EBA7,?,00000001,00000000,?,?,00000024,00D6A4DE,?,00000001,?,?), ref: 00D6F01F
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,00D6EBA7,?,00000001,00000000,?,?,00000024,00D6A4DE,?), ref: 00D6F075
GetLastError.KERNEL32(?,?,00000024,00D6EBA7,?,00000001,00000000,?,?,00000024,00D6A4DE,?,00000001,?,?,00000000), ref: 00D6F0E3

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CreateDirectory$ErrorH_prolog3_Last
String ID:
API String ID: 3709856315-0
Opcode ID: c96c999dc2cdbbf5f7bbb2d800bb08bc0fadd95abd1944ad8edfc61ab16fcfc4
Instruction ID: 5e160776483c80db77a1b8c2090d2a843b014079ff70f6a4e8773f0e93445f45
Opcode Fuzzy Hash: c96c999dc2cdbbf5f7bbb2d800bb08bc0fadd95abd1944ad8edfc61ab16fcfc4
Instruction Fuzzy Hash: 7C318175900609DBDF10EFE9E889AEEBBF8EF48340F14442AE541E3252D7349985CB75

Function 00D6E019 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00D6E5D2,?,?,00000000,?,00000000), ref: 00D6E029
ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,00D6E5D2,?,?,00000000,?,00000000), ref: 00D6E041
GetLastError.KERNEL32(?,?,?,00000000,00D6E5D2,?,?,00000000,?,00000000), ref: 00D6E073
GetLastError.KERNEL32(?,?,?,00000000,00D6E5D2,?,?,00000000,?,00000000), ref: 00D6E092

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 4415fc7d3e5f95a32c986af41f2d539eee3c1e9bafa74edecfccd6f241b04d5b
Instruction ID: 5d5e75f0584c4d770ba29be03ef6a758bf6c5a003193e031b452468b40f9ad99
Opcode Fuzzy Hash: 4415fc7d3e5f95a32c986af41f2d539eee3c1e9bafa74edecfccd6f241b04d5b
Instruction Fuzzy Hash: 83118E38510308EBDF309F69C804A7E37A9FB41361F24462AE466C6291D7F5DE44DB71

Function 00D77628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 00D7764C
SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,00D6736D,00D65AB0,?), ref: 00D77693

Part of subcall function 00D692EB: __EH_prolog3_GS.LIBCMT ref: 00D692F2

Part of subcall function 00D69500: __EH_prolog3_GS.LIBCMT ref: 00D69507

Strings

CreateThread failed, xrefs: 00D77658

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3_Thread$CreatePriority
String ID: CreateThread failed
API String ID: 3138599208-3849766595
Opcode ID: 6d57cd0ae9213ac939127faa403a9908282858792398684d2f706fe4d55eea57
Instruction ID: 57e27ea1cf9f07e2fa5b46706bf49f812ae378b46803d790ce3f37c926f0071c
Opcode Fuzzy Hash: 6d57cd0ae9213ac939127faa403a9908282858792398684d2f706fe4d55eea57
Instruction Fuzzy Hash: 9601D671348705AFE3146E68EC81F66739CEB85711F20052EF64A96284EAF16804C67C

Function 00D6DE9A Relevance: 4.6, APIs: 3, Instructions: 115fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6DEA1
CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,00D6E8F5,?,?,00D6A6B9,?,00000011,?), ref: 00D6DF15
CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,00D6D303,?,?,?), ref: 00D6DF65

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CreateFile$H_prolog3_
String ID:
API String ID: 1771569470-0
Opcode ID: d72e222fccef98605d405545c32ef83a043f59a1bf874d53d1d6f23af3d0fbbc
Instruction ID: 7fbdb59d6f688d4a9c67ab6d22ec62c15c889e24f3daf8bf9427dacfc9f996a4
Opcode Fuzzy Hash: d72e222fccef98605d405545c32ef83a043f59a1bf874d53d1d6f23af3d0fbbc
Instruction Fuzzy Hash: 1C417C70E102089FDB14DFA8E88ABEEB7F5EF08321F14561EF456E6281D774A9448B34

Function 00D76C5E Relevance: 4.6, APIs: 3, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D76C65
GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00D76C9A
LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00D76D0C

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: DirectoryH_prolog3_LibraryLoadSystem
String ID:
API String ID: 1552931673-0
Opcode ID: 0b6e1bac50b7b97b6e2a75c36a43f30a289dc8104d90f3d5eea9345d91418deb
Instruction ID: 9981b15dfbeb991610818ec07d2fe7909c3409b31da1f21a38bacec83f043120
Opcode Fuzzy Hash: 0b6e1bac50b7b97b6e2a75c36a43f30a289dc8104d90f3d5eea9345d91418deb
Instruction Fuzzy Hash: 78318E75D10248DBDB04EBE4C889BEEBBB8EF48314F14411AE509B7245EB74AA49CB71

Function 00D6F58B Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6F592
SetFileAttributesW.KERNELBASE(?,?,00000024,00D6A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00D6F5A8
SetFileAttributesW.KERNEL32(?,?,?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049), ref: 00D6F5EB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AttributesFile$H_prolog3_
String ID:
API String ID: 2559025557-0
Opcode ID: 15bc45146d461e1b727c2ed840a002e3708cbe0a6552b01ad13a323c0d84bb6f
Instruction ID: 7c6715e5f6d22d40b32477fc703e8f9655437361539518d020b93a3e40d51d1a
Opcode Fuzzy Hash: 15bc45146d461e1b727c2ed840a002e3708cbe0a6552b01ad13a323c0d84bb6f
Instruction Fuzzy Hash: FD11E475910609EBDF04EFA8E985ADEB7B8FF08311F54902AE405E7250DB349A94CB74

Function 00D6EC63 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6EC6A
DeleteFileW.KERNELBASE(?,00000024,00D6D6F7,?), ref: 00D6EC7D
DeleteFileW.KERNEL32(00000000,?,00000000), ref: 00D6ECBD

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: DeleteFile$H_prolog3_
String ID:
API String ID: 3558260747-0
Opcode ID: c51aa7897af2c455ffb3af927971298d5159c39d361693ce664b9af508aa2c1c
Instruction ID: 7b9a27a821a7f68bbc78e7f403bcf83f7ecb7c62ba784399ca7ed9df1cd3f911
Opcode Fuzzy Hash: c51aa7897af2c455ffb3af927971298d5159c39d361693ce664b9af508aa2c1c
Instruction Fuzzy Hash: B711D775D10219DBDF04DFA8E889EDEB7F8EF48311F18502AE405E7250D734A9848B78

Function 00D6ED1F Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6ED26
GetFileAttributesW.KERNELBASE(?,00000024,00D6ED16,00000000,00D6A4A1,7889FE40,?,00D6CDDD,?,?,?,?,?,?,?,?), ref: 00D6ED39
GetFileAttributesW.KERNELBASE(?,?,?), ref: 00D6ED79

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AttributesFile$H_prolog3_
String ID:
API String ID: 2559025557-0
Opcode ID: e5cc94e096147a24dc0f87f023a5f5a3f4df64859183b4a8771a313c258100d5
Instruction ID: 9abc57aa2f8fe63f4ce6aafca74d9893a6ed473463c1088c9a3e2b757519ac8a
Opcode Fuzzy Hash: e5cc94e096147a24dc0f87f023a5f5a3f4df64859183b4a8771a313c258100d5
Instruction Fuzzy Hash: C8110479910218DBCF04EFA8E9899EDB7F9EB48320F14552AE505F7380DA3099848F74

Function 00D6E3D5 Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,00D6E3B1,?,?,00000000,?,?,00D6CC21,?), ref: 00D6E55F
GetLastError.KERNEL32 ref: 00D6E56E

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6c2bb2994d21b3bec854624f05e5060e89f125586e61669362b5d97fea828ed2
Instruction ID: 4602957743df228c3cbd49eb98356f8c80e2c88b300a4e3a1d9014ce288a4ffc
Opcode Fuzzy Hash: 6c2bb2994d21b3bec854624f05e5060e89f125586e61669362b5d97fea828ed2
Instruction Fuzzy Hash: C141F538604345CBD724EF74D4846AAB3E5FF98360F18492DD88687241EB74FC458BB1

Function 00D6E772 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00D6E78C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00D6E840

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: d9ad2dcd98172ba5db3ba05ae10e6a5e180a126e27d329853940fcada83493e4
Instruction ID: d927342b3cc2612b409d2f8c64be0c70f8021eb8dcf6b34b60bfaa1f1a8e5b5e
Opcode Fuzzy Hash: d9ad2dcd98172ba5db3ba05ae10e6a5e180a126e27d329853940fcada83493e4
Instruction Fuzzy Hash: 2721EF39259385EFC714DE24C891AABBBE8AF95704F08891DF4C5C7181E329E90CDB72

Function 00D7FB4B Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D7FB52
SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,00DB535C), ref: 00D7FC24

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FileH_prolog3_Operation_wcslen
String ID:
API String ID: 3104323202-0
Opcode ID: febb91425be8b7d73fd4050d054fe963c41ab4e55e33499350f5ed72f46bdcdf
Instruction ID: bbf4b31adc1fc92b9e80d199d8aa98026cb90ce6c295bf6c318637a1f02b4504
Opcode Fuzzy Hash: febb91425be8b7d73fd4050d054fe963c41ab4e55e33499350f5ed72f46bdcdf
Instruction Fuzzy Hash: 3D310371D00348DADB21EFE9C896ADCBBB4FF08310F58412EE019A7296EB701A45CB30

Function 00D6E850 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00D6E897
GetLastError.KERNEL32 ref: 00D6E8A4

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 90919a74f3881f81f3cfd549ce81380460ec7821a19521df4a13a4ca87833306
Instruction ID: 59908606fbd905ad06656cb1a5aff236548b51cc54ee94d4c340b368df30acec
Opcode Fuzzy Hash: 90919a74f3881f81f3cfd549ce81380460ec7821a19521df4a13a4ca87833306
Instruction Fuzzy Hash: AE11E134600710ABE7249668C840BA6B3E9EB85360F640769E052D36D0D7B0FD09DBB4

Function 00D83C78 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D83C82
_wcslen.LIBCMT ref: 00D83C99

Part of subcall function 00D76A89: _wcslen.LIBCMT ref: 00D76AA6

Part of subcall function 00D6B03D: __EH_prolog3_GS.LIBCMT ref: 00D6B044

Part of subcall function 00D6B3E1: __EH_prolog3_GS.LIBCMT ref: 00D6B3E8

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3__wcslen$H_prolog3_catch_
String ID:
API String ID: 1265872803-0
Opcode ID: a20055fd460c5443f4fe831825e0675e19b0dd68e038454c4550cb69d61cbf77
Instruction ID: 414595a48b9ac3d3ca1ccb500dcd46c71d5ef06bf26152c526ba94930f2b9fdc
Opcode Fuzzy Hash: a20055fd460c5443f4fe831825e0675e19b0dd68e038454c4550cb69d61cbf77
Instruction Fuzzy Hash: 2E118E39901B91EFCB05FBA8B851BDC7BA4EB1A310F04429BE445E7357DBB05A448BB1

Function 00D61CE2 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D61CE9
GetDlgItem.USER32(?,?), ref: 00D61D01

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3_Item_wcslen
String ID:
API String ID: 896027972-0
Opcode ID: 3d032c1939008d6cb79f30d93c75e73918d1cba166ed27336fb7c734196bf698
Instruction ID: 1dc13956c4c0254c88d2e77a00010487e9e6dd32907834ac7aeaf3b9cfb19e90
Opcode Fuzzy Hash: 3d032c1939008d6cb79f30d93c75e73918d1cba166ed27336fb7c734196bf698
Instruction Fuzzy Hash: 63018F79640314DFDB20EFA8C886BEDB7E8EF54340F48010AF916A72A1CB709A45CB70

Function 00D776A7 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,00D776EA,00D70B6F), ref: 00D776B4
GetProcessAffinityMask.KERNEL32(00000000,?,00D776EA), ref: 00D776BB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: e19a8f802d0b8c9f87968458ea4d728b66fa1cfd105af26118812ef21cfeb8e9
Instruction ID: e5b57e3d060c2b3519c4cff8ee71233ab37a712940cf8cb4b9d5310175403567
Opcode Fuzzy Hash: e19a8f802d0b8c9f87968458ea4d728b66fa1cfd105af26118812ef21cfeb8e9
Instruction Fuzzy Hash: 71E0D833F24606A7CF1997AD9C059EF72DDEB44244718847AE417D3204F974DD0147B0

Function 00D7F53A Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00D99B73,000000FF), ref: 00D7F578
CoUninitialize.COMBASE(?,?,?,?,00D99B73,000000FF), ref: 00D7F57D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 798180b0934f48ff510b65fad882cfd0820ae0d5f5c01fd4bd5857e56e096220
Instruction ID: 31fb28ffdf3d43e2684c55d08d1195f0529045fae38720d5297640db35d825a6
Opcode Fuzzy Hash: 798180b0934f48ff510b65fad882cfd0820ae0d5f5c01fd4bd5857e56e096220
Instruction Fuzzy Hash: 52F05E76604A04EFC710DF59EC41B4AFBE8FB49760F00422AF416C3760DB74A800CAB4

Function 00D7E849 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D7E86A
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D7E871

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 45101601fe953db7df044cd381ee537d8270723b729a3e9da5f7e1887eaa5a95
Instruction ID: eee532f644b08423bba57bb926716c44134ab95e2898d00652e168eb69d990ce
Opcode Fuzzy Hash: 45101601fe953db7df044cd381ee537d8270723b729a3e9da5f7e1887eaa5a95
Instruction Fuzzy Hash: 41E01271901218EFCB10EF95C90579DB7F8EB48350F20C45AA88993701E674EE04EBB1

Function 00D61E1F Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00D61E34
ShowWindow.USER32(00000000), ref: 00D61E3B

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: d0eb5a6ef34317406c23034f65a556c1b773919a6250713b0316e576023f78ad
Instruction ID: b89fa8f26851464add1482706a0ad6ca4b52bfeb42391be5c7a349fb24bc06cd
Opcode Fuzzy Hash: d0eb5a6ef34317406c23034f65a556c1b773919a6250713b0316e576023f78ad
Instruction Fuzzy Hash: CDC012B205C300FFCB020BB4DC09D2ABBA8ABE4212F00CA08B0A5D0160C239C010DB31

Function 00D61CC4 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00D61CD2
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00D61CD9

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 43c90171282b50f8d976be1c450a388a76c51dea514e543f0865dcafc35e1fac
Instruction ID: 384ec847f332d1a827451f64b905cea76f37e21204a8cd22ab6651bdbc746435
Opcode Fuzzy Hash: 43c90171282b50f8d976be1c450a388a76c51dea514e543f0865dcafc35e1fac
Instruction Fuzzy Hash: 1BC00276408340FFCA015BA49D1882FBBA9AB95251B00DA49B5A5C0260C6358410DB31

Function 00D627E0 Relevance: 1.8, APIs: 1, Instructions: 306COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D627E7

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: ff59845c50437142ebd723b6421b7b375ad35436be87a796c00b0c3837956298
Instruction ID: f51758ebb9c687f90d566f7067a075c4f0a318fc41318e1d31119172901ece51
Opcode Fuzzy Hash: ff59845c50437142ebd723b6421b7b375ad35436be87a796c00b0c3837956298
Instruction Fuzzy Hash: 0DC17930A04A559BDF25DF68C894BFD7BA0AB4A300F1C40BAEC45DF29AC7749945CBB1

Function 00D79556 Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D797AB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: c1e90d0ba2f8d7f907df66c5f8f2238f12c37dd97916a9d9f3a5e8dfc03b1967
Instruction ID: ad918e8ffe99bc3e7d32464d1fbabc08fc75414fc649a2a03377efa041d3da72
Opcode Fuzzy Hash: c1e90d0ba2f8d7f907df66c5f8f2238f12c37dd97916a9d9f3a5e8dfc03b1967
Instruction Fuzzy Hash: 7381F4739043148FDB28EE68C89AB6EF7E5EB40310F18892EE45D97181F7B0994487B6

Function 00D620B0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D620B7

Part of subcall function 00D680EC: __EH_prolog3.LIBCMT ref: 00D680F3

Part of subcall function 00D72815: __EH_prolog3.LIBCMT ref: 00D7281C

Part of subcall function 00D676E7: __EH_prolog3.LIBCMT ref: 00D676EE

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 5d926db0b47271e02d5565ae04c59788f002a7ef2280b137c302f1414d22dc01
Instruction ID: 966478a5f001d84912baad32272d0caa2377c91f5215d323490c65d00d18e738
Opcode Fuzzy Hash: 5d926db0b47271e02d5565ae04c59788f002a7ef2280b137c302f1414d22dc01
Instruction Fuzzy Hash: 4C51D4B1A097808EDB45DF6A84807D9BBE0AF59300F0886BEDC4DCE69BD7744245CB71

Function 00D6B3E1 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6B3E8

Part of subcall function 00D6F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00D6A684,?,?,00000000,?,?,?,?,?,?), ref: 00D6F739

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CloseFindH_prolog3_
String ID:
API String ID: 2672038326-0
Opcode ID: 2ece2d862532b23ae9e87a7d84ca6f51f2cf946907124ee81c5b4db004f33883
Instruction ID: b45489c2d646377f3f0bbe49fe6a6c0fc056632e0be2e1d8b0f8e501764ce9bd
Opcode Fuzzy Hash: 2ece2d862532b23ae9e87a7d84ca6f51f2cf946907124ee81c5b4db004f33883
Instruction Fuzzy Hash: CA414C70900708CFDB20DF69C8816A9B7B1FF45318F54446EE15ADB352EB34A885CB35

Function 00D62C30 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D62C37

Part of subcall function 00D7880E: __EH_prolog3.LIBCMT ref: 00D78815

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID:
API String ID: 3355343447-0
Opcode ID: 1cba0a9a38c8b89a2b54a73fcba0d85a08214ddc5e83cbe94976fe805fb7fa46
Instruction ID: 5d9b4c6e7c941ced3116a9ab4a5410f30699290d1cbbd5a49acde820f3b8ed85
Opcode Fuzzy Hash: 1cba0a9a38c8b89a2b54a73fcba0d85a08214ddc5e83cbe94976fe805fb7fa46
Instruction Fuzzy Hash: F731397190064CEFCF19EBE4E8959EEBBB9EF18300F58442AF405A7251DB319989CB70

Function 00D676E7 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D676EE

Part of subcall function 00D74F2B: __EH_prolog3.LIBCMT ref: 00D74F32

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: e2f33e15f3a21c0e1274b2b3cd36afb800fc12e6638878fd79b715dc465e5551
Instruction ID: 715a06d5746868ad94d14485b25635393ad713e840deca718ff8f29132988e0f
Opcode Fuzzy Hash: e2f33e15f3a21c0e1274b2b3cd36afb800fc12e6638878fd79b715dc465e5551
Instruction Fuzzy Hash: DA4154B4806B85CAC725DF7AD1493DAFBE4AFA4300F10995FD0AE93361E7B025048F29

Function 00D797A4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D797AB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: d61870bd89c006dbfb7ff157f77524cc8352b03a7087bc77063f825e689cb00f
Instruction ID: 3e875ca1538dcec831ed5d62d44e6ce1efe33ff42faa0501c15123a32a9ff7e3
Opcode Fuzzy Hash: d61870bd89c006dbfb7ff157f77524cc8352b03a7087bc77063f825e689cb00f
Instruction Fuzzy Hash: DE21C5B2D006129FEF18AF749C5AA5EB6A8FF04314F19413AE909AB6C1E7709940C7F5

Function 00D6D771 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D6D778

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: dd47f4d270ecf40c3f2c6c2ef29ef85b1dd3ecf6d34ee6b2f86537a946802e00
Instruction ID: d4f97b1459fe1a62571eae1052a756bb44b9c0776faa4de4b6afabace16cb135
Opcode Fuzzy Hash: dd47f4d270ecf40c3f2c6c2ef29ef85b1dd3ecf6d34ee6b2f86537a946802e00
Instruction Fuzzy Hash: FB218675F0061A9BCB14DFE9DC81AAEB7BAEF84300F18401AE505A7201DB749E04CBB5

Function 00D6EAF3 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6EAFA

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: b9dbf8c778fc1e4170ba0b51f8fd23bb8c0fe8a138d6f5b89dd1915ab5fa5050
Instruction ID: e492f78b819534023c2106d41656a883e0b31dd1f066e2f65660e8ee6299b31f
Opcode Fuzzy Hash: b9dbf8c778fc1e4170ba0b51f8fd23bb8c0fe8a138d6f5b89dd1915ab5fa5050
Instruction Fuzzy Hash: 9E21A238601318AFDF20AE6CC846EEE73E9EF12750F185558F482A7181D7749E49C7B0

Function 00D8437D Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D84384

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: ea19871d286ac84a8a5a675087cbe435106e76fbf7f99e1d6554c240ba19cb92
Instruction ID: 0e3d74d7747b3ceb16ee9cbf0a8559bf67547cbb4bc48de0682b4753c3f303a6
Opcode Fuzzy Hash: ea19871d286ac84a8a5a675087cbe435106e76fbf7f99e1d6554c240ba19cb92
Instruction Fuzzy Hash: 48213B71940209EFDF08EFA8D886EDE7BF9EF48300F54411AE105E7291DA359A49CB75

Function 00D93129 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00D91DE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D900BA,00000001,00000364,?,00D86C16,?,?,?,?,?,00D85269,00D8535E), ref: 00D91E27

_free.LIBCMT ref: 00D93195

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1518d1659949646fcdc75e8b8cef56d87410417c591bed282bf1eeecc91b9cfd
Instruction ID: 6534f5c8af13e41910299a81bcb11c3472c2196ad809a9289c38380914bf835a
Opcode Fuzzy Hash: 1518d1659949646fcdc75e8b8cef56d87410417c591bed282bf1eeecc91b9cfd
Instruction Fuzzy Hash: 9801F9762043056BEB21CF65DC4595AFBD9FB86370F29061DE59493280EA30A905C774

Function 00D91DE6 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D900BA,00000001,00000364,?,00D86C16,?,?,?,?,?,00D85269,00D8535E), ref: 00D91E27

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b4156aaff7036196a9859abc61dba31313259155f224e9fd76b1d5def9096b0a
Instruction ID: 0f31adb7360e6510039306e49647b24f1b3cb91fcb63237e5d844f163d100637
Opcode Fuzzy Hash: b4156aaff7036196a9859abc61dba31313259155f224e9fd76b1d5def9096b0a
Instruction Fuzzy Hash: DAF05436705227A6EF266B669C05F5B7749EF41770B194121FC08EA190DA60DD1187F0

Function 00D9040E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00D8535E,?,?,00D86C16,?,?,?,?,?,00D85269,00D8535E,?,?,?,?), ref: 00D90440

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e50ffa45bd65a5becc8bae6a8167cdf2f2f739a669f3235b5adca55c964f4dd7
Instruction ID: 829acb96321884387f27d073bc6f2a47c699ea6df81fd7d1e13c1b70f2d1dfe4
Opcode Fuzzy Hash: e50ffa45bd65a5becc8bae6a8167cdf2f2f739a669f3235b5adca55c964f4dd7
Instruction Fuzzy Hash: 7DE06D326413259EEF2137A5BC01B5B3E8CDF417B0F2D4121EE88E6191DBA4CC0096F5

Function 00D6F711 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00D6F826: __EH_prolog3_GS.LIBCMT ref: 00D6F830
Part of subcall function 00D6F826: FindFirstFileW.KERNELBASE(?,?,00000274,00D6F733,000000FF,00000049,00000049,?,?,00D6A684,?,?,00000000,?,?,?), ref: 00D6F859
Part of subcall function 00D6F826: FindFirstFileW.KERNEL32(?,?,?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049), ref: 00D6F8A4
Part of subcall function 00D6F826: GetLastError.KERNEL32(?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049,?,00000000), ref: 00D6F902

FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00D6A684,?,?,00000000,?,?,?,?,?,?), ref: 00D6F739

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorH_prolog3_Last
String ID:
API String ID: 765066492-0
Opcode ID: 81df23e6e555d8ce09d704f05c8e05550c3ae58e0b127d1d29f7377c9678c83f
Instruction ID: d9b38cec9cc02f652000feab6cc6d7e2a7885476000c60450e2c8b6aa9709198
Opcode Fuzzy Hash: 81df23e6e555d8ce09d704f05c8e05550c3ae58e0b127d1d29f7377c9678c83f
Instruction Fuzzy Hash: FAF0A735009B50AFCE215B645805A8B7FD1AF17374F044B49F0FD12192C63090559F36

Function 00D773F8 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00D7742D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 1c728a6c5bfe4dc9a6a9b191a07a163c1abf7412fc3bff56d669af4de6949969
Instruction ID: 922ee7d578683d1a856af203fa670cd4054ec23cbab28fd6f91d25ca364b8e27
Opcode Fuzzy Hash: 1c728a6c5bfe4dc9a6a9b191a07a163c1abf7412fc3bff56d669af4de6949969
Instruction Fuzzy Hash: 68D0121164915037EA15372568AA7FD2A0A8FCB315F094466B10D56283EA940846A3BA

Function 00D611DD Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D61206

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 679acea3c257f309f3b37c7a6b0c56e7ba53015130158bd6b89df0f0531ea031
Instruction ID: b04bd54de99af62ee7b30a5299fe3f59933aa6e635fbcadea76637f9c6f9dc6e
Opcode Fuzzy Hash: 679acea3c257f309f3b37c7a6b0c56e7ba53015130158bd6b89df0f0531ea031
Instruction Fuzzy Hash: DED0177A6026024B8628EB38847692E62A09E54306358422DF02ACA685EB21C8558739

Function 00D7EB06 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00D7EB0C

Part of subcall function 00D7E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D7E86A

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
Instruction ID: 401cc9e6d9f5a15f248df677aa6ec752f45511d3b0b3eb61ec7cb16d0994014e
Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
Instruction Fuzzy Hash: EAD0A930200209BADF013F34CC02D7E7B98EF08340F00C161B84A85190FAB0EE10A2B1

Function 00D84231 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00D84256

Part of subcall function 00D80678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D80689
Part of subcall function 00D80678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D8069A
Part of subcall function 00D80678: IsDialogMessageW.USER32(00010444,?), ref: 00D806AE
Part of subcall function 00D80678: TranslateMessage.USER32(?), ref: 00D806BC
Part of subcall function 00D80678: DispatchMessageW.USER32(?), ref: 00D806C6

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 9daaac6a025d04259a83e21eed0b55f06ab2ad3759f72293430b814d4866faa9
Instruction ID: bf45a0102e37727877c92503ccc9210a5dada0dea7252e8eb4f8b7bed0ffb8fe
Opcode Fuzzy Hash: 9daaac6a025d04259a83e21eed0b55f06ab2ad3759f72293430b814d4866faa9
Instruction Fuzzy Hash: C1D09276148300EBDA523B52DE0BF0A7AE2EB88B04F404694B349741B1D662DE30AB32

Function 00D84D2C Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D84DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00D84DF2

DloadProtectSection.DELAYIMP ref: 00D84D54

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AcquireDloadExclusiveLockProtectSection
String ID:
API String ID: 3680172570-0
Opcode ID: cc7aee3cfcb304eae74d86391208d5c0c79093bbda465e2441f8f576b3bddf30
Instruction ID: 98156d664fadc58a65023830480dc443bc0713312bf8e9da643f2e3536d6c4f8
Opcode Fuzzy Hash: cc7aee3cfcb304eae74d86391208d5c0c79093bbda465e2441f8f576b3bddf30
Instruction Fuzzy Hash: 4CD01234100762DEC712FB24AC4B7582350F704308F8D0B85F292C62A8CFB44450D731

Function 00D6E152 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00D6E052,?,?,?,00000000,00D6E5D2,?,?,00000000,?,00000000), ref: 00D6E15E

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 14124be558a3e1e6a94a931bcde28f1007f2ca55c014f7924eec845fdba5103d
Instruction ID: 5e61eec42fd1526f8835307b121471718023554b7dfc009e3cf1b899dc9b3613
Opcode Fuzzy Hash: 14124be558a3e1e6a94a931bcde28f1007f2ca55c014f7924eec845fdba5103d
Instruction Fuzzy Hash: 45C00278410309D78E314A289C494997722AA533A6BB89795D02DC96A1C33A8D97FA61

Function 00D849D5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d177e090c994ce3a4bfa7aced970569fc9d2e2db5c95b952aaedc20e96bfb284
Instruction ID: b377789a782bfae5d5c0faa086a759ed26bf400f30fd064f8889549ac663139f
Opcode Fuzzy Hash: d177e090c994ce3a4bfa7aced970569fc9d2e2db5c95b952aaedc20e96bfb284
Instruction Fuzzy Hash: BEB0128226D112BD320471183E02D37014EDAC5B50331451EF001C1141E4448C440672

Function 00D849C1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1ffb1157d016e40b37d9988ff908562ec38e79fd3ee7a488229c05ce982e2451
Instruction ID: d869352314c7c9093d7559e95b22e545df4ee5a6a891bf996fb9f4b4c04aed60
Opcode Fuzzy Hash: 1ffb1157d016e40b37d9988ff908562ec38e79fd3ee7a488229c05ce982e2451
Instruction Fuzzy Hash: 15B0129225D212BD334472183E02D37010DC6C5B50331461EF001C1141E4448C840672

Function 00D84999 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 747e1b9ad0bf454243d56cb5807e3d742981a9246478866896fce0d95bbfba56
Instruction ID: 350bb0a7c02f1c90b834387c6743a3c51b896be0ecb5b00b760973392a82a69b
Opcode Fuzzy Hash: 747e1b9ad0bf454243d56cb5807e3d742981a9246478866896fce0d95bbfba56
Instruction Fuzzy Hash: C7B0129235C212BD334471183E02D37010CC6C5F50330561EF001C1141E4448D840A32

Function 00D8498F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c0d3d7a6c17d85a1da575df73808ca95803f5bedb985f542774c4fbeabcaec32
Instruction ID: dd221740401766e556de38a35101b127467dcf0d4680d85a6ccabf395aa639e0
Opcode Fuzzy Hash: c0d3d7a6c17d85a1da575df73808ca95803f5bedb985f542774c4fbeabcaec32
Instruction Fuzzy Hash: 26B0129235C112BD320471183E02D37010CCAC6F50330951EF401C1181E4448D440A32

Function 00D84985 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b11bcd6a69a5732134830d227d48cbc4384ea1a5620c45ca171cd0ceff0bf63
Instruction ID: 5908d05ccf54aab3e97e0ab4243adbb49308a4b8630181712ad99fc7bf31de18
Opcode Fuzzy Hash: 2b11bcd6a69a5732134830d227d48cbc4384ea1a5620c45ca171cd0ceff0bf63
Instruction Fuzzy Hash: E9B0128225C112BD330871683E02D37010CD6C5B50330891EF005C1241E4448C480632

Function 00D849B7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 901c0909b86a46739e142d6f65b20d4a309e0bbeacc4bd02ed7373dc5c2dc272
Instruction ID: bd72472380076ad71496a9e7c0b8cc6d1998993a4ea6014cd1381db0748fb792
Opcode Fuzzy Hash: 901c0909b86a46739e142d6f65b20d4a309e0bbeacc4bd02ed7373dc5c2dc272
Instruction Fuzzy Hash: 1DB0128225D112BD320471183E02D37010DC6C6B50331851EF401C11C1E4448C440672

Function 00D849A3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 159596cedb43b59fc920b048b4e8c50702faf34fe4a677842778b9f348687599
Instruction ID: 10c0c6fa8f68039bbd1ffc145926c56745998b589868c8492c12b486b15314da
Opcode Fuzzy Hash: 159596cedb43b59fc920b048b4e8c50702faf34fe4a677842778b9f348687599
Instruction Fuzzy Hash: D3B0129235C112BD320471183F02D37010CC6C5F50330555EF401C1141E4458E450A32

Function 00D8495D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aed7d802af0a22a1d8838434fa77c5b2f726775c22981dafac95d8ea306660f8
Instruction ID: c8277c21ae7f8542fdf28a2269eefe7d6e7343af2cffc9dd27aaad6f006fdcad
Opcode Fuzzy Hash: aed7d802af0a22a1d8838434fa77c5b2f726775c22981dafac95d8ea306660f8
Instruction Fuzzy Hash: A0B0128625C212BD320471183E02D3B010CE6C5B50330451EF001C1241E444CC440732

Function 00D84953 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 255ba55a6698573064ba52f53f2977032986bc24fe2d3710109703c3cd810775
Instruction ID: 8281ef2a0d6c391adb2893f91211fad169a3ebee2e6f70d360a3b84c6a4694c3
Opcode Fuzzy Hash: 255ba55a6698573064ba52f53f2977032986bc24fe2d3710109703c3cd810775
Instruction Fuzzy Hash: B8B0128625C312BD320471183F02D3B010CD6C5B50330455EF401C1241E445CE450632

Function 00D84949 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ee2ccc374d7dbdac0dfe6bf9b0d25d419d1c27b9def4fd1f115c4cd48224d66e
Instruction ID: 3b07ecf78de6906c7c0e2846b44c45779e70c2ccf0377a1f4e2c7572495b7a9c
Opcode Fuzzy Hash: ee2ccc374d7dbdac0dfe6bf9b0d25d419d1c27b9def4fd1f115c4cd48224d66e
Instruction Fuzzy Hash: 89B0128625C312BD334471183E02D3B010CD6C5B50330461EF001C1241E444CC840632

Function 00D8497B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12df914c7600471cb5bb9baf97325d65e1f753344d6e92d51b9998276ecd9a4b
Instruction ID: bb3cc5cf6a9e3c238c0b7923d08a43ff8814f48d916b8723fe00d028e6ff62e4
Opcode Fuzzy Hash: 12df914c7600471cb5bb9baf97325d65e1f753344d6e92d51b9998276ecd9a4b
Instruction Fuzzy Hash: FDB0128225C112BD330871183F03D37010CC6C5B50330855EF405C1241E4458D4D0632

Function 00D84967 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c451250ef601791967fbdd89a40a05e02653b2632e9b0899fbdb7ab0c11f74f4
Instruction ID: 402a1166957790491b60a6972c670742562decf554d5fbfb3da7face7bafb171
Opcode Fuzzy Hash: c451250ef601791967fbdd89a40a05e02653b2632e9b0899fbdb7ab0c11f74f4
Instruction Fuzzy Hash: D7B0128225C113BD330875183E02D37010CC6C6B50330C51EF405C1281E4448C480732

Function 00D84906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d1f996936f1f094db4d2c94dffaecf158d5fab5423b4c4e4e57656eeedfc6c18
Instruction ID: 6c941bd55f08b92dce583537fea3549a645064606296934ccb6a316919fd73cf
Opcode Fuzzy Hash: d1f996936f1f094db4d2c94dffaecf158d5fab5423b4c4e4e57656eeedfc6c18
Instruction Fuzzy Hash: 72B0129225C112BD320432143F02D77010CC6C1B50330455EF401D0042E8469D450536

Function 00D8493F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5e712f1345c15752764e38718668308b6176fe9042c3abb2cbef82379c30cbf2
Instruction ID: 7bc0a19acee0544be38d834ec4999042e251a2ddebe2d2e0ec43d811b479dcd9
Opcode Fuzzy Hash: 5e712f1345c15752764e38718668308b6176fe9042c3abb2cbef82379c30cbf2
Instruction Fuzzy Hash: 5AB0128625C212BD320471183E02D3B010CD6C6B50330851EF401C1281E444DC440632

Function 00D84935 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d6fd3e4e2a79ebb346b408aa79fbd9b0df068316e716a3ecde6dbba2aa2ac432
Instruction ID: c2f71790659513e7324be8931b942be237ff918ed3390f11a6cfb5d9a46cf6fa
Opcode Fuzzy Hash: d6fd3e4e2a79ebb346b408aa79fbd9b0df068316e716a3ecde6dbba2aa2ac432
Instruction Fuzzy Hash: 30B012C226C212BD320471187E02D37011CD6C5B50330461FF001C1141E4448C440636

Function 00D8492B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69b4cdca75011959786f463c95c89abc52cd1f9a7e716bed5be25abaf2c0f70b
Instruction ID: 5882081bd7717940e21a0b884b3ea839cfb6e1e50f07e66ba7d00bab5b7da7f1
Opcode Fuzzy Hash: 69b4cdca75011959786f463c95c89abc52cd1f9a7e716bed5be25abaf2c0f70b
Instruction Fuzzy Hash: FDB012C225C112BD320471187F02D37011CC6C5B50370475EF401C1141E4458D450636

Function 00D84921 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d4f4126038023b92d609f816743676ea116548b872a4daa268bc401f924495a
Instruction ID: 21e5aae333266c05473ff9373b768c59adfbfba430a501e06c60fc2814c94545
Opcode Fuzzy Hash: 5d4f4126038023b92d609f816743676ea116548b872a4daa268bc401f924495a
Instruction Fuzzy Hash: E4B012C225C212BD334471187E02D37011CC6C5B50330471EF001C1141E4448C840636

Function 00D84A07 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85a36c1032c6847777dc38de921822ff913dbffcd890363e00b1c606af9486fc
Instruction ID: 0dc251e67e96f126619128cbb7f16562e42efb0249d8e785aa2cffdcb835d47e
Opcode Fuzzy Hash: 85a36c1032c6847777dc38de921822ff913dbffcd890363e00b1c606af9486fc
Instruction Fuzzy Hash: 90B0128225C112BD321471197E03D37010CC6C6B50330891EF401C5581E4448C440632

Function 00D84B8A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1e8a658364cdfae6f1ed015c7a73b7fca090005d7d28881c0a7af6fc667e8c2f
Instruction ID: 64dae1a6cd7c3de592150b06daa856cf01fc859cd6c87c458773c5b151b35407
Opcode Fuzzy Hash: 1e8a658364cdfae6f1ed015c7a73b7fca090005d7d28881c0a7af6fc667e8c2f
Instruction Fuzzy Hash: 0CB0129235C112FD310471091E13E3B015CC6C2F10330911FF401C1281D440EC440231

Function 00D84B58 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 50b16a3ceb3cf354e818132dbe8393224249e5f95030ad6848ebe45a69190539
Instruction ID: 36e3127ba0ec95f659235cedcd754e9690c283362080231746dd6f68d390ed0d
Opcode Fuzzy Hash: 50b16a3ceb3cf354e818132dbe8393224249e5f95030ad6848ebe45a69190539
Instruction Fuzzy Hash: F3B0129235C112BD320471095E03E37015CC6C2F10330531FF001C1181D4409C880235

Function 00D84B62 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b14bc4595b5d5abd5d5343ccb21aab76aa85c65be690322fa8eb91f137f379c4
Instruction ID: f9ef82d89010b34cae9017ca065d29f919df2f2e5f904084035a63c714bde0d8
Opcode Fuzzy Hash: b14bc4595b5d5abd5d5343ccb21aab76aa85c65be690322fa8eb91f137f379c4
Instruction Fuzzy Hash: 39B0129235C012BD310471095F03E37115CC7C2F10330931FF101C1141D4409C450235

Function 00D84C99 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c651e657f35675d199f71068248a84bf4404d0b139897b56b853f23d16261b1
Instruction ID: 0a931d52288f57c18d5513742124782b5357ab0eb6abbd8acd657a8be9763680
Opcode Fuzzy Hash: 2c651e657f35675d199f71068248a84bf4404d0b139897b56b853f23d16261b1
Instruction Fuzzy Hash: 33B0128265D012FD3144712A5E02D37011CC6C1B10331852FF401C1181D4404C480231

Function 00D84CB7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4c9893b4b83bfed4f6c432e95708e2097166dab2583277337ca74be45b68030e
Instruction ID: fe2a584099aaf4d750db5db1b321dd86113e328fc4d82223584895788411ea1a
Opcode Fuzzy Hash: 4c9893b4b83bfed4f6c432e95708e2097166dab2583277337ca74be45b68030e
Instruction Fuzzy Hash: 91B0128225D013FD3144711A5E02E36011CC6C1B10331452FF001C1541D4404C480231

Function 00D84CAD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4f513c0e17356d378d9d30a9bea564cb706ac361290b356864e6c0b366247f9
Instruction ID: 832594df95388913c03f9efda998972f2a032e135dcedb151fa0c82c619e9785
Opcode Fuzzy Hash: d4f513c0e17356d378d9d30a9bea564cb706ac361290b356864e6c0b366247f9
Instruction Fuzzy Hash: 41B0128225D012FD3144711A5F02D37011CC7C1B10331852FF101C1141D4404C490231

Function 00D84C7E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0cf0933db3909746246fff44c62a353bd652366bf3abf3dc101e8ed6645760dd
Instruction ID: e9b67787ebfc71057fa656ae44a33933899c46c37678864053fbe2175cf071ae
Opcode Fuzzy Hash: 0cf0933db3909746246fff44c62a353bd652366bf3abf3dc101e8ed6645760dd
Instruction Fuzzy Hash: 3EB0128669D012FD310431061F02C36011CCFD1B11331861FF101C0042D4404C450131

Function 00D84D18 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84CF1

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aada9fc54b9b72ffdf79cadfc0cf11235789d2ee27224c2f310742adeeeff357
Instruction ID: 87130cd864486796251c32fa0c24d91ce52f6d5987b88c52ccec2fd1ace6f67f
Opcode Fuzzy Hash: aada9fc54b9b72ffdf79cadfc0cf11235789d2ee27224c2f310742adeeeff357
Instruction Fuzzy Hash: 79B0128625D113BD314472485E02D77010CC7C2B10330811EF401C21C1D4404C8C0231

Function 00D84D04 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84CF1

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12f8970d09929bfc4d4ec716bc0b269abc73a67fd393305e59f289c46df3a597
Instruction ID: 8dd388d48ef3d4521b39ef9fdc3b1b2cb13c14672468f88527eaf8c9e790bada
Opcode Fuzzy Hash: 12f8970d09929bfc4d4ec716bc0b269abc73a67fd393305e59f289c46df3a597
Instruction Fuzzy Hash: DBB0128625D213BD328471489E02D37010CC7C1B10330422EF001C1141D4414CCA0231

Function 00D84D22 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84CF1

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 891eff87ca32c193ea4e8d76fcb7d43c7e4661a6967c8daf01e268b29e5f8e7c
Instruction ID: 5d802315e0ec69ea59f18aefe27b32468d96f394e62274496d9fe536cfac6178
Opcode Fuzzy Hash: 891eff87ca32c193ea4e8d76fcb7d43c7e4661a6967c8daf01e268b29e5f8e7c
Instruction Fuzzy Hash: 93B0128625D113BD314471489E02D37010CD7C1B10330412EF001C1141D4404C8A0231

Function 00D72226 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00D72233

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 91389c242371aff78d6e490549e10d69945193356f7ae50ecd08682446a85473
Instruction ID: 49f01444a9988c34e47becda05eba1ec7ac72c7e00c11f8c5cdd81a27e7335e4
Opcode Fuzzy Hash: 91389c242371aff78d6e490549e10d69945193356f7ae50ecd08682446a85473
Instruction Fuzzy Hash: 89C04870211200DF8704CFA8DA8CA0A77EABFA2706B81D469F448CF122D734DD60DA39

Function 00D849D0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f545fdb60975946f506f517dd373aa83aecb1129cc0fff916c9c6b8a0b1880ca
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: f545fdb60975946f506f517dd373aa83aecb1129cc0fff916c9c6b8a0b1880ca
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D849F8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0bfb679ca28fd1c37568f04a662c6127a780dc3950d6bde1937500ed9b596120
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: 0bfb679ca28fd1c37568f04a662c6127a780dc3950d6bde1937500ed9b596120
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D849EE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe01c5b59fb2e24687bc38a4d7b6fc1234628b82f6586816b7c52b64865aa7fa
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: fe01c5b59fb2e24687bc38a4d7b6fc1234628b82f6586816b7c52b64865aa7fa
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D849E4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfd280e3d68d94f9bf05533eaba6ffc3bbea13d18db95d6402b8b219969a9bb6
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: cfd280e3d68d94f9bf05533eaba6ffc3bbea13d18db95d6402b8b219969a9bb6
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D849B2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 072bbc43a9d6c92f53d4d40f115fd9b4521c4f31c2455e0ecebd14a7866a29f1
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: 072bbc43a9d6c92f53d4d40f115fd9b4521c4f31c2455e0ecebd14a7866a29f1
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D84976 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b3f3a0dc6c161acbc3ce150fc88bf900147e3c130d91bae2ac6ea97190d8d8c8
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: b3f3a0dc6c161acbc3ce150fc88bf900147e3c130d91bae2ac6ea97190d8d8c8
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D84A02 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84918

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec3a7bda9b3e1ca149b7379b39ae556f6b675217851818f3b87affd5610db354
Instruction ID: 4d07426b438d5a643106e06cb3f0af9bcaf88119768796b1484f0f1dca707ab7
Opcode Fuzzy Hash: ec3a7bda9b3e1ca149b7379b39ae556f6b675217851818f3b87affd5610db354
Instruction Fuzzy Hash: EDA002D76AD123BC321872617F07D3B021DD9CAFA13718E5EF542C5482F8899D891A76

Function 00D84B85 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4f23af990a4c5dacb408b0c938466d77a02e7bd9ce3fd0d124948ee6d5c66b13
Instruction ID: f4b0aff05127a5667ff04e496ac27bbb9d93354a3baeb0a98af23863bf8b6967
Opcode Fuzzy Hash: 4f23af990a4c5dacb408b0c938466d77a02e7bd9ce3fd0d124948ee6d5c66b13
Instruction Fuzzy Hash: 52A002E73AD123BC310872566F17E3B125DC9C7F61331AA1FF542C5086E884AC891635

Function 00D84B53 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c1f3289618e74e019393a0d03956175f1c2058df362a422d9de9ea79a95c39b5
Instruction ID: f4b0aff05127a5667ff04e496ac27bbb9d93354a3baeb0a98af23863bf8b6967
Opcode Fuzzy Hash: c1f3289618e74e019393a0d03956175f1c2058df362a422d9de9ea79a95c39b5
Instruction Fuzzy Hash: 52A002E73AD123BC310872566F17E3B125DC9C7F61331AA1FF542C5086E884AC891635

Function 00D84B49 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c88837e9eae07fa6bac25b7cd827fe8bf01fab2c8c24bcc5b7283ca230fa5a2f
Instruction ID: f4b0aff05127a5667ff04e496ac27bbb9d93354a3baeb0a98af23863bf8b6967
Opcode Fuzzy Hash: c88837e9eae07fa6bac25b7cd827fe8bf01fab2c8c24bcc5b7283ca230fa5a2f
Instruction Fuzzy Hash: 52A002E73AD123BC310872566F17E3B125DC9C7F61331AA1FF542C5086E884AC891635

Function 00D84B7B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: be37b0c65576be048395f5479a7b7ba04f0b68bbe7b7421cde57672aa2929c50
Instruction ID: f4b0aff05127a5667ff04e496ac27bbb9d93354a3baeb0a98af23863bf8b6967
Opcode Fuzzy Hash: be37b0c65576be048395f5479a7b7ba04f0b68bbe7b7421cde57672aa2929c50
Instruction Fuzzy Hash: 52A002E73AD123BC310872566F17E3B125DC9C7F61331AA1FF542C5086E884AC891635

Function 00D84B71 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4bdfdf87163fcfef833e72ff6c819cec161ab392cb767d0cb31fa670a44aaf80
Instruction ID: f4b0aff05127a5667ff04e496ac27bbb9d93354a3baeb0a98af23863bf8b6967
Opcode Fuzzy Hash: 4bdfdf87163fcfef833e72ff6c819cec161ab392cb767d0cb31fa670a44aaf80
Instruction Fuzzy Hash: 52A002E73AD123BC310872566F17E3B125DC9C7F61331AA1FF542C5086E884AC891635

Function 00D84B2E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84B3B

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5758000ab751c5479df0b83de02d661e5c514bcbaf25870952dec197717a012e
Instruction ID: 2db1717a2c365a4b3d911b2fe0ebdedf2a8b40370a248bac1578b34875486455
Opcode Fuzzy Hash: 5758000ab751c5479df0b83de02d661e5c514bcbaf25870952dec197717a012e
Instruction Fuzzy Hash: C0A001A62AD1227C31087256AE17E3B125DC9D2F21331A61EF541D5086A894A9891635

Function 00D84CDA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3a6f8dd9341a929ece24d1cc29d4e573b3f27e1f56527e22e7ba7faf9087f39a
Instruction ID: c081be51f89da6e86724c9baa708b183090221bb9f911aa1bb900cd6a53a24d6
Opcode Fuzzy Hash: 3a6f8dd9341a929ece24d1cc29d4e573b3f27e1f56527e22e7ba7faf9087f39a
Instruction Fuzzy Hash: 8DA002D76AE127FC314872536F07D3B021DC9C6F613328E1EF542C5482E8845C891635

Function 00D84CD0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6b7c28c051344db3f2f434234e70e86d0b1438a048789acfdc87117aa6fbc34
Instruction ID: c081be51f89da6e86724c9baa708b183090221bb9f911aa1bb900cd6a53a24d6
Opcode Fuzzy Hash: e6b7c28c051344db3f2f434234e70e86d0b1438a048789acfdc87117aa6fbc34
Instruction Fuzzy Hash: 8DA002D76AE127FC314872536F07D3B021DC9C6F613328E1EF542C5482E8845C891635

Function 00D84CC6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ed8935237ad21da104da6623a0669f1983ecc494ddf33cf6d0be339437fefa35
Instruction ID: c081be51f89da6e86724c9baa708b183090221bb9f911aa1bb900cd6a53a24d6
Opcode Fuzzy Hash: ed8935237ad21da104da6623a0669f1983ecc494ddf33cf6d0be339437fefa35
Instruction Fuzzy Hash: 8DA002D76AE127FC314872536F07D3B021DC9C6F613328E1EF542C5482E8845C891635

Function 00D84CFF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84CF1

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e413b91ef671ef97779f6407b1a13096db59c4e3c2591cba898d77c5be67fcff
Instruction ID: e88a3793771c9550e1f9fa0ae4c3c163fb2501ce7ddec59c295df0dbfcdd2fed
Opcode Fuzzy Hash: e413b91ef671ef97779f6407b1a13096db59c4e3c2591cba898d77c5be67fcff
Instruction Fuzzy Hash: C4A002DB2AE523BC31487291AF07D3B121DDAD6F653318A1EF542C5082E9855CCD1635

Function 00D84CE4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84CF1

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7be93ca9e022e0ed61dd5116e2fb122fde86afdc11a8375add182aa30f6c6241
Instruction ID: 816dad44486807cdfd3fc384d475a8e5ffbd6cb7ab5d8f3df99b85393387ae34
Opcode Fuzzy Hash: 7be93ca9e022e0ed61dd5116e2fb122fde86afdc11a8375add182aa30f6c6241
Instruction Fuzzy Hash: 2AA002DF2AE523BD31487291AF07D3B121DDAD2F25331861EF541D5082E9855CCD1675

Function 00D84CA8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84C90

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5e42dbe278d1f83c4e4641638dfe15803a374476406750cba7ca7a84b1459ec0
Instruction ID: c081be51f89da6e86724c9baa708b183090221bb9f911aa1bb900cd6a53a24d6
Opcode Fuzzy Hash: 5e42dbe278d1f83c4e4641638dfe15803a374476406750cba7ca7a84b1459ec0
Instruction Fuzzy Hash: 8DA002D76AE127FC314872536F07D3B021DC9C6F613328E1EF542C5482E8845C891635

Function 00D61DE7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,?), ref: 00D61DFC

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: a62c7883ba8591df22a7a990ca2cf751dae5f010d71f5904415e124bb21b5e95
Instruction ID: 50a7f67c95dea06789a374748cddad9e0908ac0ba147061b609b7aeacb845e8b
Opcode Fuzzy Hash: a62c7883ba8591df22a7a990ca2cf751dae5f010d71f5904415e124bb21b5e95
Instruction Fuzzy Hash: 5DC0EA75508200EF8B05CB58D948D1ABBA6BB95311B518558F05486120C331D920DB62

Function 00D84D13 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D84CF1

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5608d1f8e0c454f4673b5ae1854bbba4ab0044ff795d10ccc6b27dffd66f80cd
Instruction ID: e88a3793771c9550e1f9fa0ae4c3c163fb2501ce7ddec59c295df0dbfcdd2fed
Opcode Fuzzy Hash: 5608d1f8e0c454f4673b5ae1854bbba4ab0044ff795d10ccc6b27dffd66f80cd
Instruction Fuzzy Hash: C4A002DB2AE523BC31487291AF07D3B121DDAD6F653318A1EF542C5082E9855CCD1635

Function 00D6E8D9 Relevance: 1.5, APIs: 1, Instructions: 5fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00D6D115,?,?,?,?,?,?,?), ref: 00D6E8DC

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: f9e42e2823d46dfcc433aaf372023fd736b769756afcaa98372a730ccd83bb23
Instruction ID: 1c56473688b44c99a4dabe500afd1613915a5b2427a43195a5dc39c44844cbf1
Opcode Fuzzy Hash: f9e42e2823d46dfcc433aaf372023fd736b769756afcaa98372a730ccd83bb23
Instruction Fuzzy Hash: 25A00230211245CBDB411F72DE0970E7B6ABF426D9B59D0A9A40DC9171DB27CCB3EA51

Function 00D6DE50 Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00D6DE10,7889FE40,?,00000000,00D993B1,000000FF,?,00D6BEA6,?), ref: 00D6DE6B

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8122f10653fd6418364e0097b879e5aa29555e941ed4b54ecb8770e942d06437
Instruction ID: 90bc1d1b543e501dbe9e4810be3e562fecff633e9dc5b54c4517df118d5ea2e1
Opcode Fuzzy Hash: 8122f10653fd6418364e0097b879e5aa29555e941ed4b54ecb8770e942d06437
Instruction Fuzzy Hash: BFF0E270941B018BD7308E24E414362B3E46B21325F084B0EE0E64A5E5C372A889DA70

Non-executed Functions

Function 00D69B5C Relevance: 23.3, APIs: 9, Strings: 4, Instructions: 577fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D69CB1

Part of subcall function 00D6AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D6AC2E
Part of subcall function 00D6AC11: GetLastError.KERNEL32 ref: 00D6AC72
Part of subcall function 00D6AC11: CloseHandle.KERNEL32(?), ref: 00D6AC81

Part of subcall function 00D62F45: _wcslen.LIBCMT ref: 00D62F50

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00D69EE1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,788A0988,00D99937,000000FF), ref: 00D69F1E
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 00D6A0BF

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00D6A127
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,788A0988,00D99937,000000FF), ref: 00D6A134
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,788A0988,00D99937,000000FF), ref: 00D6A14A
RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,788A0988,00D99937,000000FF), ref: 00D6A18E
DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,788A0988,00D99937,000000FF), ref: 00D6A196

Strings

SeRestorePrivilege, xrefs: 00D69BBD
\??\, xrefs: 00D69C0B
UNC\, xrefs: 00D69CAB, 00D69CB0, 00D69CCD
SeCreateSymbolicLinkPrivilege, xrefs: 00D69BC7

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3517300771-3508440684
Opcode ID: e1053a42ad8bfd3da7f94204b7e61718547791b87fb1413632286856ab43187d
Instruction ID: 73b47f554edb2c5f24c335f99171e08959893e5165ef60357276f85514afadfd
Opcode Fuzzy Hash: e1053a42ad8bfd3da7f94204b7e61718547791b87fb1413632286856ab43187d
Instruction Fuzzy Hash: 8C326F759002889FDB24DFA8CC91BEE77F9EF15314F14416AE849E7281DB34AA48CB71

Function 00D81630 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 275windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D8163A

Part of subcall function 00D61E44: GetDlgItem.USER32(00000000,00003021), ref: 00D61E88
Part of subcall function 00D61E44: SetWindowTextW.USER32(00000000,00D9C6C8), ref: 00D61E9E

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D816BB
EndDialog.USER32(?,00000006), ref: 00D816CE
GetDlgItem.USER32(?,0000006C), ref: 00D816EA
SetFocus.USER32(00000000), ref: 00D816F1

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Part of subcall function 00D61DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00D61DFC

SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D81763
FindFirstFileW.KERNEL32(?,?), ref: 00D81783
FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00D81826
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D818AD

Part of subcall function 00D61150: _wcslen.LIBCMT ref: 00D6115B

Strings

REPLACEFILEDLG, xrefs: 00D8164F
%s %s, xrefs: 00D81869, 00D8199A

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
String ID: %s %s$REPLACEFILEDLG
API String ID: 485132379-439456425
Opcode ID: 820dfa34b4d8812c32ec87cc34fedc6e1acb8e2140b0296f3860fd8f0fd363b8
Instruction ID: 2f12c5eaaba6f26ad9e42d0be81698cc1b4042681980503dd7f8a0e4f0197caf
Opcode Fuzzy Hash: 820dfa34b4d8812c32ec87cc34fedc6e1acb8e2140b0296f3860fd8f0fd363b8
Instruction Fuzzy Hash: DDA18D75940218EBDB21FBA0CC4AFEEB77DEF15300F044195B249A3182EA759B498F71

Function 00D9480E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D94954

Strings

1#SNAN, xrefs: 00D95B53
1#INF, xrefs: 00D95B61
1#QNAN, xrefs: 00D95B5A
1#IND, xrefs: 00D95B4C

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ecd30e2b40e874bdba4c86c6597378e3200fa0b7a64cd0a411f04a22a491bccb
Instruction ID: 5d1a27dc953b2b792ac9502f43a2663c0cd5494d6079e292930ad5bb323810fb
Opcode Fuzzy Hash: ecd30e2b40e874bdba4c86c6597378e3200fa0b7a64cd0a411f04a22a491bccb
Instruction Fuzzy Hash: A8C24B71E046298FDF25CE28ED40BEAB7B5EB44305F1841EAD84DE7245E774AE818F60

Function 00D63D9D Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00D6438C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D64523

Strings

CMT, xrefs: 00D64551

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 2172594012-2756464174
Opcode ID: e4d83e7e5e3face104551abe4ddf8ade88cdc46002996ec5d68f8473aa90dbc1
Instruction ID: 21e6651f69e420ef86ff9d1d74aab1d1bdfbc447338ec06f533d541dc9e7d45a
Opcode Fuzzy Hash: e4d83e7e5e3face104551abe4ddf8ade88cdc46002996ec5d68f8473aa90dbc1
Instruction Fuzzy Hash: DF72C071A003448FDB18DF68C8957EA7BA1FF59300F08857EEC5A9B282DB74A945CB71

Function 00D86878 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D86884
IsDebuggerPresent.KERNEL32 ref: 00D86950
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D86970
UnhandledExceptionFilter.KERNEL32(?), ref: 00D8697A

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d09458605392dfe0bb17cdb8205fdaef0649db77676414e37c94d6b1f3528ad1
Instruction ID: 645a5a446a65bea02d16d718b369afb6745d646cf4e6f0388ac900819b5ed607
Opcode Fuzzy Hash: d09458605392dfe0bb17cdb8205fdaef0649db77676414e37c94d6b1f3528ad1
Instruction Fuzzy Hash: 1E312975D453189BDB11EFA4D989BCCBBB8FF08304F1051EAE40CAB250EB719A848F64

Function 00D6932C Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D6952D,?,00000040,00D6931E,00000001,?,?,?,?,0000001C,00D77618,00DAE0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00D69330
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,00D6952D,?,00000040,00D6931E,00000001,?,?), ref: 00D69351
_wcslen.LIBCMT ref: 00D69360
LocalFree.KERNEL32(00000000,00000000,00000000,00DAE0C8,?,?,00D6952D,?,00000040,00D6931E,00000001,?,?,?,?,0000001C), ref: 00D69373

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage_wcslen
String ID:
API String ID: 991192900-0
Opcode ID: 321081c986e6b0edf7e3ff1728f29a7f0be36708e1237d77f8e608932f5144d1
Instruction ID: 138d728c1f305d440bfc6ed9ef1402701f8b1d280243d4c8e9f672fc413b3920
Opcode Fuzzy Hash: 321081c986e6b0edf7e3ff1728f29a7f0be36708e1237d77f8e608932f5144d1
Instruction Fuzzy Hash: BDF08279510304FBEB04EBA19D05EFF776CEB85740B14801AF502E6290CA709E01D678

Function 00D84E14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00D84D59,0000001C,00D84F4E,00000000,?,?,?,?,?,?,?,00D84D59,00000004,00DB5D84,00D84FDE), ref: 00D84E25
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D84D59,00000004,00DB5D84,00D84FDE), ref: 00D84E40

Strings

D, xrefs: 00D84E34

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 3d4830026248ed07192c3bfbd6cea7e898e37cab51fc70f9bdf80cb177c0f7a1
Instruction ID: 2fe7f1ae7e419cd48c3c36707c40d283fbc180c5483d7391c493da57f58daa6d
Opcode Fuzzy Hash: 3d4830026248ed07192c3bfbd6cea7e898e37cab51fc70f9bdf80cb177c0f7a1
Instruction Fuzzy Hash: C401A7726002096BDB14EE29DC05BEE7BA9AFC4328F0CC125FD59DB255DB34D91187A0

Function 00D8AAC4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00D8535E), ref: 00D8ABBC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00D8535E), ref: 00D8ABC6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00D8535E), ref: 00D8ABD3

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c786d5b1176b05f65e6db2530f370076fe6ae7f18445f021f9a0302909d14a23
Instruction ID: c34b57628833ce4852267e2c1dcf109bd8a6834346e947bb5abce70a7ed392e0
Opcode Fuzzy Hash: c786d5b1176b05f65e6db2530f370076fe6ae7f18445f021f9a0302909d14a23
Instruction Fuzzy Hash: 2B31C2749013189BCB21EF68D988B98BBB8EF08310F5051DAE41CA7261EB749F818F65

Function 00D91FF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00D9218B

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2c947078abe9e32b7e2f8a03f1d9ad9cd5ced6d2afea07bceeba9960f70216dd
Instruction ID: 62f7fe7b0cde210a4584e0c3545cef74dbc363b5a1e89b2abd86edc0c8727de4
Opcode Fuzzy Hash: 2c947078abe9e32b7e2f8a03f1d9ad9cd5ced6d2afea07bceeba9960f70216dd
Instruction Fuzzy Hash: 5931CF72900209BBDF249E78CC84EFABBADDB85314F1802A9F91997251E6319E45CB70

Function 00D94360 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
Instruction ID: 03fd03a356302baefa269de03f9f8195a01234046aa77fbbe18c15356539d8e0
Opcode Fuzzy Hash: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
Instruction Fuzzy Hash: DC024D71E002199FDF14CFA9C980AAEB7F1EF49314F298269D919E7345D731AD42CBA0

Function 00D7FD34 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D7FD6A
GetNumberFormatW.KERNEL32(00000400,00000000,?,00DA9714,?,?), ref: 00D7FDB3

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 038770f95a0dd1203547ba039ba503bcbdd95688ec1fc8f28e8583bbb9ff0616
Instruction ID: a260fbb103e6a0bb6efc943ea6dfb7e56d53b739108c47bdc54c40fcfce33cb5
Opcode Fuzzy Hash: 038770f95a0dd1203547ba039ba503bcbdd95688ec1fc8f28e8583bbb9ff0616
Instruction Fuzzy Hash: A7115E79220358EBDB10DF64EC41BEAB7F8EF08700F00542AB506E72A1E670A908C779

Function 00D648AA Relevance: 2.0, Strings: 1, Instructions: 776COMMON

Download Yara Rule

Strings

CMT, xrefs: 00D65131

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 9f0853d474702c545f76524ae7ab0b7827423d7165e416e8ded84dd0c8be457e
Instruction ID: c768c4291605997a690512d857f8195f8e45dfad1ac3f6787d4a1a1a07b45322
Opcode Fuzzy Hash: 9f0853d474702c545f76524ae7ab0b7827423d7165e416e8ded84dd0c8be457e
Instruction Fuzzy Hash: D5629371A00649AFDF08DF64C891BED7BA4FF19314F088179EC499B286DB74A944CBB1

Function 00D986D2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D986CD,?,?,00000008,?,?,00D9836D,00000000), ref: 00D988FF

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bab2bb2ac01626aad8300aab1f70b582045885efeeab642d8c63cf94212cd8ed
Instruction ID: be2bbff96e40626dc74f9e3ea761b1c1e6a03dcbd49ae50d39c9bf53a918c5e5
Opcode Fuzzy Hash: bab2bb2ac01626aad8300aab1f70b582045885efeeab642d8c63cf94212cd8ed
Instruction Fuzzy Hash: 7DB15B316106089FDB15CF28C48AB647BE0FF46764F698658E8DACF2A1C735D982DF50

Function 00D86694 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D866AA

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bc6978c7b5cecfccaed81bb5ebb7104ced232a1df207145c102abf382a775991
Instruction ID: 9d3042a918622be3d1a19670c165c0367676271490326913b9209a85e1c67194
Opcode Fuzzy Hash: bc6978c7b5cecfccaed81bb5ebb7104ced232a1df207145c102abf382a775991
Instruction Fuzzy Hash: EC517BB2911305CFEB14CF59D8856AABBF0FB44324F28896AD505EB391D375D940CBB0

Function 00D703BE Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00D703ED

Part of subcall function 00D70469: __EH_prolog3.LIBCMT ref: 00D70470

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3Version
String ID:
API String ID: 2775145068-0
Opcode ID: c41cebf7d1075b57f4d1104fec50ffbc3064817ed3a99ad54081d8333fcdba6b
Instruction ID: ac09ec2879543fe0c6dc467ba1891293e715b7cca9a2128ea5468bf97b538f00
Opcode Fuzzy Hash: c41cebf7d1075b57f4d1104fec50ffbc3064817ed3a99ad54081d8333fcdba6b
Instruction Fuzzy Hash: 12F08C30804348CAEB24DF74EC197E87FA0AB1234CF448469D64AA7392E7B8848DCB31

Function 00D65AFE Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

gj, xrefs: 00D65BCE

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 52c1349138ac8b719603e7acdcf6a0a177ce02469cd2d4541116033aa9d04224
Instruction ID: e3cb9efae16194e40d51096bc9eea6ff44d15540729e781bebaf8a7c4cb8c185
Opcode Fuzzy Hash: 52c1349138ac8b719603e7acdcf6a0a177ce02469cd2d4541116033aa9d04224
Instruction Fuzzy Hash: ADD138B2A183458FC354CF69D88065AFBE2BFC9308F59492DE998D7301D734A949CF92

Function 00D86A0B Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00D86445), ref: 00D86A10

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4f4455ae3edc5dfa79701489de5c65ec84c515077f1dffc9caeff897e72b72d8
Instruction ID: e3acb42983734f373db860ee31486970858c85a687d704546702177864482ab0
Opcode Fuzzy Hash: 4f4455ae3edc5dfa79701489de5c65ec84c515077f1dffc9caeff897e72b72d8
Instruction Fuzzy Hash:

Function 00D92CE0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00D92CE0

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f1f6fc93eacf4d30e87fb156920e673049094201f21af62c4ef053fe7ac156d0
Instruction ID: ce300679d4691974ec481ed1f56295035414bb45b9d71a1994e7a2bd1d253b65
Opcode Fuzzy Hash: f1f6fc93eacf4d30e87fb156920e673049094201f21af62c4ef053fe7ac156d0
Instruction Fuzzy Hash: 15A02230202300CFAB008F30AF0830E3AE8FE002C0388802EB00ACA330EF38C000CB20

Function 00D7ABC8 Relevance: 1.0, Instructions: 977COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
Instruction ID: 44e7de373bf7de29ca5fd1f770b8d8ad3f6428cca72126beae4592616e86f418
Opcode Fuzzy Hash: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
Instruction Fuzzy Hash: 3882E4356047859FCB29CF28C4907BABBE1AF95314F18C95ED8DE8B346E730A945CB21

Function 00D65F39 Relevance: .9, Instructions: 899COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5dc683f424ca3e3b90f170d092ddfbd13c5edb0810bc368677be806e2779c3
Instruction ID: ef5f8180afda5658aa7310ce95f186419c8d72046ec33939e4488fda3adee525
Opcode Fuzzy Hash: 7d5dc683f424ca3e3b90f170d092ddfbd13c5edb0810bc368677be806e2779c3
Instruction Fuzzy Hash: 3E823C65D39F895EE3039A3884021E7F3A86EF71C9F46E71FF8A431526E721A6C75201

Function 00D7C27F Relevance: .9, Instructions: 880COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
Instruction ID: 85ab1a4974e9a951b1db97effd0775542f023f2958dfcc0990eee0037de3a188
Opcode Fuzzy Hash: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
Instruction Fuzzy Hash: 0C72F3716143858FCB19CF6CC8906A9BBE2BF95304F18D56DE89E8B346E730E945CB21

Function 00D75214 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
Instruction ID: c5362454c6730695338d775638d58e292890981a01a052cd0bbe2659252d6224
Opcode Fuzzy Hash: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
Instruction Fuzzy Hash: 4C524B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00D7BC05 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13b0eb2895bc5e597969e36ed56e0313cb298e28c21dcaadfb5e4361172a7d2
Instruction ID: b53059bb05afbe2d6bbfcb13efb3fa5f97315ac846fd84ec77dab44da93a21b0
Opcode Fuzzy Hash: d13b0eb2895bc5e597969e36ed56e0313cb298e28c21dcaadfb5e4361172a7d2
Instruction Fuzzy Hash: DF12D1706147068FD728CF28C891BB9B7E0FF54318F14892EE89AC7281E774E995CB65

Function 00D746CF Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78205abfc10fe48b6bf866e955dab9830ad473c26cf3a3535fd3e9520843539
Instruction ID: 49622a32986ffc4dcd2905f189388fb07e8f8ef8885208d1d0385091b5302f41
Opcode Fuzzy Hash: f78205abfc10fe48b6bf866e955dab9830ad473c26cf3a3535fd3e9520843539
Instruction Fuzzy Hash: 3FE13BB5908390DFC344CF29D49046ABBF0AB99300F464A6EF5D497352D335EA16DFA2

Function 00D7A222 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c88b65260b2f4f112facfb1ecb65f78ae03855b8e125f13aee392aa49e2464a
Instruction ID: c81b7e8ec90fd055ce166e4e42c7b165fa687176455d4aab1f1732fd2e28eaf3
Opcode Fuzzy Hash: 0c88b65260b2f4f112facfb1ecb65f78ae03855b8e125f13aee392aa49e2464a
Instruction Fuzzy Hash: 0F9112312083414BD725DF6CD885BAE77D2EBD0308F14892DE9CE8B282E675D8858773

Function 00D8C0D6 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a92f22a004291f93a7c43976e4c0fa1cd48dd3cf5f06cc941271daece0c5d8b
Instruction ID: 8ce78b33a1c858bb379e539970f8bfa44f9ebca51c700c9dfd5cd28b7e585410
Opcode Fuzzy Hash: 0a92f22a004291f93a7c43976e4c0fa1cd48dd3cf5f06cc941271daece0c5d8b
Instruction Fuzzy Hash: 46617C71630708D6DE34BAB858D9BBE7398DF05B04F58341AE882DB2C2D635DD468379

Function 00D8BEA7 Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: b133d2e6fb37467ad95a765e286d61ade3ef08bc0962a08c6cdc2572595c4833
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 9C517861210745DADF35B92888567FF2B99DF02360F1C155BEA82C7782C726ED05C735

Function 00D74D32 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ac09e1220197574b8c1f088bad7bbff7d7e0b3297a68e67d70a1fb8b834b12
Instruction ID: 5b011d79faf294728ec59180bef2523457fc40be2c22edfd16a72b2d1d5cc432
Opcode Fuzzy Hash: 90ac09e1220197574b8c1f088bad7bbff7d7e0b3297a68e67d70a1fb8b834b12
Instruction Fuzzy Hash: 9251E5315083954FC712DF28C5505AEFFE0AEDA314F4A8999F4E95B242E331DA4ACB72

Function 00D75F0B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da4a09a5690c38a7539a49b275772a51fcc381439fac3e469f37f25632b4c50
Instruction ID: 087869adcb7be947d717d71b495a5dd79771f6066e0459cb8cb06e6af96229af
Opcode Fuzzy Hash: 2da4a09a5690c38a7539a49b275772a51fcc381439fac3e469f37f25632b4c50
Instruction Fuzzy Hash: 7051DDB1A087119FC758CF29D88055AF7E1FF88314F058A2EF899E7340DB30E9598B96

Function 00D7A008 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
Instruction ID: e51b8c65e337ad15a44df1563e6697e3bf8566e6a4f1a1a40431c6d19f63856c
Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
Instruction Fuzzy Hash: B53112B1614B068FCB14DF28C85116EBBE1FB95304F148A2DE8DAC3342D335E809CBA2

Function 00D67CBA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
Instruction ID: c8571ab5f0f197b931409a9fa9715cf880c340b01122bfa278b845ed701ae9cd
Opcode Fuzzy Hash: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
Instruction Fuzzy Hash: D041F930505B15CFC71ADF38D4559A6B7E0FF8A704B1248AFD06A8B221EB30E604DF69

Function 00D892D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 406873f0a5518e838752d5893d61fa0909871e47fae60b5532392fa6c8954e0b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0E1190B720014243D605A67ED4F46FBE399FBC6321B6C437AE0C34B7D8D222E941AB20

Function 00D73EAA Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D73EEA

Part of subcall function 00D6F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6F6CD

Part of subcall function 00D789ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00DAE088,?,00000007,00D733E2,?,?,00000050,7889FE40), ref: 00D78A0A

_strlen.LIBCMT ref: 00D73F0B
SetDlgItemTextW.USER32(?,00DA919C,?), ref: 00D73F64
GetWindowRect.USER32(?,?), ref: 00D73F9A
GetClientRect.USER32(?,?), ref: 00D73FA6
GetWindowLongW.USER32(?,000000F0), ref: 00D74051
GetWindowRect.USER32(?,?), ref: 00D74081
SetWindowTextW.USER32(?,?), ref: 00D740B0
GetSystemMetrics.USER32(00000008), ref: 00D740B8
GetWindow.USER32(?,00000005), ref: 00D740C3
GetWindowRect.USER32(00000000,?), ref: 00D740F3
GetWindow.USER32(00000000,00000002), ref: 00D74165

Strings

CAPTION, xrefs: 00D74098
$%s:, xrefs: 00D73ED3
d, xrefs: 00D73FC6

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 80ef92bef7c2842039c71744e2453572ae03d72f1ec6909952f36b708c65b203
Instruction ID: 4d70305f6485d88f9234b4061a948c374ed1d44d02dcfe8e151c632aa4f78366
Opcode Fuzzy Hash: 80ef92bef7c2842039c71744e2453572ae03d72f1ec6909952f36b708c65b203
Instruction Fuzzy Hash: 6C817B72508301EFD715DF68CD89A6BBBE9EB89704F04591DF989D3290E730E909CB62

Function 00D861A7 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00DB60E0,00000FA0,?,?,00D86185), ref: 00D861B3
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00D86185), ref: 00D861BE
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D86185), ref: 00D861CF
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D861E1
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D861EF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D86185), ref: 00D86212
DeleteCriticalSection.KERNEL32(00DB60E0,00000007,?,?,00D86185), ref: 00D86235
CloseHandle.KERNEL32(00000000,?,?,00D86185), ref: 00D86245

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D861B9
kernel32.dll, xrefs: 00D861CA
SleepConditionVariableCS, xrefs: 00D861DB
WakeAllConditionVariable, xrefs: 00D861E7

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: a0ee091f60b588f050a74b6c1653107ef04fff93d5971f7f05e2a17e9b6940a1
Instruction ID: dd205647b4cc000b23dd4a28c313b80dc30a8c7651f5b5542f96c26e7d270eb6
Opcode Fuzzy Hash: a0ee091f60b588f050a74b6c1653107ef04fff93d5971f7f05e2a17e9b6940a1
Instruction Fuzzy Hash: 0901A771E50711EFDB207B76AC0DF563B68EB44B51F084562FD1ED2350EA64C8008B71

Function 00D937D2 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D93816

Part of subcall function 00D933B1: _free.LIBCMT ref: 00D933CE
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D933E0
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D933F2
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D93404
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D93416
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D93428
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D9343A
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D9344C
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D9345E
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D93470
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D93482
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D93494
Part of subcall function 00D933B1: _free.LIBCMT ref: 00D934A6

_free.LIBCMT ref: 00D9380B

Part of subcall function 00D903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?), ref: 00D903EA
Part of subcall function 00D903D4: GetLastError.KERNEL32(?,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?,?), ref: 00D903FC

_free.LIBCMT ref: 00D9382D
_free.LIBCMT ref: 00D93842
_free.LIBCMT ref: 00D9384D
_free.LIBCMT ref: 00D9386F
_free.LIBCMT ref: 00D93882
_free.LIBCMT ref: 00D93890
_free.LIBCMT ref: 00D9389B
_free.LIBCMT ref: 00D938D3
_free.LIBCMT ref: 00D938DA
_free.LIBCMT ref: 00D938F7
_free.LIBCMT ref: 00D9390F

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 92f63002e25cb5221f3e549bf817017e5a40b17640556188d3f0a0a4cb7a2bc2
Instruction ID: 3970cd2f5f170515cbddd208b8e5c00fdd73d0f2b1f2cd3f0ab5ff262f3d5a20
Opcode Fuzzy Hash: 92f63002e25cb5221f3e549bf817017e5a40b17640556188d3f0a0a4cb7a2bc2
Instruction Fuzzy Hash: 05317E316043049FEF21AA79E845B6AB7E9EF00310F194529F458E7651DFB2EE84CB70

Function 00D7D912 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D7D919

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

_wcslen.LIBCMT ref: 00D7D97B
_wcslen.LIBCMT ref: 00D7D99A
_wcslen.LIBCMT ref: 00D7D9B6
_strlen.LIBCMT ref: 00D7DA14
GlobalAlloc.KERNEL32(00000040,?,00000000,00D9D9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00D7DA2D
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00D7DA54

Strings

<html>, xrefs: 00D7D95F
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00D7D937
</html>, xrefs: 00D7D9B0, 00D7D9B5, 00D7D9BD
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00D7D976, 00D7D982

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 1185167184-1533471033
Opcode ID: dda015fba82f1184cd5dcfbfa92648f95b84980212646d4db8f4d5950c259866
Instruction ID: 2fc8c771150922eea99c13bdbb873567751c7c796c12f454d74b790dce8af64f
Opcode Fuzzy Hash: dda015fba82f1184cd5dcfbfa92648f95b84980212646d4db8f4d5950c259866
Instruction Fuzzy Hash: D3514F71D00218AFEB04EBA4CD46BEEBBB9EF55310F144019E509BB285EB705E45CBB5

Function 00D83796 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00D837C4
GetClassNameW.USER32(00000000,?,00000080), ref: 00D837F0

Part of subcall function 00D78DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00D70E3F,?,?,?,00000046,00D71ECE,00000046,?,exe,00000046), ref: 00D78DBA

GetWindowLongW.USER32(00000000,000000F0), ref: 00D8380C
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D83823
GetObjectW.GDI32(00000000,00000018,?), ref: 00D83837
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D83860
DeleteObject.GDI32(00000000), ref: 00D83867
GetWindow.USER32(00000000,00000002), ref: 00D83870

Strings

STATIC, xrefs: 00D837F6

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: aee3f970e8b1e5dae8a9709ec653b7b9d5c91bd3eb20052f4e40b2c8d802eccb
Instruction ID: d67c93e3c6a50177edd3297002ab2af7c0b7d3a1fad01ef416e4a0e5a27d24d8
Opcode Fuzzy Hash: aee3f970e8b1e5dae8a9709ec653b7b9d5c91bd3eb20052f4e40b2c8d802eccb
Instruction Fuzzy Hash: E021D072548710FBE620BB24DC4AFEF77ACEF89B50F044625FA09E62D1EB60890547B5

Function 00D8FF11 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D8FF25

Part of subcall function 00D903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?), ref: 00D903EA
Part of subcall function 00D903D4: GetLastError.KERNEL32(?,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?,?), ref: 00D903FC

_free.LIBCMT ref: 00D8FF31
_free.LIBCMT ref: 00D8FF3C
_free.LIBCMT ref: 00D8FF47
_free.LIBCMT ref: 00D8FF52
_free.LIBCMT ref: 00D8FF5D
_free.LIBCMT ref: 00D8FF68
_free.LIBCMT ref: 00D8FF73
_free.LIBCMT ref: 00D8FF7E
_free.LIBCMT ref: 00D8FF8C

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0b7495241e2e44433e2e3e1baf8602d4182d2284d2411714dcff3ed85358d1f8
Instruction ID: 7093fe61ee9851fe0f2b5634dec65068908376edbec2cd3297abe10c00d9b1f3
Opcode Fuzzy Hash: 0b7495241e2e44433e2e3e1baf8602d4182d2284d2411714dcff3ed85358d1f8
Instruction Fuzzy Hash: 2011427651414CBFCF41EF94D942CDD3FA9EF08350B5142A5BA089B262DA72EA50DBA0

Function 00D89AB1 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D89BD0
___TypeMatch.LIBVCRUNTIME ref: 00D89CDE
_UnwindNestedFrames.LIBCMT ref: 00D89E30
CallUnexpected.LIBVCRUNTIME ref: 00D89E4B
_abort.LIBCMT ref: 00D89E50

Strings

csm, xrefs: 00D89AEE
csm, xrefs: 00D89C07
csm, xrefs: 00D89B5B

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 42d1d3174de12b18ff4bc7a47cc562995f9deba557a7b4219cb9983d1df1df75
Instruction ID: afa02be2d7da55db3c9ee9bc3529376d133d5b038b1bb51fc4044255efcbb80f
Opcode Fuzzy Hash: 42d1d3174de12b18ff4bc7a47cc562995f9deba557a7b4219cb9983d1df1df75
Instruction Fuzzy Hash: 3FB14775800209EFCF15EFA8D9A19BEFBB5EF04310B1C445AE8856B212D731EA51CBB5

Function 00D6D990 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6D99A
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00D6D9BF
GetLongPathNameW.KERNEL32(?,?,?), ref: 00D6DA11
GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00D6DA34
GetShortPathNameW.KERNEL32(?,?,?), ref: 00D6DA84
MoveFileW.KERNEL32(-00000040,-00000028), ref: 00D6DC9F
MoveFileW.KERNEL32(-00000028,-00000040), ref: 00D6DCEC

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Strings

rtmp, xrefs: 00D6DBB8

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
String ID: rtmp
API String ID: 2388273531-870060881
Opcode ID: 6f0e4eb42678ba550065cfcc23222a85f0ad9acb47844f3d7ce231a7121d3c05
Instruction ID: 69de4feb98850c8ea5f652052fd4f6a431bdea94f8314316cc2618abfe63565f
Opcode Fuzzy Hash: 6f0e4eb42678ba550065cfcc23222a85f0ad9acb47844f3d7ce231a7121d3c05
Instruction Fuzzy Hash: B1B1E570E01258DBCF20EFA8DC85ADDBBB9AF59305F484099E449A7251DB309B89CF70

Function 00D71E54 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D71E5B
_wcslen.LIBCMT ref: 00D71E87

Strings

sfx, xrefs: 00D71ED2
rar, xrefs: 00D71F2E, 00D71FC9, 00D71FCE, 00D71FD6
exe, xrefs: 00D71EAB
.rar, xrefs: 00D71E81, 00D71E86, 00D71E8E

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3__wcslen
String ID: .rar$exe$rar$sfx
API String ID: 3251556500-630704357
Opcode ID: 1ae9ed0aef0ae8e1bfd8a7faf1256881e5867e24ea86a83dc67e00c793fa3f84
Instruction ID: 025054f08d3b6c2dee9f481d125fc7014820ae6865fcc95695aacea061f1124d
Opcode Fuzzy Hash: 1ae9ed0aef0ae8e1bfd8a7faf1256881e5867e24ea86a83dc67e00c793fa3f84
Instruction Fuzzy Hash: F571E435A007509BCB21EFACC941ABDB7F4EF48B10F64861EF4899B291EB719946C770

Function 00D853D0 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00D704AB,00D704AD,00000000,00000000,7889FE40,00000001,00000000,00000000,?,00D7038C,?,00000004,00D704AB,ROOT\CIMV2), ref: 00D85459
MultiByteToWideChar.KERNEL32(00000000,00000000,00D704AB,?,00000000,00000000,?,?,00D7038C,?,00000004,00D704AB), ref: 00D854D4
SysAllocString.OLEAUT32(00000000), ref: 00D854DF
_com_issue_error.COMSUPP ref: 00D85508
_com_issue_error.COMSUPP ref: 00D85512
GetLastError.KERNEL32(80070057,7889FE40,00000001,00000000,00000000,?,00D7038C,?,00000004,00D704AB,ROOT\CIMV2), ref: 00D85517
_com_issue_error.COMSUPP ref: 00D8552A
GetLastError.KERNEL32(00000000,?,00D7038C,?,00000004,00D704AB,ROOT\CIMV2), ref: 00D85540
_com_issue_error.COMSUPP ref: 00D85553

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: f44aa32e38320559ab5823775bf65fb807a22bdcfccf08150dfc5862f4e9b2a0
Instruction ID: 1eb61a1f25ae92c7660b242d753e4f6d16743f4606b056e1dc113bd0f4fdaca1
Opcode Fuzzy Hash: f44aa32e38320559ab5823775bf65fb807a22bdcfccf08150dfc5862f4e9b2a0
Instruction Fuzzy Hash: 8B41F571A00705ABCB10EF69EC45BAEBBA9EB48710F24426AF509E7385D734D940CBB5

Function 00D70469 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D70470

Part of subcall function 00D70360: __EH_prolog3.LIBCMT ref: 00D70367

VariantClear.OLEAUT32(?), ref: 00D705FA

Strings

Windows 10, xrefs: 00D705E2
ROOT\CIMV2, xrefs: 00D7049B
Name, xrefs: 00D705D3
WQL, xrefs: 00D7051E
SELECT * FROM Win32_OperatingSystem, xrefs: 00D7050C

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3$ClearVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 4196654922-3505469590
Opcode ID: 25818f85be910b133e69bdfbfa70d3e736ab472630e828b32ff78a77988234db
Instruction ID: db221c5f3c63c5549bd114e0e9e378ba5059505493c1b06b73a71c77c85c2648
Opcode Fuzzy Hash: 25818f85be910b133e69bdfbfa70d3e736ab472630e828b32ff78a77988234db
Instruction Fuzzy Hash: F8612671A10219EFDB14DFA4CC95AAEBBB8FF88714B44415DE506E72A0DB30AD01CBB0

Function 00D7E07E Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D7E085
_wcslen.LIBCMT ref: 00D7E1B7

Strings

<br>, xrefs: 00D7E199
<style>, xrefs: 00D7E1C8
</style>, xrefs: 00D7E1E5
</p>, xrefs: 00D7E183
, xrefs: 00D7E1AA, 00D7E1B6, 00D7E1BE

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID: $</p>$</style>$<br>$<style>
API String ID: 3746244732-3393513139
Opcode ID: 8b2773b9c5d39b504e674481624c1613a2ff69dd01dc998947bf27ecd7c9d7df
Instruction ID: ab60c337e34dd81e606fe6aab3d7b13a7ffea5089b17e1dc5c8faef0339f6db0
Opcode Fuzzy Hash: 8b2773b9c5d39b504e674481624c1613a2ff69dd01dc998947bf27ecd7c9d7df
Instruction Fuzzy Hash: FC510635B4031296DF309A28881277673A6EF69741F9CC099FDC9AB2C1FB758D8083B4

Function 00D806D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D61E44: GetDlgItem.USER32(00000000,00003021), ref: 00D61E88
Part of subcall function 00D61E44: SetWindowTextW.USER32(00000000,00D9C6C8), ref: 00D61E9E

EndDialog.USER32(?,00000001), ref: 00D80720
SendMessageW.USER32(?,00000080,00000001,00030431), ref: 00D80747
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,00050E00), ref: 00D80760
GetDlgItem.USER32(?,00000065), ref: 00D8077C
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D80790
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D807A6

Strings

LICENSEDLG, xrefs: 00D806E4

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: MessageSend$Item$DialogTextWindow
String ID: LICENSEDLG
API String ID: 3077722735-2177901306
Opcode ID: 6bfcff4c66a1db860c958e75744a0e2b5c38211977e8521636f0dedf30cd1e42
Instruction ID: 050d0d5eae4e34fbe59e3096792e922bc7cef922e2fba7e2b7f83264303daacb
Opcode Fuzzy Hash: 6bfcff4c66a1db860c958e75744a0e2b5c38211977e8521636f0dedf30cd1e42
Instruction Fuzzy Hash: 5621B031249304FBD2517F259D4DFAB3FADEB86B86F080114F601E62A1C662AA098B75

Function 00D77818 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D7783D

Part of subcall function 00D7067E: GetVersionExW.KERNEL32(?), ref: 00D706AF

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00D77860
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00D77872
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D77883
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D77893
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D778A3
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00D778DE
__aullrem.LIBCMT ref: 00D77984

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: b478b4afba85515c1f123ac35aa4e4133067132be6759035f597b0a83e125d41
Instruction ID: 79c849404d95e3cc3c7bb58ed91c49e044ddbad51c1dca305c4d40e741273051
Opcode Fuzzy Hash: b478b4afba85515c1f123ac35aa4e4133067132be6759035f597b0a83e125d41
Instruction Fuzzy Hash: F05105B1508305AFD710DF65C88496BFBE9FB88714F408E2EF59AD2251E734E948CB62

Function 00D70E49 Relevance: 10.7, APIs: 7, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D70E50
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00D70E85
GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00D70EC4
_wcslen.LIBCMT ref: 00D70ED4
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00D70F51
GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00D70F93
_wcslen.LIBCMT ref: 00D70FA3

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FullNamePath$_wcslen$H_prolog3_
String ID:
API String ID: 840513527-0
Opcode ID: 1f219cf765dd14516ec0f068182ec8785292363cfb8a1e5cf4663a2115bbafb8
Instruction ID: 05ce51bca45f1f78fcc93ca9054b1125ab7c3bcc167e2a117a588ac8d8d079bc
Opcode Fuzzy Hash: 1f219cf765dd14516ec0f068182ec8785292363cfb8a1e5cf4663a2115bbafb8
Instruction Fuzzy Hash: 09615C75D00208EBDB14DFA8D985EEEBBB9EF89710F18811AF414E7290EB349944CB71

Function 00D96239 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00D969AE,?,00000000,?,00000000,00000000), ref: 00D9627B
__fassign.LIBCMT ref: 00D962F6
__fassign.LIBCMT ref: 00D96311
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00D96337
WriteFile.KERNEL32(?,?,00000000,00D969AE,00000000,?,?,?,?,?,?,?,?,?,00D969AE,?), ref: 00D96356
WriteFile.KERNEL32(?,?,00000001,00D969AE,00000000,?,?,?,?,?,?,?,?,?,00D969AE,?), ref: 00D9638F

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8f9737d8e08a9ae6a6ddd8090d676fbb22a1b2865070f9479b90decbc359ca68
Instruction ID: 6821eb9ac91c36e3f0e5faeb740a2d435e8b1d665b36fa9e609c3396c1bb440d
Opcode Fuzzy Hash: 8f9737d8e08a9ae6a6ddd8090d676fbb22a1b2865070f9479b90decbc359ca68
Instruction Fuzzy Hash: 4A516F71A00249DFDF10CFA8D855AEEBBF8EB49310F18411AE956E7291E771E941CB70

Function 00D893C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D893F7
___except_validate_context_record.LIBVCRUNTIME ref: 00D893FF
_ValidateLocalCookies.LIBCMT ref: 00D89488
__IsNonwritableInCurrentImage.LIBCMT ref: 00D894B3
_ValidateLocalCookies.LIBCMT ref: 00D89508

Strings

csm, xrefs: 00D8949D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ffac9c0c3331f103c683ba21c0d20d99fb4802fede3d016cd456a363243bd581
Instruction ID: 4e7eee0520da0025b7d5caa29188167b706ddcbc64e2a4690fff24be3b9b9c2b
Opcode Fuzzy Hash: ffac9c0c3331f103c683ba21c0d20d99fb4802fede3d016cd456a363243bd581
Instruction Fuzzy Hash: 38419334A002089FCF10EF6CC894AAEBBB5FF45314F188155E855AB392D771E906CBB1

Function 00D7E265 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D7E26C
ShowWindow.USER32(?,00000000,00000038), ref: 00D7E294
GetWindowRect.USER32(?,?), ref: 00D7E2D8
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D7E373
ShowWindow.USER32(00000000,00000005), ref: 00D7E394

Strings

RarHtmlClassName, xrefs: 00D7E334

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Window$Show$H_prolog3_Rect
String ID: RarHtmlClassName
API String ID: 950582801-1658105358
Opcode ID: 494a0bf6f997af51a7ec5a32b0d9690505d8dacb5061963bb7a1606d2b318b1a
Instruction ID: 8e6d5fe36e328b6dc5eccf08efdf04d451da72674c4f7f1d92cf4a6646dd070b
Opcode Fuzzy Hash: 494a0bf6f997af51a7ec5a32b0d9690505d8dacb5061963bb7a1606d2b318b1a
Instruction Fuzzy Hash: 08416D71900204EFDF11AFA8DC89A9E7BB9EF48301F188195F908EB255EB349941CB70

Function 00D93554 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D93518: _free.LIBCMT ref: 00D93541

_free.LIBCMT ref: 00D935A2

Part of subcall function 00D903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?), ref: 00D903EA
Part of subcall function 00D903D4: GetLastError.KERNEL32(?,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?,?), ref: 00D903FC

_free.LIBCMT ref: 00D935AD
_free.LIBCMT ref: 00D935B8
_free.LIBCMT ref: 00D9360C
_free.LIBCMT ref: 00D93617
_free.LIBCMT ref: 00D93622
_free.LIBCMT ref: 00D9362D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
Instruction ID: b85f1fb7ddbf9a9115e36ca578075d94248d494e7338ea96ca61915f83bb056c
Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
Instruction Fuzzy Hash: E411C671940B04BBDF70BBB0DC46FCB7B9CEF08700F414915B299A6192DAB6EA0587B0

Function 00D84D5F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D84DDA,00D84D3D,00D84FDE), ref: 00D84D76
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D84D8C
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D84DA1

Strings

ReleaseSRWLockExclusive, xrefs: 00D84D96
AcquireSRWLockExclusive, xrefs: 00D84D86
KERNEL32.DLL, xrefs: 00D84D71

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: b1253141c4431b07389c6dce5473c712b46ad8d48a53490a84cef6720af75e12
Instruction ID: 4318ad16be19c957b9a9321ef129b777199e304a0c1f59b7c531fc9bc29045ac
Opcode Fuzzy Hash: b1253141c4431b07389c6dce5473c712b46ad8d48a53490a84cef6720af75e12
Instruction Fuzzy Hash: 34F0F631711B23FB4F62BFB56C8477623DCAA0571571C0639DA41D2380E610CC124BB0

Function 00D91609 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D8C5A2,00D8C5A2,?,?,?,00D9185A,00000001,00000001,C5E85006), ref: 00D91663
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D9185A,00000001,00000001,C5E85006,?,?,?), ref: 00D916E9
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D917E3
__freea.LIBCMT ref: 00D917F0

Part of subcall function 00D9040E: RtlAllocateHeap.NTDLL(00000000,00D8535E,?,?,00D86C16,?,?,?,?,?,00D85269,00D8535E,?,?,?,?), ref: 00D90440

__freea.LIBCMT ref: 00D917F9
__freea.LIBCMT ref: 00D9181E

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 29f2d65f7a0b2e9089c6e6877c9bb1b529a3485152bfaedf84ca97f3f3f34768
Instruction ID: df507dffee8317901f4327c4b5c76cf088df79f03fe68e4cdd72377c102f5568
Opcode Fuzzy Hash: 29f2d65f7a0b2e9089c6e6877c9bb1b529a3485152bfaedf84ca97f3f3f34768
Instruction Fuzzy Hash: 9F51B17A600217AFEF259FA4CC81EBB77AAEB44750F194629FC05D6250EB34DC50D6B0

Function 00D77AA3 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00D77B06

Part of subcall function 00D7067E: GetVersionExW.KERNEL32(?), ref: 00D706AF

LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00D77B2A
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00D77B44
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00D77B57
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00D77B67
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00D77B77

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 89f504aab82006f97c98ac1c606cf10e7262dc5e6f3eba4129f6384fd4e239c7
Instruction ID: e543aabb8c6f4ee3a2a76d6f2553a67779960d1bcec19cb89c8ffb8763f3b0e2
Opcode Fuzzy Hash: 89f504aab82006f97c98ac1c606cf10e7262dc5e6f3eba4129f6384fd4e239c7
Instruction Fuzzy Hash: 984106761183159BC704DFA8C88499BB7E8FF98714F04991EF999C7320E730D949CBAA

Function 00D7F33B Relevance: 9.1, APIs: 6, Instructions: 102timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,7889FE40,?,?,?,?,00D9AA27,000000FF), ref: 00D7F38A
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,00D9AA27,000000FF), ref: 00D7F399
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,00D9AA27,000000FF), ref: 00D7F3A7
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00D9AA27,000000FF), ref: 00D7F3B5
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,00D9AA27,000000FF), ref: 00D7F3D0
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,00D9AA27,000000FF), ref: 00D7F3FA

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific
String ID:
API String ID: 909090443-0
Opcode ID: 0f1a8640287635e22dc3301313347bc1683f9509b19d5d5f9f08c34241bcd6a1
Instruction ID: 27ec6acd203d7b06eda2c7d09ec9775a9a73c2473f20fc98ef96ab2d5b4f46ee
Opcode Fuzzy Hash: 0f1a8640287635e22dc3301313347bc1683f9509b19d5d5f9f08c34241bcd6a1
Instruction Fuzzy Hash: 54311CB2510288AFDB20DFA4DC45EEF77ACFB19704F04412AF906D6241EB74AA08CB70

Function 00D8977A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D89771,00D896CC,00D86A64), ref: 00D89788
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D89796
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D897AF
SetLastError.KERNEL32(00000000,00D89771,00D896CC,00D86A64), ref: 00D89801

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ae85175b9d340216b1c0c465fb715d02c455afd062e32544f1080d0e8b683413
Instruction ID: 7f2871c5f31f34c8f5c241ebb745f573a6aad222beebd0c5400bc6c1937427e3
Opcode Fuzzy Hash: ae85175b9d340216b1c0c465fb715d02c455afd062e32544f1080d0e8b683413
Instruction Fuzzy Hash: 3501247213D3129EA6243F796CB557AA794EB02371739032AF061952E0EF118C00D3B0

Function 00D90005 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D8B581,?,00DAE088,?,00D8AE80,?,00DAE088,?,00000007), ref: 00D90009
_free.LIBCMT ref: 00D9003C
_free.LIBCMT ref: 00D90064
SetLastError.KERNEL32(00000000,00DAE088,?,00000007), ref: 00D90071
SetLastError.KERNEL32(00000000,00DAE088,?,00000007), ref: 00D9007D
_abort.LIBCMT ref: 00D90083

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 67482fd272156d9b1abbdd5c45fe672ef8a98f1b5f6bd8f4f657679b26001a4e
Instruction ID: 9c97e3ba7c018b62a03c66afb25ddfb3020f0bc89b14879595f165ad040ab0c5
Opcode Fuzzy Hash: 67482fd272156d9b1abbdd5c45fe672ef8a98f1b5f6bd8f4f657679b26001a4e
Instruction Fuzzy Hash: 0FF06836104701AFCF227778BC06F6B2E5ADFC2771F290115F55DD2292EE7988468674

Function 00D83FCF Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D83FDB
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D83FF5
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D84006
TranslateMessage.USER32(?), ref: 00D84010
DispatchMessageW.USER32(?), ref: 00D8401A
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D84025

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 3f0424ef0d40db4158fefb427bd16381b4fe3d9a46f14f7a43fb698570bc3619
Instruction ID: 104dc9c14976c57a30b7cb7c27903b36673e177c1bbc6bd4ede186a3e13e3aa2
Opcode Fuzzy Hash: 3f0424ef0d40db4158fefb427bd16381b4fe3d9a46f14f7a43fb698570bc3619
Instruction Fuzzy Hash: 7EF03C72E0122AEBCB206BA1EC4CEDF7E7DEF81791F044112B60AE2150E6349541CBB0

Function 00D82493 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 216windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000066), ref: 00D826A9
SendMessageW.USER32(00000000,00000143,00000000,00DB5380), ref: 00D826D6
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D82702

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00D825F4
ProgramFilesDir, xrefs: 00D825E0

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: MessageSend$Item
String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3888421826-2634093826
Opcode ID: 32b108c7212bf95b4022d646cc7c241fe0b486b61e1564cfbe6d9790b290687d
Instruction ID: d797bb3ac949b0d2871333e3280ed12d9d51a1093683a14d326933e3c9689291
Opcode Fuzzy Hash: 32b108c7212bf95b4022d646cc7c241fe0b486b61e1564cfbe6d9790b290687d
Instruction Fuzzy Hash: D5814A35940258DBDF24EBE4C891BEDB7B8EF18310F080199E546B7281EB705B89CB70

Function 00D7DC95 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D7DC9C
_wcslen.LIBCMT ref: 00D7DD61
_wcslen.LIBCMT ref: 00D7DDAC

Strings

<br>, xrefs: 00D7DD5C, 00D7DD68
 , xrefs: 00D7DDA7, 00D7DDB3

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _wcslen$H_prolog3
String ID:  $<br>
API String ID: 1035939448-26742755
Opcode ID: f6c4ff357b05c576be7117f5af0812db5e6bb40effb242c74d52a83e3f75e568
Instruction ID: f6c84a7e851fcc46355fb85efd78628f5bc9da03abf5e762dd73e9931125b859
Opcode Fuzzy Hash: f6c4ff357b05c576be7117f5af0812db5e6bb40effb242c74d52a83e3f75e568
Instruction Fuzzy Hash: 41411830B003119BDB25AF54D981A2D7773FFA5704F64C42AE40A9B281FBB599928BF1

Function 00D807E5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00D807F5
GetObjectW.GDI32(00000000,00000018,?), ref: 00D8081A
DeleteObject.GDI32(00000000), ref: 00D8084C
DeleteObject.GDI32(00000000), ref: 00D8086F

Part of subcall function 00D7EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D80845,00000066), ref: 00D7EBE6
Part of subcall function 00D7EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00D80845,00000066), ref: 00D7EBFD
Part of subcall function 00D7EBD3: LoadResource.KERNEL32(00000000,?,?,?,00D80845,00000066), ref: 00D7EC14
Part of subcall function 00D7EBD3: LockResource.KERNEL32(00000000,?,?,?,00D80845,00000066), ref: 00D7EC23
Part of subcall function 00D7EBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D80845,00000066), ref: 00D7EC3E
Part of subcall function 00D7EBD3: GlobalLock.KERNEL32(00000000), ref: 00D7EC4F
Part of subcall function 00D7EBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D7EC73
Part of subcall function 00D7EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D7ECB8
Part of subcall function 00D7EBD3: GlobalUnlock.KERNEL32(00000000), ref: 00D7ECD7
Part of subcall function 00D7EBD3: GlobalFree.KERNEL32(00000000), ref: 00D7ECDE

Strings

], xrefs: 00D80822

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: ff42c1431ef3e38f7b22764451dd2282c0f25573464e5480ecd5e9d29c73d72d
Instruction ID: 06b1a0b2e810d1db3ec4389ada4a9b91da1852bf5f016a78f9948d770aa7d81f
Opcode Fuzzy Hash: ff42c1431ef3e38f7b22764451dd2282c0f25573464e5480ecd5e9d29c73d72d
Instruction Fuzzy Hash: 1401CC32940205E7EB1277A49C0AA6F7B7AEFC4B51F090165F904A73D1EB71CC0996F0

Function 00D8ED2F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D8ECE0,00000000,?,00D8EC80,00000000,00DA6F40,0000000C,00D8EDD7,00000000,00000002), ref: 00D8ED4F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D8ED62
FreeLibrary.KERNEL32(00000000,?,?,?,00D8ECE0,00000000,?,00D8EC80,00000000,00DA6F40,0000000C,00D8EDD7,00000000,00000002), ref: 00D8ED85

Strings

mscoree.dll, xrefs: 00D8ED48
CorExitProcess, xrefs: 00D8ED5A

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0fea3be5b5b2ac939aebf1778e4ce78ba05b16be17267470fcbd4127bd77c40e
Instruction ID: 3d840ce8aad03646203c07743d3d043562a6a24700422e85561bb99f48a459e6
Opcode Fuzzy Hash: 0fea3be5b5b2ac939aebf1778e4ce78ba05b16be17267470fcbd4127bd77c40e
Instruction Fuzzy Hash: 9EF03C34A10218FBCB11AFA5DC49BAEBFB5EB08725F444169B809E6250CB704945CBB0

Function 00D75094 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D76C5E: __EH_prolog3_GS.LIBCMT ref: 00D76C65
Part of subcall function 00D76C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00D76C9A

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D750B3
GetProcAddress.KERNEL32(00DB51F8,CryptUnprotectMemory), ref: 00D750C3

Strings

CryptProtectMemory, xrefs: 00D750AD
CryptUnprotectMemory, xrefs: 00D750B9
Crypt32.dll, xrefs: 00D7509D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AddressProc$DirectoryH_prolog3_System
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 270589589-1753850145
Opcode ID: 4c52af9bb196331ed555f0b0877a33981bdb4d9f7f4768696eaf88dace8db17d
Instruction ID: b8990d43c4fc75e61c23ee128ac29cacb4696d2f5c3bba0d36f7e7a5265b4133
Opcode Fuzzy Hash: 4c52af9bb196331ed555f0b0877a33981bdb4d9f7f4768696eaf88dace8db17d
Instruction Fuzzy Hash: 3AE04F70820B11DECB315B74EC097467ED4AF04714F14D82EA4DDD3641E6B4E4448BB0

Function 00D8985A Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D89921
___AdjustPointer.LIBCMT ref: 00D89944
_abort.LIBCMT ref: 00D89992
___AdjustPointer.LIBCMT ref: 00D899E0

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: fd53fb139309a47934273caa25412b3e6072fe79c592f7ff9fcb46afc77519bc
Instruction ID: 897a9191640876ec6159210eefc40da390678cafcd7642a5f4a391a241740ffc
Opcode Fuzzy Hash: fd53fb139309a47934273caa25412b3e6072fe79c592f7ff9fcb46afc77519bc
Instruction Fuzzy Hash: FA51B172A01206AFDB29BF54D861BBAF7A4EF40710F1C452DE88597291E731ED85CBB0

Function 00D6F3BE Relevance: 7.7, APIs: 5, Instructions: 161filetimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6F3C5
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,00D6B749,?,?,?,?,?,?), ref: 00D6F450
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00D6F4A7
SetFileTime.KERNEL32(?,?,?,?), ref: 00D6F569
CloseHandle.KERNEL32(?), ref: 00D6F570

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: File$Create$CloseH_prolog3_HandleTime
String ID:
API String ID: 4002707884-0
Opcode ID: dfd39d346a8ece57624952d541ec5eb5f4726e07b51316ad8fc134c6822cf3a4
Instruction ID: 5434d9c29dbea439c5676838a362da03899e5ae9648e29866e476c094cb064d3
Opcode Fuzzy Hash: dfd39d346a8ece57624952d541ec5eb5f4726e07b51316ad8fc134c6822cf3a4
Instruction Fuzzy Hash: 7A519F71900648ABDF14DFE8E885BEEBBB5AF48310F284529F551F7280DB34AA45CB34

Function 00D92BE0 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D92BE9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D92C0C

Part of subcall function 00D9040E: RtlAllocateHeap.NTDLL(00000000,00D8535E,?,?,00D86C16,?,?,?,?,?,00D85269,00D8535E,?,?,?,?), ref: 00D90440

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D92C32
_free.LIBCMT ref: 00D92C45
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D92C54

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 2fc94aa1501e8242e2b6cc40e0951428ba4bd1faa523e3f36a49c41b77955000
Instruction ID: c1a1582b356cc528a18434e5a780b7537b9a1dc676c4285e4e7595a457928966
Opcode Fuzzy Hash: 2fc94aa1501e8242e2b6cc40e0951428ba4bd1faa523e3f36a49c41b77955000
Instruction Fuzzy Hash: 1001A2726017157F3B252AB66C8CC7F7E6DDEC6BA1319012AF944E6211DA60CC0192B4

Function 00D90089 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00D8535E,00D8535E,?,00D901D8,00D90451,?,?,00D86C16,?,?,?,?,?,00D85269,00D8535E,?), ref: 00D9008E
_free.LIBCMT ref: 00D900C3
_free.LIBCMT ref: 00D900EA
SetLastError.KERNEL32(00000000,?,00D8535E), ref: 00D900F7
SetLastError.KERNEL32(00000000,?,00D8535E), ref: 00D90100

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9105fab82e7f5bc371ef56b5fa74926b99500263075d0525b06893b54cdd4556
Instruction ID: 781af7aebfbe358bbf81c6740f3c229ccfa78478526611afeadec5b6e959fe5e
Opcode Fuzzy Hash: 9105fab82e7f5bc371ef56b5fa74926b99500263075d0525b06893b54cdd4556
Instruction Fuzzy Hash: BA01F436245701AF8F227774BD86A2B2D6ADFC2771B2A0125F54DE2292EE74C8059270

Function 00D934AF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D934C7

Part of subcall function 00D903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?), ref: 00D903EA
Part of subcall function 00D903D4: GetLastError.KERNEL32(?,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?,?), ref: 00D903FC

_free.LIBCMT ref: 00D934D9
_free.LIBCMT ref: 00D934EB
_free.LIBCMT ref: 00D934FD
_free.LIBCMT ref: 00D9350F

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d0f7ed4b3cff8aa241797812aa86dfb864bc59892e34c6857fa91dc5cf4acdc3
Instruction ID: 870920f5ccbb3c8606ce0c0b9ff83ae39345b6f90a91bf10b4f274d5d7309764
Opcode Fuzzy Hash: d0f7ed4b3cff8aa241797812aa86dfb864bc59892e34c6857fa91dc5cf4acdc3
Instruction Fuzzy Hash: F2F01272505200AB8F60EBA8F886C56B7D9EF4571075E4905F418E7A01CB71FE80C7B0

Function 00D8F7C0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D8F7DE

Part of subcall function 00D903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?), ref: 00D903EA
Part of subcall function 00D903D4: GetLastError.KERNEL32(?,?,00D93546,?,00000000,?,00000000,?,00D9356D,?,00000007,?,?,00D9396A,?,?), ref: 00D903FC

_free.LIBCMT ref: 00D8F7F0
_free.LIBCMT ref: 00D8F803
_free.LIBCMT ref: 00D8F814
_free.LIBCMT ref: 00D8F825

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f70738aacbda275d06e591488e3a4dc05ac33e8d2a9ec42f4a33752eebf35778
Instruction ID: 4674844f5f639d34f86ed31bfda951d12ae64a6627605acbd5798697fe59356a
Opcode Fuzzy Hash: f70738aacbda275d06e591488e3a4dc05ac33e8d2a9ec42f4a33752eebf35778
Instruction Fuzzy Hash: 5EF0FE71811320EF9B11AF24BC524087BE1FB15B25319031AF419E67B6CB7A9942CBF1

Function 00D82F8D Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 350COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D831A4

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Strings

lnk, xrefs: 00D83165
.lnk, xrefs: 00D8319E, 00D831AB
0, xrefs: 00D83261

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _wcslen
String ID: .lnk$0$lnk
API String ID: 176396367-906397761
Opcode ID: e7c92b828e562dbf9e50e7db63ec19f04e76e95244c933c70fe2ed8bbafc1f18
Instruction ID: 5098e09c7cbfbe1bac5188689e9a8dc96150fc748743115ee3d9ca8a04df6fb5
Opcode Fuzzy Hash: e7c92b828e562dbf9e50e7db63ec19f04e76e95244c933c70fe2ed8bbafc1f18
Instruction Fuzzy Hash: 5FE10671D002589FDB24EBA4CC85BDDB7B8EF08300F5445AAE549A7291EB749B88CF70

Function 00D82B26 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00D82B66

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Part of subcall function 00D70BF3: _wcslen.LIBCMT ref: 00D70C03

EndDialog.USER32(?,00000001), ref: 00D82EDA

Strings

@set:user, xrefs: 00D82D20
, xrefs: 00D82E88

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _wcslen$DialogPathTemp
String ID: $@set:user
API String ID: 2172748170-1503366402
Opcode ID: 40595942727304992b49787ec7e029890405d4e45cc00d10e0cdd2d754bfc5ff
Instruction ID: 14c6d0726bc6d6cfda44b80761d7b4d68526b63bb6eb6124716f4aa381c5899a
Opcode Fuzzy Hash: 40595942727304992b49787ec7e029890405d4e45cc00d10e0cdd2d754bfc5ff
Instruction Fuzzy Hash: 32C12674801299DBDF21EBA4DC45BEDBBB8AF15300F08419AE449B3292DB705B89CF71

Function 00D81F82 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D71309: __EH_prolog3.LIBCMT ref: 00D71310
Part of subcall function 00D71309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00D717FB,?,?,\\?\,7889FE40,?,?,?,00000000,00D9A279,000000FF), ref: 00D71319

Part of subcall function 00D71AD1: __EH_prolog3_GS.LIBCMT ref: 00D71AD8

Part of subcall function 00D6F763: __EH_prolog3_GS.LIBCMT ref: 00D6F76A

Part of subcall function 00D6F58B: __EH_prolog3_GS.LIBCMT ref: 00D6F592
Part of subcall function 00D6F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,00D6A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00D6F5A8
Part of subcall function 00D6F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049), ref: 00D6F5EB

SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00D82137
MoveFileW.KERNEL32(?,?), ref: 00D822BE
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00D822D8

Part of subcall function 00D714CC: __EH_prolog3_GS.LIBCMT ref: 00D714D3

Strings

.tmp, xrefs: 00D8222B

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
String ID: .tmp
API String ID: 1688541384-2986845003
Opcode ID: 10955cb5718e418d7f5a5e2cd0b97becaccc81fd880549ab7efe72be3952732a
Instruction ID: 64af873ce70bb8f76d3f83aacb69ee91432305a3bba5634a02bd4cf83f4161b7
Opcode Fuzzy Hash: 10955cb5718e418d7f5a5e2cd0b97becaccc81fd880549ab7efe72be3952732a
Instruction Fuzzy Hash: BCC1C0758002689ADB61EFA4CC85BDDB7B8BF08304F5441EAE449A3251DB345B89CF71

Function 00D6A300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6A307
GetLastError.KERNEL32(00000054,?,?,?,?,?,00D6D303,?,?,?,?,?,?,?,7889FE40,00000049), ref: 00D6A427

Part of subcall function 00D6AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D6AC2E
Part of subcall function 00D6AC11: GetLastError.KERNEL32 ref: 00D6AC72
Part of subcall function 00D6AC11: CloseHandle.KERNEL32(?), ref: 00D6AC81

Strings

SeRestorePrivilege, xrefs: 00D6A356
SeSecurityPrivilege, xrefs: 00D6A341

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2235100918-639343689
Opcode ID: df1b8fad912452f89c76a61116f52b6fa0131ad67255d6f7009535fac694f008
Instruction ID: 81cae95556bbaebc431b22bdea5d02aed48b2fdcfad3006d76c8717a7dae4345
Opcode Fuzzy Hash: df1b8fad912452f89c76a61116f52b6fa0131ad67255d6f7009535fac694f008
Instruction Fuzzy Hash: 63411A71E10208AFDF14EBACE985AEDB7B8EB49314F04402AF545B7341DBB5A944CB36

Function 00D8EE2A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1wYGO0mAN2.exe,00000104), ref: 00D8EE6A
_free.LIBCMT ref: 00D8EF35
_free.LIBCMT ref: 00D8EF3F

Strings

C:\Users\user\Desktop\1wYGO0mAN2.exe, xrefs: 00D8EE61, 00D8EE68, 00D8EE97, 00D8EECF

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\1wYGO0mAN2.exe
API String ID: 2506810119-3236848191
Opcode ID: ba88b395856f9ae8ceb2de68bbb179d0b68d51f6902ab81474ca3f4cc17bef75
Instruction ID: eb15d0f5955ba10cca4f7560ae60a94066f08e6d3f4dd7388690ed8adc16ef56
Opcode Fuzzy Hash: ba88b395856f9ae8ceb2de68bbb179d0b68d51f6902ab81474ca3f4cc17bef75
Instruction Fuzzy Hash: 41316B71A04358EFCB22AB999C8199EBBFCEF85714F1441A6F904E7211D7709A40DFB0

Function 00D89E56 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D89E7B
_abort.LIBCMT ref: 00D89F86

Strings

MOC, xrefs: 00D89E8D
RCC, xrefs: 00D89E95

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 0f4cc5edb3595b304d8ada5c17edae69b683b25799810baaf57fc33ac89024ab
Instruction ID: fab92c4ea7663ffc4b1f841e3d0644737a7de182d63a8b5fe5ce822e86038799
Opcode Fuzzy Hash: 0f4cc5edb3595b304d8ada5c17edae69b683b25799810baaf57fc33ac89024ab
Instruction Fuzzy Hash: 14418B71900209AFCF1AEF98CD91AEEBBB5FF48304F1C4199FA44A7221D3359A51DB60

Function 00D7338E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00D7340E
_strncpy.LIBCMT ref: 00D73459

Part of subcall function 00D789ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00DAE088,?,00000007,00D733E2,?,?,00000050,7889FE40), ref: 00D78A0A

Strings

$%s, xrefs: 00D73403
@%s, xrefs: 00D733F8

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: c288ee11e6cdcbaceb9a3ac19bf6d56b1d569a01cdf317c2e6069deda86e22c1
Instruction ID: 1b74e930ed3d78591fb0d56f9e7c6b23c0dbe574ad9c52cd0341fca7ed1be09a
Opcode Fuzzy Hash: c288ee11e6cdcbaceb9a3ac19bf6d56b1d569a01cdf317c2e6069deda86e22c1
Instruction Fuzzy Hash: 7221A07250070DAFDB15DEA8CC45EAE7BA8FB04300F088525FA18D7281E731EA15DB70

Function 00D7F8F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D7F8F7

Part of subcall function 00D61E44: GetDlgItem.USER32(00000000,00003021), ref: 00D61E88
Part of subcall function 00D61E44: SetWindowTextW.USER32(00000000,00D9C6C8), ref: 00D61E9E

EndDialog.USER32(?,00000001), ref: 00D7F99F
SetDlgItemTextW.USER32(?,00000066,00000000), ref: 00D7F9E1

Strings

ASKNEXTVOL, xrefs: 00D7F909

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ItemText$DialogH_prolog3_Window
String ID: ASKNEXTVOL
API String ID: 2321058237-3402441367
Opcode ID: eff524976f5e3ff58f464bf795af16435f26dc0de7ca132710ed1d0d1f2da272
Instruction ID: 8f99701a4c25fcb3d8ff0aec8564fb27d76b2f12f1c525dcd950a6e19dcb15eb
Opcode Fuzzy Hash: eff524976f5e3ff58f464bf795af16435f26dc0de7ca132710ed1d0d1f2da272
Instruction Fuzzy Hash: FA210A36650204EFDB24EFA8DC46FAD37A8EB46300F148025F6459B2A5D731DA05CF76

Function 00D77445 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D6FEBD,00000008,00000004,00D72D42,?,?,?,?,00000000,00D7ABB6,?), ref: 00D77484
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D6FEBD,00000008,00000004,00D72D42,?,?,?,?,00000000), ref: 00D7748E
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D6FEBD,00000008,00000004,00D72D42,?,?,?,?,00000000), ref: 00D7749E

Strings

Thread pool initialization failed., xrefs: 00D774B6

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: b009d4f6b23f562787e925906244eef6e61788b433535537f76c591f6df5e402
Instruction ID: 5524239e8608aa4907644319bcb2073dc1863bfda763eadff513c1f7ade7a2c9
Opcode Fuzzy Hash: b009d4f6b23f562787e925906244eef6e61788b433535537f76c591f6df5e402
Instruction Fuzzy Hash: 8B1191B1604709AFC3215F669C849A7FBECFB59748F144C2EF1DEC2200E6B059808B74

Function 00D8406A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00D840B8, 00D840F2
RENAMEDLG, xrefs: 00D840CB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 2914fe7d68313059178202cb1f625be1c27c5aa08b5d94e6029112aa6c481d0f
Instruction ID: 924c451d071d7d747d44e72cb538dd3d74d1c77ac90ec7b4992af00d06c0900c
Opcode Fuzzy Hash: 2914fe7d68313059178202cb1f625be1c27c5aa08b5d94e6029112aa6c481d0f
Instruction Fuzzy Hash: 49113C35304302EFD711EF29FC48A277BE9E749792B08452AFA86C3324D6719844DB71

Function 00D8A892 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D8A843,00000000,?,00DB6150,?,?,?,00D8A9E6,00000004,InitializeCriticalSectionEx,00D9F7F4,InitializeCriticalSectionEx), ref: 00D8A89F
GetLastError.KERNEL32(?,00D8A843,00000000,?,00DB6150,?,?,?,00D8A9E6,00000004,InitializeCriticalSectionEx,00D9F7F4,InitializeCriticalSectionEx,00000000,?,00D8A79D), ref: 00D8A8A9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D8A8D1

Strings

api-ms-, xrefs: 00D8A8B6

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: bf5fd7ecc6bb1bcb90dd2996f7a7d7daad6e30fffe86e0593da4484e24f2ffe5
Instruction ID: 7fe5e9db7dcf64353020af6e0ca9dc091dab01e30d88abb2c548e76eaeb56dd4
Opcode Fuzzy Hash: bf5fd7ecc6bb1bcb90dd2996f7a7d7daad6e30fffe86e0593da4484e24f2ffe5
Instruction Fuzzy Hash: 4BE04F30280305BBEF202BA0EC06B183BA9AB10B91F140032F90DE85E0D7619851ABBA

Function 00D907EA Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D90875
__alldvrm.LIBCMT ref: 00D90A76
__alldvrm.LIBCMT ref: 00D90A98

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
Instruction ID: 80deccb02e0bb37fc17f2c591ecddc1d878e6f53edb5d10a086d4039d3f3d0c8
Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
Instruction Fuzzy Hash: 84A14772A04386AFEF11DF28D8917AEBFE5EF55310F1C41A9E5959B282C6348D41CBB0

Function 00D93638 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D90481,?,00000000,?,00000001,?,?,00000001,00D90481,?), ref: 00D93685
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D9370E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D8DBD1,?), ref: 00D93720
__freea.LIBCMT ref: 00D93729

Part of subcall function 00D9040E: RtlAllocateHeap.NTDLL(00000000,00D8535E,?,?,00D86C16,?,?,?,?,?,00D85269,00D8535E,?,?,?,?), ref: 00D90440

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d28eb17b82c7e69dbbe93cbd2b14fa00b1885b8965f8350d5bd9fc6820976c48
Instruction ID: 778060a9479e91e86957c0b9daf91a56229fb5f60d257beb229f228f97aaaec4
Opcode Fuzzy Hash: d28eb17b82c7e69dbbe93cbd2b14fa00b1885b8965f8350d5bd9fc6820976c48
Instruction Fuzzy Hash: 1F31A1B2A1020AABDF259F64DC85DAE7BA5EF44750F184169FC04D7250EB35CE51CBB0

Function 00D762CD Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D762D4
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00D762EB
ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00D76328
_wcslen.LIBCMT ref: 00D76338

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: EnvironmentExpandStrings$H_prolog3_wcslen
String ID:
API String ID: 3741103063-0
Opcode ID: 68bffdc2ffe72dc3e06804b4e4c83881437294383b7cc4153336d038b0c4e456
Instruction ID: 610994c50fbb3726d05fba658a13d70d2939b10ed500a9f310b1cd68ad8f0df0
Opcode Fuzzy Hash: 68bffdc2ffe72dc3e06804b4e4c83881437294383b7cc4153336d038b0c4e456
Instruction Fuzzy Hash: A7119E70A0160AAF9B00AFA89D859BFBB79FF45310B18811DA419E7241FB34ED10CBB4

Function 00D7126C Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D71273

Part of subcall function 00D7067E: GetVersionExW.KERNEL32(?), ref: 00D706AF

FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,00D6350C,7889FE68,00000000,?,?,00D643F5,?,?,?,00000000), ref: 00D7129A
FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 00D712D4
_wcslen.LIBCMT ref: 00D712DF

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FoldString$H_prolog3Version_wcslen
String ID:
API String ID: 535866816-0
Opcode ID: 33ea98e7540427272e3ff709c0ac8d252cc86f1c5c02a183b6907c152958b4c2
Instruction ID: 0de1de4a1e6a2aaf5c8c2a281228570c30ea578e2548169999bbf45e03ed031a
Opcode Fuzzy Hash: 33ea98e7540427272e3ff709c0ac8d252cc86f1c5c02a183b6907c152958b4c2
Instruction Fuzzy Hash: 63119175A11226ABDB009BAD8D4A96F7BA9EF05720F144309B814E72C1EB70994087F5

Function 00D919E4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00D9198B,00000000,00000000,00000000,00000000,?,00D91B88,00000006,FlsSetValue), ref: 00D91A16
GetLastError.KERNEL32(?,00D9198B,00000000,00000000,00000000,00000000,?,00D91B88,00000006,FlsSetValue,00DA0DD0,FlsSetValue,00000000,00000364,?,00D900D7), ref: 00D91A22
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D9198B,00000000,00000000,00000000,00000000,?,00D91B88,00000006,FlsSetValue,00DA0DD0,FlsSetValue,00000000), ref: 00D91A30

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 21797363955fe94c5ffb2aa7165786499a350fa7db30c0835b0288565ce8f6ad
Instruction ID: 392b21dad2688d424bf79bdaf0d19682d39e9f39cffb4046d78c92d48a57274e
Opcode Fuzzy Hash: 21797363955fe94c5ffb2aa7165786499a350fa7db30c0835b0288565ce8f6ad
Instruction Fuzzy Hash: 7501F73A6563339BCB218BB99C44A567B98AF057A1B150620F90AD3380C730DC02C6F4

Function 00D71309 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D71310
GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00D717FB,?,?,\\?\,7889FE40,?,?,?,00000000,00D9A279,000000FF), ref: 00D71319
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,00D9A279,000000FF), ref: 00D71348
_wcslen.LIBCMT ref: 00D71351

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CurrentDirectory$H_prolog3_wcslen
String ID:
API String ID: 19219720-0
Opcode ID: b1c4ba04549079336de6957965c5c125f0e6513d8541d94591e53f5005ae6d5b
Instruction ID: b57f1409f4a1bc92bf7ced11eceb419fb2831e6e74241672044188baed3a0581
Opcode Fuzzy Hash: b1c4ba04549079336de6957965c5c125f0e6513d8541d94591e53f5005ae6d5b
Instruction Fuzzy Hash: 3501A276900216AB8B10AFFC9D558BFBB79EF85720B14430AB515E7245DF34890087F0

Function 00D8631E Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00D862BB,00000064), ref: 00D86341
LeaveCriticalSection.KERNEL32(00DB60E0,?,?,00D862BB,00000064,?,?,?,?,00000000,00D9A75D,000000FF), ref: 00D8634B
WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,00D862BB,00000064,?,?,?,?,00000000,00D9A75D,000000FF), ref: 00D8635C
EnterCriticalSection.KERNEL32(00DB60E0,?,00D862BB,00000064,?,?,?,?,00000000,00D9A75D,000000FF), ref: 00D86363

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 651db59c28850e1e9d34a302843967cf52644ffdc6cb298b96719fa5d3e28d65
Instruction ID: 2d51684b57ed461af152533d8cf18445deb1093913908c861ded15d9feef3b77
Opcode Fuzzy Hash: 651db59c28850e1e9d34a302843967cf52644ffdc6cb298b96719fa5d3e28d65
Instruction Fuzzy Hash: 23E01231951334EFC7113B96EC09BDD7F28EB04BA1F484126F90AE6360C665D9109BF8

Function 00D7EB74 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D7EB77
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D7EB86
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D7EB94
ReleaseDC.USER32(00000000,00000000), ref: 00D7EBA2

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c3e7e21d32f93dafeddaff10d85ba2b3ef5286083b485ba8f6622c6ed6865d7f
Instruction ID: 46723d094a7b0722b3907db7fa735ce5dd104b24b7cfaf07dbbbd294d29b1ff6
Opcode Fuzzy Hash: c3e7e21d32f93dafeddaff10d85ba2b3ef5286083b485ba8f6622c6ed6865d7f
Instruction Fuzzy Hash: DFE0EC3194AF20EBD6612B74BD0DB863EA4EB59B93F000345F605EA394D6A144008BB0

Function 00D77C68 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 293COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D78294

Part of subcall function 00D614A7: _wcslen.LIBCMT ref: 00D614B8

Part of subcall function 00D8087E: __EH_prolog3_GS.LIBCMT ref: 00D80885
Part of subcall function 00D8087E: GetLastError.KERNEL32(0000001C,00D78244,?,00000000,00000086,?,7889FE40,?,?,?,?,?,00000000,00D9A75D,000000FF), ref: 00D8089D
Part of subcall function 00D8087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00D9A75D,000000FF), ref: 00D808D6

Strings

%ls, xrefs: 00D77CF7

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
String ID: %ls
API String ID: 1279724102-3246610740
Opcode ID: 470cf2780ff6d8582c5680d1e421b3973cd15860e1e20d674a1a4896332c1597
Instruction ID: 6837b2be7c5eff73bc7876d32c4e15c468866311b90db4836d27ba8c29d741ea
Opcode Fuzzy Hash: 470cf2780ff6d8582c5680d1e421b3973cd15860e1e20d674a1a4896332c1597
Instruction Fuzzy Hash: 67B19174944209EFDB30EF90C94AFAD7BB1EF15305F108419F48A671D5EB71AA18EAB0

Function 00D7EF21 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00D7EBAA: GetDC.USER32(00000000), ref: 00D7EBAE
Part of subcall function 00D7EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D7EBB9
Part of subcall function 00D7EBAA: ReleaseDC.USER32(00000000,00000000), ref: 00D7EBC4

GetObjectW.GDI32(?,00000018,?), ref: 00D7EF65

Part of subcall function 00D7F1EC: GetDC.USER32(00000000), ref: 00D7F1F5
Part of subcall function 00D7F1EC: GetObjectW.GDI32(?,00000018,?), ref: 00D7F224
Part of subcall function 00D7F1EC: ReleaseDC.USER32(00000000,?), ref: 00D7F2BC

Strings

(, xrefs: 00D7F0BA

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 377cd9bfdc57fd24e76c517fa3f08e748f26388451e9a85df8e57799c289da8c
Instruction ID: 0be14cd42da416f2caab7e7bf9b98bf95454ad3f944cc72f319d038e126b99e1
Opcode Fuzzy Hash: 377cd9bfdc57fd24e76c517fa3f08e748f26388451e9a85df8e57799c289da8c
Instruction Fuzzy Hash: A091D071618314DFC660DF69C844A2BBBE9FFC9B10F40495EF98AD7260DB70A905CB62

Function 00D91E68 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D91FD4

Part of subcall function 00D8ACBB: IsProcessorFeaturePresent.KERNEL32(00000017,00D8AC8D,00D8535E,?,?,00000000,00D8535E,00000016,?,?,00D8AC9A,00000000,00000000,00000000,00000000,00000000), ref: 00D8ACBD
Part of subcall function 00D8ACBB: GetCurrentProcess.KERNEL32(C0000417,?,00D8535E), ref: 00D8ACDF
Part of subcall function 00D8ACBB: TerminateProcess.KERNEL32(00000000,?,00D8535E), ref: 00D8ACE6

Strings

., xrefs: 00D9218B
*?, xrefs: 00D91EAB

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
Instruction ID: d9dfe3c22fcbc2a9b1c1e869cf7b6c293495922f520d6ac96dd81c832d7f5a75
Opcode Fuzzy Hash: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
Instruction Fuzzy Hash: 6451757AE0011AAFDF14DFA8C881AADB7B5FF58314F284169E854E7341E7759E018B60

Function 00D6F103 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 00D779F7: GetSystemTime.KERNEL32(?,00000000), ref: 00D77A0F
Part of subcall function 00D779F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00D77A1D

Part of subcall function 00D779A0: __aulldiv.LIBCMT ref: 00D779A9

__aulldiv.LIBCMT ref: 00D6F162
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,7889FE40,?,?,00000000,?,00000000,00D99F3D,000000FF), ref: 00D6F169

Part of subcall function 00D61150: _wcslen.LIBCMT ref: 00D6115B

Strings

.rartemp, xrefs: 00D6F1D8

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
String ID: .rartemp
API String ID: 3789791499-2558811017
Opcode ID: 016f265239abcffce3521f3f7184edb40c6213443d3e7ff36a84c8284750bf18
Instruction ID: f36b53eb7dee979f4ee11ae531c25dbca8adc65c64919f9d695d143c4a165a77
Opcode Fuzzy Hash: 016f265239abcffce3521f3f7184edb40c6213443d3e7ff36a84c8284750bf18
Instruction Fuzzy Hash: 29418175900248AFDF14EFA4CC46EEEB7A8EF54314F444129F91993281EB749B09CBB0

Function 00D7DACE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D7DAD5

Part of subcall function 00D70360: __EH_prolog3.LIBCMT ref: 00D70367

Strings

Shell.Explorer, xrefs: 00D7DB11
about:blank, xrefs: 00D7DBD3

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: H_prolog3
String ID: Shell.Explorer$about:blank
API String ID: 431132790-874089819
Opcode ID: 040b6cb80b88c85fad5014b5793dff02a2aa33f161148aebac2787fa547bffb9
Instruction ID: 25f49c9b9d7a4fdf9055957ce80f42cd5f13094acfcc4966542b41a6a18a3207
Opcode Fuzzy Hash: 040b6cb80b88c85fad5014b5793dff02a2aa33f161148aebac2787fa547bffb9
Instruction Fuzzy Hash: CA411D746002059FDB18DF64C855B6A77B6EF88700F15C0ADE94AAF295EB71AD00CB70

Function 00D80110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00D61E44: GetDlgItem.USER32(00000000,00003021), ref: 00D61E88
Part of subcall function 00D61E44: SetWindowTextW.USER32(00000000,00D9C6C8), ref: 00D61E9E

EndDialog.USER32(?,00000001), ref: 00D8017B
SetDlgItemTextW.USER32(?,00000067,?), ref: 00D801B9

Strings

GETPASSWORD1, xrefs: 00D80148

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 22f652d9769f45215aa601ca98ee92832f972eb245f39d9a9445df55e72857b8
Instruction ID: 56896eae7b2a080013c230f6fc4290b355f6d4b7b1e99068a2e636cdfaf08639
Opcode Fuzzy Hash: 22f652d9769f45215aa601ca98ee92832f972eb245f39d9a9445df55e72857b8
Instruction Fuzzy Hash: 1D1108B2644314BBE270AB249C49FFB7BACEB85710F440429F745E3280CB7098098776

Function 00D75109 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D75094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D750B3
Part of subcall function 00D75094: GetProcAddress.KERNEL32(00DB51F8,CryptUnprotectMemory), ref: 00D750C3

GetCurrentProcessId.KERNEL32(?,00000200,?,00D75104), ref: 00D75197

Strings

CryptUnprotectMemory failed, xrefs: 00D7518F
CryptProtectMemory failed, xrefs: 00D7514E

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: a439c9f081b710fe561044dc1d9a81561746461deff725bb2682f63f1f9665a0
Instruction ID: 6876a5dab81721a02f0a9aa33cd6f252d69f8150f3859ec2bc2e0a015dbfc4e6
Opcode Fuzzy Hash: a439c9f081b710fe561044dc1d9a81561746461deff725bb2682f63f1f9665a0
Instruction Fuzzy Hash: F4112931A02B24ABDF169F20FC1176E3B55EF40761B48C116FC0A9B349EBB09D0186FA

Function 00D84264 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00010444), ref: 00D84291
DialogBoxParamW.USER32(GETPASSWORD1,00010444,00D80110,?), ref: 00D842BA

Strings

GETPASSWORD1, xrefs: 00D842AF

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: fbfaf68aad4c852187a13f2cbc0dc7b53cfdc5ff4617bf5d752fec775655601d
Instruction ID: 76feda37d602c21b040c2acad63e27866fd6dfeb93dd010fbe9023bbe1b3cb09
Opcode Fuzzy Hash: fbfaf68aad4c852187a13f2cbc0dc7b53cfdc5ff4617bf5d752fec775655601d
Instruction Fuzzy Hash: 2201B93169A716FFCB11BB64AC56FAA37D8EB02311B444215F842D3395CAA09848DB75

Function 00D61E44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00D73EAA: _swprintf.LIBCMT ref: 00D73EEA
Part of subcall function 00D73EAA: _strlen.LIBCMT ref: 00D73F0B
Part of subcall function 00D73EAA: SetDlgItemTextW.USER32(?,00DA919C,?), ref: 00D73F64
Part of subcall function 00D73EAA: GetWindowRect.USER32(?,?), ref: 00D73F9A
Part of subcall function 00D73EAA: GetClientRect.USER32(?,?), ref: 00D73FA6

GetDlgItem.USER32(00000000,00003021), ref: 00D61E88
SetWindowTextW.USER32(00000000,00D9C6C8), ref: 00D61E9E

Strings

0, xrefs: 00D61E47

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 996b2b96e0f80b38ab5286d24b976d96d432046d36669609c9bc7e3c16c69506
Instruction ID: a42604292627c6f9c8799be25ce7ebb39bd3e595e46386938b4b60c0c4181a51
Opcode Fuzzy Hash: 996b2b96e0f80b38ab5286d24b976d96d432046d36669609c9bc7e3c16c69506
Instruction Fuzzy Hash: 69F0C234544348EBDF155F64DE0ABFA3B58AF15344F0C9254FC48942A2C776CA94EB70

Function 00D8536D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D85379

Part of subcall function 00D852FB: std::exception::exception.LIBCONCRT ref: 00D85308

Part of subcall function 00D8734A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00D8536C,?,00DA6C54,?), ref: 00D873AA

___delayLoadHelper2@8.DELAYIMP ref: 00D8539F

Part of subcall function 00D84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D85041
Part of subcall function 00D84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D85052

Strings

@Ut, xrefs: 00D8538D, 00D85399

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ExceptionRaise$AccessDloadHelper2@8LoadReleaseSectionWrite___delaystd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: @Ut
API String ID: 1552410523-141846247
Opcode ID: cc52b0ec56d9b08f725590379c815267a67b3eb7e6a0eca5a77aa54ba1dca1f9
Instruction ID: 45e02e4dd8da0a651f70a83cff1d6198ecb6ac3285fbcbd1be5f016628606f69
Opcode Fuzzy Hash: cc52b0ec56d9b08f725590379c815267a67b3eb7e6a0eca5a77aa54ba1dca1f9
Instruction Fuzzy Hash: E3D05B6690C10CFED704B6D0ED06D7D372CDE41700F204415B950D1485E9A0D50957B5

Function 00D775ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00D7770A,?,?,00D7777F,?,?,?,?,?,00D77769), ref: 00D775F3
GetLastError.KERNEL32(?,?,00D7777F,?,?,?,?,?,00D77769), ref: 00D775FF

Part of subcall function 00D692EB: __EH_prolog3_GS.LIBCMT ref: 00D692F2

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D77608

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: ErrorH_prolog3_LastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 2419225763-2248577382
Opcode ID: 9ac477e379b5c18aeab7401dc8d2eb6dad18383d4f118a0dc29c36ee920b1286
Instruction ID: 18ff694e4604f8a41ab7b88e54f93640491c380b55172702639996d3d6aaad1d
Opcode Fuzzy Hash: 9ac477e379b5c18aeab7401dc8d2eb6dad18383d4f118a0dc29c36ee920b1286
Instruction Fuzzy Hash: 1FD05E31608621BBDA5023695C5ACAEBA09DB56330FA00715F63CA53E9DA20084182BD

Function 00D73E60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,7889FE40), ref: 00D73E65
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00D73E73

Strings

RTL, xrefs: 00D73E6D

Memory Dump Source

Source File: 00000000.00000002.2214866100.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.2214850762.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214894429.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214912329.0000000000DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214947026.0000000000DB7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_1wYGO0mAN2.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 1863f83e7dfbaef8f3437a47a9d09aa3fdde2b3de296ace0431e5d1fa69fe5da
Instruction ID: cd09523b6002d4b5925b0712ae1cf7b78058eb58ef38bc55abbdc8e5d54cc823
Opcode Fuzzy Hash: 1863f83e7dfbaef8f3437a47a9d09aa3fdde2b3de296ace0431e5d1fa69fe5da
Instruction Fuzzy Hash: 92C080317503109BE73017717C0DB872D585B04715F09245DB50DD91C0D5E5D4508BF0

Analysis Process: pjcvfvnncx.icmPID: 2676, Parent PID: 5420COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 004D5D78 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004D5DA7

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

GetCurrentProcess.KERNEL32(?,0056DC2C,00000000,?,?), ref: 004D5ED3
IsWow64Process.KERNEL32(00000000,?,?), ref: 004D5EDA
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004D5F05
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004D5F17
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 004D5F25
FreeLibrary.KERNEL32(00000000,?,?), ref: 004D5F2C
GetSystemInfo.KERNEL32(?,?,?), ref: 004D5F51

Strings

|O, xrefs: 00514F80
GetNativeSystemInfo, xrefs: 004D5F11
kernel32.dll, xrefs: 004D5F00

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e6a263527e33c8918efe66f36c4289d447523a3d30637dd1290f3e8c12de2ffa
Instruction ID: 120e2ecb97f98d343a64dc35f160a4078b2fac8a20075c17b79908e6c2d1bb40
Opcode Fuzzy Hash: e6a263527e33c8918efe66f36c4289d447523a3d30637dd1290f3e8c12de2ffa
Instruction Fuzzy Hash: 6EA16B3190A6C0CBDF11DB6C78461A97FA47B77300F145C9BE48997321D66C898DEB36

Function 004D3312 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,004D32EF,?), ref: 004D3342
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,004D32EF,?), ref: 004D3355
GetFullPathNameW.KERNEL32(00007FFF,?,?,005A2418,005A2400,?,?,?,?,?,?,004D32EF,?), ref: 004D33C1

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

Part of subcall function 004D41E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004D33E9,005A2418,?,?,?,?,?,?,?,004D32EF,?), ref: 004D4227

SetCurrentDirectoryW.KERNELBASE(?,00000001,005A2418,?,?,?,?,?,?,?,004D32EF,?), ref: 004D3442
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00513C8A
SetCurrentDirectoryW.KERNEL32(?,005A2418,?,?,?,?,?,?,?,004D32EF,?), ref: 00513CCB
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005931F4,005A2418,?,?,?,?,?,?,?,004D32EF), ref: 00513D54
ShellExecuteW.SHELL32(00000000,?,?), ref: 00513D5B

Part of subcall function 004D345A: GetSysColorBrush.USER32(0000000F), ref: 004D3465
Part of subcall function 004D345A: LoadCursorW.USER32(00000000,00007F00), ref: 004D3474
Part of subcall function 004D345A: LoadIconW.USER32(00000063), ref: 004D348A
Part of subcall function 004D345A: LoadIconW.USER32(000000A4), ref: 004D349C
Part of subcall function 004D345A: LoadIconW.USER32(000000A2), ref: 004D34AE
Part of subcall function 004D345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004D34C6
Part of subcall function 004D345A: RegisterClassExW.USER32(?), ref: 004D3517

Part of subcall function 004D353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004D3568
Part of subcall function 004D353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004D3589
Part of subcall function 004D353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,004D32EF,?), ref: 004D359D
Part of subcall function 004D353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,004D32EF,?), ref: 004D35A6

Part of subcall function 004D38F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004D39C3

Strings

AutoIt, xrefs: 00513C7F
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00513C84
0$Z, xrefs: 004D341C
runas, xrefs: 00513D4F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$Z$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-1862342204
Opcode ID: 5082802ae810dd314d060f56762a7c76647328ff2a1bb9fffbb878aed8099cfd
Instruction ID: 01dd8d5031be2b4ab168564a0734efae403795a1e4159ef04ab4ecf9da40004a
Opcode Fuzzy Hash: 5082802ae810dd314d060f56762a7c76647328ff2a1bb9fffbb878aed8099cfd
Instruction Fuzzy Hash: FE51EB30208341AADF01EF65AC7696E7FA4AF96748F04082FF44153362DE6C8A4DE767

Function 0053DC9C Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0053DCC1
Process32FirstW.KERNEL32(00000000,?), ref: 0053DCCF
Process32NextW.KERNEL32(00000000,?), ref: 0053DCEF
CloseHandle.KERNELBASE(00000000), ref: 0053DD9C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 905e6ef806d9ea65b8c7fd915cca2e4e955b645990a42147c163be0935944667
Instruction ID: 7ff9d2abdc39bdab9137054f83a3b27bb5a6cc0ee6457d7436db8bbc327b36d7
Opcode Fuzzy Hash: 905e6ef806d9ea65b8c7fd915cca2e4e955b645990a42147c163be0935944667
Instruction Fuzzy Hash: 163172715083419FD301DF65D895BAFBBF8EF99354F04082EF581872A1DBB19948CBA2

Function 0053E387 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00514686), ref: 0053E397
GetFileAttributesW.KERNELBASE(?), ref: 0053E3A6
FindFirstFileW.KERNELBASE(?,?), ref: 0053E3B7
FindClose.KERNEL32(00000000), ref: 0053E3C3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b4a857834ffff03774a81fa88e8ac7f41f017d2c8372d9e59ec9b1b9b4c5fe31
Instruction ID: 58b20a86bc4d2c24defe794d0cd81b0cced5eee18d6ee9d0d0cae3b0a6e448db
Opcode Fuzzy Hash: b4a857834ffff03774a81fa88e8ac7f41f017d2c8372d9e59ec9b1b9b4c5fe31
Instruction Fuzzy Hash: 85F0A031815910578211673CAC0E8AA7BFCAE52335F104F11F836D30F0D7F0A99996A5

Function 004F5078 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004F504E,?,005998D8,0000000C,004F51A5,?,00000002,00000000), ref: 004F5099
TerminateProcess.KERNEL32(00000000,?,004F504E,?,005998D8,0000000C,004F51A5,?,00000002,00000000), ref: 004F50A0
ExitProcess.KERNEL32 ref: 004F50B2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 984acb81e2f982ee4ff42b8af6e0a07f4eb460d995e5066eadf3aadfa67b87b9
Instruction ID: 7a644412ee3027e3147b97d79c3f2654eea461426ccf9c4f75ee75dd77b1d697
Opcode Fuzzy Hash: 984acb81e2f982ee4ff42b8af6e0a07f4eb460d995e5066eadf3aadfa67b87b9
Instruction Fuzzy Hash: C6E04F31900548AFCF116F18CD09E593F79FB50741F004815FA048B221DF79DD41DB95

Function 0052E5F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0052E60A

Strings

X64, xrefs: 0052E626

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: fe60837d77ba655516df2466d65c87b369f9860c54c0da97bcc69d5f269a4bee
Instruction ID: b953e5e945e03350158614cc851af4613ee8b49e3f232c4ce7f4a66be21b1f78
Opcode Fuzzy Hash: fe60837d77ba655516df2466d65c87b369f9860c54c0da97bcc69d5f269a4bee
Instruction Fuzzy Hash: 96D0C9B4C0112DEACB90CB90EC8CDDD777CBB18304F100552F106A2040D774A6499B20

Function 004D3E15 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unterminated group of comments, xrefs: 005146F0
#comments-end, xrefs: 004D3F76
#notrayicon, xrefs: 004D3E84
Cannot parse #include, xrefs: 005146DD
#cs, xrefs: 004D3F10, 004D3F62
#pragma compile, xrefs: 004D3E70
#include, xrefs: 004D3EE4
Bad directive syntax error, xrefs: 005145FE
#comments-start, xrefs: 004D3EFC, 004D3F4E
", xrefs: 005145B7
#OnAutoItStartRegister, xrefs: 004D3EB4
#requireadmin, xrefs: 004D3E9C
#ce, xrefs: 004D3F8A
', xrefs: 005145CD
#include-once, xrefs: 004D3ECC

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 8bb864abcc7f63ce4d59ec1ba1d9ca5955b79db95eb8126a91f301851888a535
Instruction ID: 0aece772e167af3ed28da6712e56df05af84d1b81a639b1275d885dd80b00dd2
Opcode Fuzzy Hash: 8bb864abcc7f63ce4d59ec1ba1d9ca5955b79db95eb8126a91f301851888a535
Instruction Fuzzy Hash: 3881FA71A40209BBEB11AF62CD56FAF3B64BF05705F04402BF9055B286EB78DA41C76A

Function 004D3696 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004D3690,?,?), ref: 004D36FE
KillTimer.USER32(?,00000001,?,?,?,?,?,004D3690,?,?), ref: 004D372A
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004D374D
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004D3690,?,?), ref: 004D3758
CreatePopupMenu.USER32 ref: 004D376C
PostQuitMessage.USER32(00000000), ref: 004D378D

Strings

TaskbarCreated, xrefs: 004D3753
0$Z, xrefs: 00513D83
0$Z, xrefs: 00513DD1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$Z$0$Z$TaskbarCreated
API String ID: 129472671-215663466
Opcode ID: 9508324a14183ec13e1a0a42e5529128a094b0a0cc7e732e0e66a0e3b5a4c49a
Instruction ID: 622ec2750f5efbf40ebf71c3393e3f0ccca1d6125fc2ccb33a2a77255e83ad8d
Opcode Fuzzy Hash: 9508324a14183ec13e1a0a42e5529128a094b0a0cc7e732e0e66a0e3b5a4c49a
Instruction Fuzzy Hash: 114126F12041406ADF241F6CDC2AB7E3F65F716352F04852BF512863A0CAAC8B45A62B

Function 004D35AB Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004D35DE
RegisterClassExW.USER32(00000030), ref: 004D3608
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004D3619
InitCommonControlsEx.COMCTL32(?), ref: 004D3636
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004D3646
LoadIconW.USER32(000000A9), ref: 004D365C
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004D366B

Strings

+, xrefs: 004D35C7
TaskbarCreated, xrefs: 004D360E
0, xrefs: 004D35C0
AutoIt v3 GUI, xrefs: 004D35FA

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7ea43a7eb268a2fa7067444fa8f24faac4cc508e3396e5ad6a43d48c109bc94a
Instruction ID: 301c4112761a9ce441a7340d4f609b68452d19b78daa3661c84305e936b6dbd7
Opcode Fuzzy Hash: 7ea43a7eb268a2fa7067444fa8f24faac4cc508e3396e5ad6a43d48c109bc94a
Instruction Fuzzy Hash: 2821E5B1E05208AFDF00DF98EC49B9E7BB4FB19710F00451AF911A72A0D7B54588EFA1

Function 005109FB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0051073A: CreateFileW.KERNELBASE(00000000,00000000,?,00510AA4,?,?,00000000,?,00510AA4,00000000,0000000C), ref: 00510757

GetLastError.KERNEL32 ref: 00510B0F
__dosmaperr.LIBCMT ref: 00510B16
GetFileType.KERNELBASE(00000000), ref: 00510B22
GetLastError.KERNEL32 ref: 00510B2C
__dosmaperr.LIBCMT ref: 00510B35
CloseHandle.KERNEL32(00000000), ref: 00510B55
CloseHandle.KERNEL32(?), ref: 00510C9F
GetLastError.KERNEL32 ref: 00510CD1
__dosmaperr.LIBCMT ref: 00510CD8

Strings

H, xrefs: 00510C5D

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7a959e5a1813fa37760b2e868fd886fee9d83dfeaac94b224dd6a52f5dd6f453
Instruction ID: fb70a02547141c27f0401191725c9c4dc1dccf1aa9dccdfbe4185643513c9391
Opcode Fuzzy Hash: 7a959e5a1813fa37760b2e868fd886fee9d83dfeaac94b224dd6a52f5dd6f453
Instruction Fuzzy Hash: 09A13332A041598FEF19AF68D852BEE3FA0AF06324F14115DF801DB3E1CB759886CB65

Function 004D522E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00514B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 004D5539

Part of subcall function 004D51BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004D51E1

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004D534B
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00514BD7
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00514C18
RegCloseKey.ADVAPI32(?), ref: 00514C5A
_wcslen.LIBCMT ref: 00514CC1
_wcslen.LIBCMT ref: 00514CD0

Strings

Software\AutoIt v3\AutoIt, xrefs: 004D5341
\, xrefs: 00514CD6
\Include\, xrefs: 004D5308
Include, xrefs: 00514BCE, 00514C0F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b0dd64ba7870419cdd30e366e73b7907b68f053942139f3bfaf56f0a27bb2947
Instruction ID: ca1bd1c1731d37db11b7d8a72666bccc118645984881740d34c68f5d8199350d
Opcode Fuzzy Hash: b0dd64ba7870419cdd30e366e73b7907b68f053942139f3bfaf56f0a27bb2947
Instruction Fuzzy Hash: F2718171508300AED700EF66EC559ABBBF8FF95348B40082FF54587260EF759A48DBA5

Function 004D345A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004D3465
LoadCursorW.USER32(00000000,00007F00), ref: 004D3474
LoadIconW.USER32(00000063), ref: 004D348A
LoadIconW.USER32(000000A4), ref: 004D349C
LoadIconW.USER32(000000A2), ref: 004D34AE
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004D34C6
RegisterClassExW.USER32(?), ref: 004D3517

Part of subcall function 004D35AB: GetSysColorBrush.USER32(0000000F), ref: 004D35DE
Part of subcall function 004D35AB: RegisterClassExW.USER32(00000030), ref: 004D3608
Part of subcall function 004D35AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004D3619
Part of subcall function 004D35AB: InitCommonControlsEx.COMCTL32(?), ref: 004D3636
Part of subcall function 004D35AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004D3646
Part of subcall function 004D35AB: LoadIconW.USER32(000000A9), ref: 004D365C
Part of subcall function 004D35AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004D366B

Strings

AutoIt v3, xrefs: 004D3506
0, xrefs: 004D34E6
#, xrefs: 004D34ED

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 20e0113f040b0ed6ead775303668d0c35870e12ec25f145abaf9541eac47f3fa
Instruction ID: d75d8bb59670a892f25e048932b7d126dee63309ab00abccd3b8323b2c526907
Opcode Fuzzy Hash: 20e0113f040b0ed6ead775303668d0c35870e12ec25f145abaf9541eac47f3fa
Instruction Fuzzy Hash: A6213C70E00314AFDF109FA9EC56B997FF4FB1AB51F00481BE504A72A0C3B94549AF90

Function 004DCA50 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004DCE8E

Strings

p3Z, xrefs: 005215CC
p3Z, xrefs: 005215B8
x3Z, xrefs: 005214D1
p3Z, xrefs: 004DCDB2
p3Z, xrefs: 004DCEAB
x3Z, xrefs: 00521570
p5Z, xrefs: 004DCC1C
p5Z, xrefs: 004DCE72

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Init_thread_footer
String ID: p3Z$p3Z$p3Z$p3Z$p5Z$p5Z$x3Z$x3Z
API String ID: 1385522511-234116438
Opcode ID: 85c02cc9f68e06472fa67f5323c234003eea799cb548f2a7cb41c37478b80bf3
Instruction ID: 1f636e7e3f250852543b25ffafd3021586e39b2bff93bc7e068823a07972ff15
Opcode Fuzzy Hash: 85c02cc9f68e06472fa67f5323c234003eea799cb548f2a7cb41c37478b80bf3
Instruction Fuzzy Hash: F832DE74A002169FCF14CF58C895ABABBB5FF56304F18845BE906AB391C738ED41CB99

Function 004D3AA3 Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D7953: CloseHandle.KERNELBASE(?,?,00000000,00513A1C), ref: 004D7973

Part of subcall function 004D6E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,004D3B33,?,00008000), ref: 004D6E80

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 004D3C17
_wcslen.LIBCMT ref: 004D3C96
SetCurrentDirectoryW.KERNEL32(?), ref: 004D3D81

Strings

Unterminated string, xrefs: 00514554
Error opening the file, xrefs: 00514509, 00514570
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0051413C
EA06, xrefs: 005141B4
Bad directive syntax error, xrefs: 005144E2
AU3!, xrefs: 004D3BC8

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 3350465876-3738523708
Opcode ID: f1eeabfe504446115c18b84548605c72516dd65ec816f9c389a81512b627c54d
Instruction ID: 0f307e0db1ba9eed313bfcb470f2d67022fc5ce4ebc0422a22ac2d1f0369ce32
Opcode Fuzzy Hash: f1eeabfe504446115c18b84548605c72516dd65ec816f9c389a81512b627c54d
Instruction Fuzzy Hash: C52299715083419FDB10EF25C8A1AAFBBE5BF94308F00091FF585972A2DB749A89CB57

Function 004DF680 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D5Z, xrefs: 0052458D
D5Z, xrefs: 004DF890
Variable must be of type 'Object'., xrefs: 0052486A
D5Z, xrefs: 004DFB61
D5Z, xrefs: 005245E0
D5ZD5Z, xrefs: 004DF92E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID: D5Z$D5Z$D5Z$D5Z$D5ZD5Z$Variable must be of type 'Object'.
API String ID: 0-1895104004
Opcode ID: 75af23e54bbc1fb7c5f72c47c9eef846ce45bf7feed3297a59d49bddc7373a97
Instruction ID: a219a54f459ab68ae9a8befed7b8a7d1a0d00886906e008e765a2ae3a8095daa
Opcode Fuzzy Hash: 75af23e54bbc1fb7c5f72c47c9eef846ce45bf7feed3297a59d49bddc7373a97
Instruction Fuzzy Hash: 70C29E71A00215DFCB24CF58C890BAEB7F1BF49304F24816BE946AB391D379AD46CB59

Function 004E02F0 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004E15A2

Strings

D5Z, xrefs: 00525F9D
D5ZD5Z, xrefs: 004E070B
D5Z, xrefs: 004E0667
D5Z, xrefs: 004E0A1A
D5Z, xrefs: 00525FF1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Init_thread_footer
String ID: D5Z$D5Z$D5Z$D5Z$D5ZD5Z
API String ID: 1385522511-3374964535
Opcode ID: 4d7934dc44540e52bda8dcae0bb3b82ec08226acd16067de14543197820df658
Instruction ID: 4a856dfcc1652195e12661a2d14ba67dc8b1962193c2dc5434e53ab415e653cc
Opcode Fuzzy Hash: 4d7934dc44540e52bda8dcae0bb3b82ec08226acd16067de14543197820df658
Instruction Fuzzy Hash: A3B2B074A08380CFDB24CF1AC48062ABBE1BF99305F14495EF9958B391D779EC85CB96

Function 004D2A52 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004D2A9B
CoUninitialize.COMBASE ref: 004D2B3A
UnregisterHotKey.USER32(?), ref: 004D2D1F
DestroyWindow.USER32(?), ref: 005139F5
FreeLibrary.KERNEL32(?), ref: 00513A5A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00513A87

Strings

close all, xrefs: 004D2A96

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ff6cf2fa4be1cde4a5a7ee4525810e5ac597b3eb8ccf9f324eb941fe1e5ae271
Instruction ID: dc59492ea2e91397b3c4b117ffc173349049e47b2201b9df3944e2ff2d738d4d
Opcode Fuzzy Hash: ff6cf2fa4be1cde4a5a7ee4525810e5ac597b3eb8ccf9f324eb941fe1e5ae271
Instruction Fuzzy Hash: B0D1AB30701212CFDB19EF15C5A9A69FBA0BF14704F1442AFE84A6B352DB74AD52CF85

Function 0054874A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00548907
SetCurrentDirectoryW.KERNELBASE(?), ref: 0054891B
GetFileAttributesW.KERNEL32(?), ref: 00548945
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0054895F
SetCurrentDirectoryW.KERNEL32(?), ref: 00548971
SetCurrentDirectoryW.KERNEL32(?), ref: 005489BA
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00548A0A

Strings

*.*, xrefs: 005489C0

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 70aac3f2e59d212304a8ff81b64f8166d3bfcc501cde38e8eea21b16c2eaa3d3
Instruction ID: a15a4bf328c94e40a5699ac63cdf294328c66792be254e842a585c537d06b40a
Opcode Fuzzy Hash: 70aac3f2e59d212304a8ff81b64f8166d3bfcc501cde38e8eea21b16c2eaa3d3
Instruction Fuzzy Hash: FA81BD729042059BCB20EF15C894AFEBBE8BF94718F544C2EF885D7251EB35D944CB92

Function 005090D5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0c34ae00c52ca970b1230f7e5c685412b897f391f71a00557b7a53e11c5e04
Instruction ID: 3d5e119b891de41fc3ee36b10d739b594a0cc22c32ac68b7a48ce7f6d3d927e6
Opcode Fuzzy Hash: 0a0c34ae00c52ca970b1230f7e5c685412b897f391f71a00557b7a53e11c5e04
Instruction Fuzzy Hash: 50C1EF70A0428AAFDF119FA8C845BADBFB0BF19300F184599E914AB3D3C7349946CF65

Function 004D2735 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D3205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004D3236
Part of subcall function 004D3205: MapVirtualKeyW.USER32(00000010,00000000), ref: 004D323E
Part of subcall function 004D3205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004D3249
Part of subcall function 004D3205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004D3254
Part of subcall function 004D3205: MapVirtualKeyW.USER32(00000011,00000000), ref: 004D325C
Part of subcall function 004D3205: MapVirtualKeyW.USER32(00000012,00000000), ref: 004D3264

Part of subcall function 004D318C: RegisterWindowMessageW.USER32(00000004,?,004D2906), ref: 004D31E4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004D29AC
OleInitialize.OLE32 ref: 004D29CA
CloseHandle.KERNEL32(00000000,00000000), ref: 005139E7

Strings

@(Z, xrefs: 004D2906
(&Z, xrefs: 004D28D4
0$Z, xrefs: 004D29D0
$Z, xrefs: 004D27AC

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&Z$0$Z$@(Z$$Z
API String ID: 1986988660-261712629
Opcode ID: ad81ef209c0949aa126d8eeda1c8695613684e60206534f611ba16f90d8ed4e4
Instruction ID: 31a02796e76c2f72f63e50404beef8b34d524f9e70714797348f408a0fbb2e8c
Opcode Fuzzy Hash: ad81ef209c0949aa126d8eeda1c8695613684e60206534f611ba16f90d8ed4e4
Instruction Fuzzy Hash: 21717DB0E052418E8788EF3EAD6B6153EE0FB6F308F00852EE509CB761EB744449AF55

Function 004D353A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004D3568
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004D3589
ShowWindow.USER32(00000000,?,?,?,?,?,?,004D32EF,?), ref: 004D359D
ShowWindow.USER32(00000000,?,?,?,?,?,?,004D32EF,?), ref: 004D35A6

Strings

AutoIt v3, xrefs: 004D3560, 004D3565, 004D3566
edit, xrefs: 004D3583

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 657b93deb01f553837626998d169cac2fe861f7b11db37c2790d58a21ea5a11d
Instruction ID: cb01d7b3e767446e8d168c6b59535c0e45540f8f1bd4f710d48bd8a9dd778931
Opcode Fuzzy Hash: 657b93deb01f553837626998d169cac2fe861f7b11db37c2790d58a21ea5a11d
Instruction Fuzzy Hash: 23F0D071A402947AEB31571B6C09F373EBDE7D7F50F00081EB90497160D5A51859FA70

Function 004D55F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004D55EB,SwapMouseButtons,00000004,?), ref: 004D561C
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004D55EB,SwapMouseButtons,00000004,?), ref: 004D563D
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,004D55EB,SwapMouseButtons,00000004,?), ref: 004D565F

Strings

Control Panel\Mouse, xrefs: 004D561A

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0be2bff0f75c98047e80d5279050b77cd298aa9fd7b07fbe55678ca55c17e74d
Instruction ID: 572938410b98ef2677a25d52853837119a6aa7ff536692db4edd9cd23ad00137
Opcode Fuzzy Hash: 0be2bff0f75c98047e80d5279050b77cd298aa9fd7b07fbe55678ca55c17e74d
Instruction Fuzzy Hash: FA117C71610608BFDB208FA8CC44EAF77B8EF10744F40446BF809D7220EA71EE45A764

Function 0052E71E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0052E73D
FreeLibrary.KERNEL32 ref: 0052E763

Strings

X64, xrefs: 0052E626
GetSystemWow64DirectoryW, xrefs: 0052E737

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 8d9be09b3748026fb737fa02c63643b96558656cfcb2f2cd3c42654d8f13325d
Instruction ID: 19094ce42dfe18f5c8e6c13b98e28cf54d1efc03ec7c072dd228109661851dd0
Opcode Fuzzy Hash: 8d9be09b3748026fb737fa02c63643b96558656cfcb2f2cd3c42654d8f13325d
Instruction Fuzzy Hash: 2BE02B31D026709BDF725A246C49AAA3E34BF23701F180C55F801FB180DBB4DD48C2A8

Function 0053DA81 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0056DC30), ref: 0053DABB
GetLastError.KERNEL32 ref: 0053DACA
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0053DAD9
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0056DC30), ref: 0053DB36

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 22d674f70a2febd87c297c3177ff1aade9997efdead6fc5839c489a697b0514a
Instruction ID: 653fce07712fad3a6f380e264a3b7b058714dd79478f3196f4332aa6431ece27
Opcode Fuzzy Hash: 22d674f70a2febd87c297c3177ff1aade9997efdead6fc5839c489a697b0514a
Instruction Fuzzy Hash: 9B21B5305082059F8710DF29D9A186BBBF4FE59368F154A1EF499C32A1D730DD09CF62

Function 004D3A1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00514115

Part of subcall function 004D557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D5558,?,?,00514B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 004D559E

Part of subcall function 004D39DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004D39FD

Strings

X, xrefs: 005140E3
`uY, xrefs: 0051410E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`uY
API String ID: 779396738-3912885437
Opcode ID: 982191d999057b06906f42782d9426109a026ac06a0d4daeba9d6843fd88607a
Instruction ID: 97b2f186904985cea9d1e61e3e852304d0813b49bfb1c31911515e2f4fc68d52
Opcode Fuzzy Hash: 982191d999057b06906f42782d9426109a026ac06a0d4daeba9d6843fd88607a
Instruction Fuzzy Hash: 4121A171A002489BDF01DF99C815AEE7BF8AF49304F00401BE508A7341DBF85A898FA6

Function 004F016B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004F09F8

Part of subcall function 004F3634: RaiseException.KERNEL32(?,?,?,004F0A1A,?,00000000,?,?,?,?,?,?,004F0A1A,00000000,00599758,00000000), ref: 004F3694

__CxxThrowException@8.LIBVCRUNTIME ref: 004F0A15

Strings

Unknown exception, xrefs: 004F0A22

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f13df9dd077471a491d5a308f047b0962d23e465e3dffde8a840547d8869439b
Instruction ID: 5da0c20321c8add8e9388ef4d38fbd9d3f472e785f967b374bc71797cb5e8668
Opcode Fuzzy Hash: f13df9dd077471a491d5a308f047b0962d23e465e3dffde8a840547d8869439b
Instruction Fuzzy Hash: BDF0F47090020DB39B10BAA6D802CBE7BAC9A40314B50412ABB14C15A3FB79DA0685C9

Function 0052E59A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0052E59E

Strings

X64, xrefs: 0052E626
%.3d, xrefs: 0052E5A9

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b362c68aa056bd8c741716820a5ae4fa3e5ae7ffe05fafd5b3efe36db4446aad
Instruction ID: d4215438efa1ede6e79ceed8bd77c36a3c8afcf95998fa6993112941ee1b6c8e
Opcode Fuzzy Hash: b362c68aa056bd8c741716820a5ae4fa3e5ae7ffe05fafd5b3efe36db4446aad
Instruction Fuzzy Hash: 45D012B1D04068D5CF909B91EC4A8BD7B7CBF1E301F544C53F406A1080E638A50CA721

Function 005588B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00558C52
TerminateProcess.KERNEL32(00000000), ref: 00558C59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00558E3A

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 7ea4e1646027db01f0591e6f989690488ae790c7abb34298396ecb3dc906f38a
Instruction ID: 600666ac2da300d1c5b3f4b346e634e90f63466d93654dc58ee2114665371a0c
Opcode Fuzzy Hash: 7ea4e1646027db01f0591e6f989690488ae790c7abb34298396ecb3dc906f38a
Instruction Fuzzy Hash: 60126B71A043419FC714DF28C494B2ABBE5FF84319F14895EE8899B352CB35E949CB92

Function 004D6BFA Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 004D6CA1
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 004D6CB1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8622c788e35eba03e6b229d2ab9cc3482782a95e109d085b93828eea80f0982b
Instruction ID: 2ce566d0c9cdd30ffc1827d43d232b498c3d2934edf7e9dc15292a9ec8752047
Opcode Fuzzy Hash: 8622c788e35eba03e6b229d2ab9cc3482782a95e109d085b93828eea80f0982b
Instruction Fuzzy Hash: D8317A71A10609FFDB14CF68C980B99B7B4FB04714F15862BE81897340D7B5BE94CB94

Function 004EFCBB Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D5F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004D6049

KillTimer.USER32(?,00000001,?,?), ref: 004EFD44
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004EFD53
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0052FDD3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 525537d73cfba9b2d278b9fed6e34922c4d29ba903b396d821509cca3731a40c
Instruction ID: 62a4165e757e7eefa30c1f72e341d474f7493f3c4a196aff47abf12c4d11f9c5
Opcode Fuzzy Hash: 525537d73cfba9b2d278b9fed6e34922c4d29ba903b396d821509cca3731a40c
Instruction Fuzzy Hash: B731B471904354AFEB228F24A845BE7BFFCAF12308F0408AED59A97281C7745A89CB55

Function 00508A3E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,0050895C,?,00599CE8,0000000C), ref: 00508A94
GetLastError.KERNEL32(?,0050895C,?,00599CE8,0000000C), ref: 00508A9E
__dosmaperr.LIBCMT ref: 00508AC9

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: e05bd02fc45d1aa57d610bb085a6e1d0c9a32abb301fa0c43c07c5d5831fefe0
Instruction ID: 980fd338160d3af971a259d1c22230d53a0f7db76bbef62e59293e8f39b3b77a
Opcode Fuzzy Hash: e05bd02fc45d1aa57d610bb085a6e1d0c9a32abb301fa0c43c07c5d5831fefe0
Instruction Fuzzy Hash: 250182327055604AD61423345889F7F2F45BBD1774F29061BF848DB5D2DF618CC996A4

Function 0050971B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,005097CA,FF8BC369,00000000,00000002,00000000), ref: 00509754
GetLastError.KERNEL32(?,005097CA,FF8BC369,00000000,00000002,00000000,?,00505EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,004F6F61), ref: 0050975E
__dosmaperr.LIBCMT ref: 00509765

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: f63446ae2f944756e48b27349502e6919633aee182567926654a772425ab70ff
Instruction ID: b5f3341969610fa48788547c389b5476da60de401d8bec1190b148e3bcc5e720
Opcode Fuzzy Hash: f63446ae2f944756e48b27349502e6919633aee182567926654a772425ab70ff
Instruction Fuzzy Hash: 3D012833B20519ABCF059F99DC05C6E3F2AEF86320B240209FD149B2D1EB719D419BA0

Function 004E2AD0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004E2FB6

Strings

CALL, xrefs: 004E2F86

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: aeab915ba82cbb18e0ac0e7257be89949ed71d92e718a924643e84c4de25df9b
Instruction ID: b0cc21f21fd10a8a393004eba753781818f76d45b4c4cd4a0f51f0ba8774cc3b
Opcode Fuzzy Hash: aeab915ba82cbb18e0ac0e7257be89949ed71d92e718a924643e84c4de25df9b
Instruction Fuzzy Hash: 6922DE70608285DFC714CF16C884A2ABBF5BF89314F14895EF5868B3A2D7B9E941CB46

Function 004D41E6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004D33E9,005A2418,?,?,?,?,?,?,?,004D32EF,?), ref: 004D4227

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

Strings

$Z, xrefs: 004D4241

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: $Z
API String ID: 4019309064-2657603024
Opcode ID: 57439c5be7428e6d740f24da8821f378c4693569be45ac3ec39bceb344bb9708
Instruction ID: c3c40d81d0429fd96f57eae27c40e015d70222405800bdd1c0ad1dac51e1b0ce
Opcode Fuzzy Hash: 57439c5be7428e6d740f24da8821f378c4693569be45ac3ec39bceb344bb9708
Instruction Fuzzy Hash: 2111A571A042099BCF00EBA59C12EDD77F8BF89354F0040ABF945D7391EE78A7849B25

Function 0052E6E1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0052E6F3

Strings

X64, xrefs: 0052E626

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: efc904ec87f6e409516ec815dca6200fee6451db4318ce6f48d66b776e4cd0ac
Instruction ID: fa361ab1811817e20722e1b8a2946cfdc832030cf810528db85395fb06eab39d
Opcode Fuzzy Hash: efc904ec87f6e409516ec815dca6200fee6451db4318ce6f48d66b776e4cd0ac
Instruction Fuzzy Hash: 44D0C9B4C05228EACF90CF80EC88DDD777CBB14300F100C56F002A2180D7746A489B20

Function 005495F6 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 004D557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D5558,?,?,00514B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 004D559E

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00549665
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00549673

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: PrivateProfileStringWrite$FullNamePath
String ID:
API String ID: 3876400906-0
Opcode ID: e0eb8844d703d7c0acda589884473bea786b1e7201223d8c7fa292f298106c8a
Instruction ID: 8284b46797886f4b351338ff9eb75f83d1fea913f283ae6bda8a85dc70f8512d
Opcode Fuzzy Hash: e0eb8844d703d7c0acda589884473bea786b1e7201223d8c7fa292f298106c8a
Instruction Fuzzy Hash: 1B1149396006259FCB00EB26C861D6EB7B5FF48328B05884AE856AB361CB34FC01CFD4

Function 004D6E52 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,004D3B33,?,00008000), ref: 004D6E80
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,004D3B33,?,00008000), ref: 005159A2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9abdde4b13ca7e5365f14c1cc39c57bf73767a5b9b657c863b7406e4c2b6ca28
Instruction ID: 8ec9733c9740ee5ad5c81ec6748f998b847498c6fb123019a345cf3caad5a768
Opcode Fuzzy Hash: 9abdde4b13ca7e5365f14c1cc39c57bf73767a5b9b657c863b7406e4c2b6ca28
Instruction Fuzzy Hash: 79018031245225B6E3300A2ACC0EF977F98EF46774F118216BE986A2E0C7B45855CB94

Function 004D32A2 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 004D32C4

Part of subcall function 004D326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004D3282
Part of subcall function 004D326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004D3299

Part of subcall function 004D3312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,004D32EF,?), ref: 004D3342
Part of subcall function 004D3312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,004D32EF,?), ref: 004D3355
Part of subcall function 004D3312: GetFullPathNameW.KERNEL32(00007FFF,?,?,005A2418,005A2400,?,?,?,?,?,?,004D32EF,?), ref: 004D33C1
Part of subcall function 004D3312: SetCurrentDirectoryW.KERNELBASE(?,00000001,005A2418,?,?,?,?,?,?,?,004D32EF,?), ref: 004D3442

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 004D32FE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 49a71325da6e4217893979e1742bcbf2e218f52df1c909f6a306d78bbcda03d2
Instruction ID: fba8450c8cb7d341d002aa58a4d67b31469f0309904854690ea1dd48f59e61f7
Opcode Fuzzy Hash: 49a71325da6e4217893979e1742bcbf2e218f52df1c909f6a306d78bbcda03d2
Instruction Fuzzy Hash: D4F0B431A043449FEB006F68ED0BB243BA0A72730AF004C0BF608865E2CBBD8448AB05

Function 004EF95E Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004EF97A
Sleep.KERNEL32(00000000), ref: 0052FAC2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: c5d88f87c6e18f8b5dabeea3b8b00d748e4e487e1f03c774cf976a71d2927640
Instruction ID: daa7e31d35b713c47ec5987bd9b7ada2fbf0938d2fb06bed5b532c387257d36b
Opcode Fuzzy Hash: c5d88f87c6e18f8b5dabeea3b8b00d748e4e487e1f03c774cf976a71d2927640
Instruction Fuzzy Hash: 43F0E2B12006059FC300EB6AD455B56B7F4FF45310F00042FE44AC7350DBB0A800CB95

Function 004D8774 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,004DAE65,?,?,?), ref: 004D8793
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,004DAE65,?,?,?), ref: 004D87C9

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 907d4fc523d5f94a73658b702be56e1b5d2687c455d3d288c8fb932ea21f2241
Instruction ID: 236be44015688903eae04f863be2b6b51a09cd8fc1beee6127f1eeee133453d6
Opcode Fuzzy Hash: 907d4fc523d5f94a73658b702be56e1b5d2687c455d3d288c8fb932ea21f2241
Instruction Fuzzy Hash: FD01D4713001047FEB196B6A9D5BF7F7AADDB85740F10002FB102DA291EDA09C009228

Function 004FF126 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7842580bf1ba0e02ab2c8957f5bcc7ddcbe1261dddd9713f08a196854d8435d
Instruction ID: a31c2dd82223f59728f492fda1279f658e683763386e43327ae5e08723382cbc
Opcode Fuzzy Hash: b7842580bf1ba0e02ab2c8957f5bcc7ddcbe1261dddd9713f08a196854d8435d
Instruction Fuzzy Hash: E8511D36A0010CAFDB10DF58C840B7A7BB1EF85364F1A81A9ED049B391C736DD46CB54

Function 0053FBCA Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0053FBE3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 120b617f37a95c229bbae49697929a1f580b82e70db90cfb591917149b85c003
Instruction ID: 7a81e3e4d8d4a9e4f7f7ef2fec707b8560b464f1ad4c41d598c387f9cd31e387
Opcode Fuzzy Hash: 120b617f37a95c229bbae49697929a1f580b82e70db90cfb591917149b85c003
Instruction Fuzzy Hash: 0341A1B2A0020DAFDB11AF65C8859AEBBB8FF44314F11893FE91697251EB70DE04CB50

Function 004F0000 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 004F00AF

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 781f9986c800e3c513c66f2f79f39a00e49579a5570a159eabd1ddf07621f2f2
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6F31D974A00109DFC718CF58E480A7AF7A5FB99300B6486A6E50ACB356DB35EDC1CBD9

Function 00548E39 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004D557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D5558,?,?,00514B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 004D559E

GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00548EBE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FullNamePathPrivateProfileString
String ID:
API String ID: 1991638491-0
Opcode ID: 98784316dfd0f7f073df6cf93070ffc84cec2ce643a3b1af7f959d9ef291bba9
Instruction ID: 798b0c1fae79d162cfc952b6e89da0905629b45d6326d081a4d694db3041446e
Opcode Fuzzy Hash: 98784316dfd0f7f073df6cf93070ffc84cec2ce643a3b1af7f959d9ef291bba9
Instruction Fuzzy Hash: 97216F35600609AFCB00EB65C952CAEBBB5EF58324B04405AFA45AB3A1CB34FD51CBD4

Function 004D636D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D6332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004D637F,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D633E
Part of subcall function 004D6332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004D6350
Part of subcall function 004D6332: FreeLibrary.KERNEL32(00000000,?,?,004D637F,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D6362

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D639F

Part of subcall function 004D62FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005154C3,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D6304
Part of subcall function 004D62FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004D6316
Part of subcall function 004D62FB: FreeLibrary.KERNEL32(00000000,?,?,005154C3,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D6329

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e3449b93b63cda9f576e7aa9ae9a36607e786e898f2e8917b1bd05e8345c3478
Instruction ID: 2ad80560edf384b2c52f50e4ad413bc74ca4a31289188cb98c8a02672c5b06cf
Opcode Fuzzy Hash: e3449b93b63cda9f576e7aa9ae9a36607e786e898f2e8917b1bd05e8345c3478
Instruction Fuzzy Hash: A9112B31600205AADF10FB25DC22AAD77A1AF50719F11842FF942A72D1EEB89A459B54

Function 00508792 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 005087D0

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 642ef22842c51b600b67178b85f992f0f043a5dcca73cb3d5582329285062b09
Instruction ID: ddd6525b71a05f87bb1f5206dff920d21e42c8b490ab4f00b17dbb78c8581b7b
Opcode Fuzzy Hash: 642ef22842c51b600b67178b85f992f0f043a5dcca73cb3d5582329285062b09
Instruction Fuzzy Hash: 2C11487190410AAFCF05DF58E941EEE7BF9FF48310F144069F808AB352DA31EA118BA4

Function 004DB050 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,004D6B73,?,00010000,00000000,00000000,00000000,00000000), ref: 004DB0AC

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 26a5bc61a9db2350a41dedfe3aadc57fd6c0d85543d05bc5f9ac4fc166e10dad
Instruction ID: 206f5141e6fd4fb9c3ff735de4801bd97dd0ab18066bd7011809da8d5449f64e
Opcode Fuzzy Hash: 26a5bc61a9db2350a41dedfe3aadc57fd6c0d85543d05bc5f9ac4fc166e10dad
Instruction Fuzzy Hash: BF116A35200704DFD721CE06C490B63B7E9EF45354F01C42FE9AA87B50CBB5A945CBA4

Function 00505390 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0050500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,005031B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0050504E

_free.LIBCMT ref: 005053FC

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
Instruction ID: ed360d7e27d96e532760aeb30a3b58d18282cb93f89e84a7fc27e4f768c3e48c
Opcode Fuzzy Hash: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
Instruction Fuzzy Hash: 270126B22047056BE3218E65D849A9EFFDCFB89370F250A1DE1C4832C0FA70A905CB74

Function 004FE992 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
Instruction ID: e6ea59a5d0f351c5381d6e4ed6507b2c17bd9e4216c045f0018eb683c88d58b1
Opcode Fuzzy Hash: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
Instruction Fuzzy Hash: 7AF0F97290062956D6213E679C09F7F3658AF81335F14071BF665921E1DFF8980285BA

Function 0050500D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,005031B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0050504E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b0b591a86fccf04fc7da6cd1bb3298fccf4015b98ada259b3d0feaed461ea30a
Instruction ID: 853ab9ffd8d53d44788d2a2c94cd497f2ed888d3e572ec145929d8d55864821f
Opcode Fuzzy Hash: b0b591a86fccf04fc7da6cd1bb3298fccf4015b98ada259b3d0feaed461ea30a
Instruction Fuzzy Hash: 4CF0B431604924A7DB315A679C19B6F3F58BF417A1B144116AE05961D0EA74D8048EE0

Function 00503BB0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,004F6A99,?,0000015D,?,?,?,?,004F85D0,000000FF,00000000,?,?), ref: 00503BE2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c02b8b499270d097d5e1c443e9c1c726c593946c4d93b9a9ed9d949dd99264b5
Instruction ID: f90011f5fb578948abebcfe47f46b52a8d43371f23f6694a2ef758a7fc33c5ce
Opcode Fuzzy Hash: c02b8b499270d097d5e1c443e9c1c726c593946c4d93b9a9ed9d949dd99264b5
Instruction Fuzzy Hash: 97E0ED3120462857EB202A6B9C01F6E3E5CFF027A8F150122EE06D60E0EB79DE0082E5

Function 004D63DB Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e2a6b15f93cba972de44ce2871348d540b75fe994d7692791c49b6c3f518f9
Instruction ID: 9d0fa393e4230fc4d66591123fcf1a56a97328ac96464aef748b67054c62b10f
Opcode Fuzzy Hash: e5e2a6b15f93cba972de44ce2871348d540b75fe994d7692791c49b6c3f518f9
Instruction Fuzzy Hash: 07F08570600702CFCB348F24D4A0822BBE1BF1032A3218A3FE2C782620C775A880DB14

Function 004D653A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004D6558

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
Instruction ID: cfae43ce4ad5159c199a407d7dcd7f9f19774a7aaded02ff8d825588626b6b81
Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
Instruction Fuzzy Hash: EEF0F87140020DFFDF05DF90C941EAE7B79FB04318F208549F9159A251D336DA61EBA1

Function 004D4154 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D4159

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
Instruction ID: 0d1622c8b043a71cd659bdc734909df557b735ebca80010471a94a56cee51f70
Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
Instruction Fuzzy Hash: 26D0A72334205435B669313E2D0BC7F451CCBC26A4B05003FFB03CA1AAEC484C0300F4

Function 0053E783 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 0053E7A2

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: NamePathShort_wcslen
String ID:
API String ID: 2021730007-0
Opcode ID: f65713566f94455e674a4d13102020a320dd37469a2a3597621453c08735bfeb
Instruction ID: 41fdcba6141b52583f1eb0d32f2bac6c842f9d6f8c57549708cd5af829c30088
Opcode Fuzzy Hash: f65713566f94455e674a4d13102020a320dd37469a2a3597621453c08735bfeb
Instruction Fuzzy Hash: 91E0CD76A0022557C71092599C05FEE77EDEFC8790F044075FD09D7248DDA8ED8085A0

Function 004D39DE Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004D39FD

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 3d52461e97ff8b2fab2c5bd1526ae3f298e796570939989909bf3e5e410be483
Instruction ID: 0987aab283abd293258878f2a75b6fe6673918bfcd90ed62093f5d78f20ef00e
Opcode Fuzzy Hash: 3d52461e97ff8b2fab2c5bd1526ae3f298e796570939989909bf3e5e410be483
Instruction Fuzzy Hash: A2E0CD76A0012557C71092589C05FEA77EDDFC8790F044075FC09D7248DDB8ED8095A0

Function 0053E753 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0053E76C

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: c1d85488d97ffa06e40159aabd1aaeae186f999ac326cca9434650c722f927d9
Instruction ID: b11d94cc83b7feb2a917cdaeab6a55b6be49292a2062fffd907c8f39c1d1d5fe
Opcode Fuzzy Hash: c1d85488d97ffa06e40159aabd1aaeae186f999ac326cca9434650c722f927d9
Instruction Fuzzy Hash: 5DD05EA1A003282BDF60A6759C0DDB73AACC784254F004AA5786DD3242ED74ED4486B0

Function 0051073A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00510AA4,?,?,00000000,?,00510AA4,00000000,0000000C), ref: 00510757

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 578fce36613a5fd1ba2667cbffbf24b99fe565d4990cdda195160eeaf3658503
Instruction ID: c8c0519cac395ab5c26e6c8ad49bd00f9efcfa7e3e391f4d30f5b31d8741f37a
Opcode Fuzzy Hash: 578fce36613a5fd1ba2667cbffbf24b99fe565d4990cdda195160eeaf3658503
Instruction Fuzzy Hash: B4D06C3210010DBBDF028F84DD06EDA3BAAFB4C714F014000FE1856020C772E821EB90

Function 0053E9C5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0053D755), ref: 0053E9C6

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 322a54e68fd460aa53408cc51592aaa4838d198bc7244024570b2fe80001a264
Instruction ID: d88e40a4c7e617d67ba036d4082432622660e9e44296f3dc3169e873bf54d0ed
Opcode Fuzzy Hash: 322a54e68fd460aa53408cc51592aaa4838d198bc7244024570b2fe80001a264
Instruction Fuzzy Hash: 51B0922900061005BD780A3C1A1A2FA2B9078533A6BD81BD5E4BA961F2C339880BE720

Function 004D7953 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00513A1C), ref: 004D7973

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 184da32c705bbb7f5b3c94e0b4f45c6835ce497674ec2d306a1d55c73af37b71
Instruction ID: 5ba1820955d0d9a5ff926c0196c314934f1239733d44982787c9f628c33a5fd9
Opcode Fuzzy Hash: 184da32c705bbb7f5b3c94e0b4f45c6835ce497674ec2d306a1d55c73af37b71
Instruction Fuzzy Hash: 09E092B6904B12CFD3314F1AE864412FBF4FEE63613204A6FD0E582760E3B4588ADB54

Non-executed Functions

Function 0054A0FA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0054A11B
FindNextFileW.KERNEL32(00000000,?), ref: 0054A176
FindClose.KERNEL32(00000000), ref: 0054A181
FindFirstFileW.KERNEL32(*.*,?), ref: 0054A19D
SetCurrentDirectoryW.KERNEL32(?), ref: 0054A1ED
SetCurrentDirectoryW.KERNEL32(00597B94), ref: 0054A20B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0054A215
FindClose.KERNEL32(00000000), ref: 0054A222
FindClose.KERNEL32(00000000), ref: 0054A232

Part of subcall function 0053E2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0053E2C9

Strings

*.*, xrefs: 0054A198

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 455fbfd029ec0d55c973ae7b785518f65b6bea775809dc3da7ea63f21a015127
Instruction ID: 068fe36179dfb53d9fa22a9b848d955240b10bb82f0a86a638157a266ba122f2
Opcode Fuzzy Hash: 455fbfd029ec0d55c973ae7b785518f65b6bea775809dc3da7ea63f21a015127
Instruction Fuzzy Hash: 2931243664420D7ADF10AFB4DC08ADE7BBCBF09328F100556E911A3190EBB5CE44DA61

Function 0055C7A3 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0055D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055C00D,?,?), ref: 0055D314
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D350
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D3C7
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0055C89D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0055C908
RegCloseKey.ADVAPI32(00000000), ref: 0055C92C
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0055C98B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0055CA46
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0055CAB3
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0055CB48
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0055CB99
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0055CC42
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0055CCE1
RegCloseKey.ADVAPI32(00000000), ref: 0055CCEE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 9b9e7cc2c7be7914c87a0e09d69a7d421fdd6213f95a45553062c44126e5b1f9
Instruction ID: c5bd69e612affd343c4aee690c34b0ae82db067252b4773965e6d5c471a52005
Opcode Fuzzy Hash: 9b9e7cc2c7be7914c87a0e09d69a7d421fdd6213f95a45553062c44126e5b1f9
Instruction Fuzzy Hash: 3B021D716042009FD714DF29C8A5E2ABBE5FF48318F18849EE84ADB3A2D735ED45CB91

Function 0053A54A Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0053A572
GetAsyncKeyState.USER32(000000A0), ref: 0053A5F3
GetKeyState.USER32(000000A0), ref: 0053A60E
GetAsyncKeyState.USER32(000000A1), ref: 0053A628
GetKeyState.USER32(000000A1), ref: 0053A63D
GetAsyncKeyState.USER32(00000011), ref: 0053A655
GetKeyState.USER32(00000011), ref: 0053A667
GetAsyncKeyState.USER32(00000012), ref: 0053A67F
GetKeyState.USER32(00000012), ref: 0053A691
GetAsyncKeyState.USER32(0000005B), ref: 0053A6A9
GetKeyState.USER32(0000005B), ref: 0053A6BB

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8dccd826ced9e8c3aa54d3c490eaafbbf4d98ef94c10ebab5395b7f4889351a4
Instruction ID: 9dc68e78c7575772045ba9979f1bdf01edb04de3ba39fb992eb1ac585b20d90f
Opcode Fuzzy Hash: 8dccd826ced9e8c3aa54d3c490eaafbbf4d98ef94c10ebab5395b7f4889351a4
Instruction Fuzzy Hash: 43419174E087C96AFF318B6488153A5BFA0BB21344F08845DD5C64B6C2EBE499C88B63

Function 00554089 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005540D1
CoUninitialize.OLE32 ref: 005540DC
CoCreateInstance.OLE32(?,00000000,00000017,00570B44,?), ref: 00554136
IIDFromString.OLE32(?,?), ref: 005541A9
VariantInit.OLEAUT32(?), ref: 00554241
VariantClear.OLEAUT32(?), ref: 00554293

Strings

Invalid parameter, xrefs: 005541C2
Failed to create object, xrefs: 00554141, 005541F7
NULL Pointer assignment, xrefs: 0055417B

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c50675cf2c87388ec4c43b44ae671856e2a808af48ae6522698a927a5723eba7
Instruction ID: d055899a1b153a43d583dd889fd6a5115116438be834c6d8ca5e9b4e0a3b635d
Opcode Fuzzy Hash: c50675cf2c87388ec4c43b44ae671856e2a808af48ae6522698a927a5723eba7
Instruction Fuzzy Hash: 92619D746087119FC710DF65C858B6ABBE8BF99759F10080EF9859B291CB70ED88CF92

Function 0054A488 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0054A4D5
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0054A5E8

Part of subcall function 005441CE: GetInputState.USER32 ref: 00544225
Part of subcall function 005441CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005442C0

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0054A505
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0054A5D2

Strings

*.*, xrefs: 0054A4BA

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 25ee70a016471768c12de9553a32ed41ae07e659f979b220696676b35c99cbfd
Instruction ID: 1d8ecaa24939283a7fc5ec0faf7761fe0a7a8165cdf90ce7107ef738aadf208e
Opcode Fuzzy Hash: 25ee70a016471768c12de9553a32ed41ae07e659f979b220696676b35c99cbfd
Instruction Fuzzy Hash: 5C41BE7194020AAFDF50DFA4C949AEEBFB4FF14318F20445AE805A3291EB749E84CB61

Function 004D225D Relevance: 7.8, APIs: 5, Instructions: 309COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 004D22EE
GetSysColor.USER32(0000000F), ref: 004D23C3
SetBkColor.GDI32(?,00000000), ref: 004D23D6

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: e517f1f3d29eea0e2abac41e83982ecc7ef006b46fce2a52513db8a40caa04a0
Instruction ID: 02552a34c76accac4399838a2441dfd12a28735add3dfd68cdb878b64044fab2
Opcode Fuzzy Hash: e517f1f3d29eea0e2abac41e83982ecc7ef006b46fce2a52513db8a40caa04a0
Instruction Fuzzy Hash: CC81D5F0204054BAF629663D8E79EBB2D5DFBA2300B14051BF542C7795CA9E8F46D23A

Function 00552163 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005539AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005539D7
Part of subcall function 005539AB: _wcslen.LIBCMT ref: 005539F8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005521BA
WSAGetLastError.WSOCK32 ref: 005521E1
bind.WSOCK32(00000000,?,00000010), ref: 00552238
WSAGetLastError.WSOCK32 ref: 00552243
closesocket.WSOCK32(00000000), ref: 00552272

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 85080ef4dae872062cf1915b5a342b3002f6730b61acdae3bdbeaefc4e75568f
Instruction ID: 5c9ba650f0d45dac5270328b128ba329c905d52bcbdb5cbcc93b275b7ffcfa7b
Opcode Fuzzy Hash: 85080ef4dae872062cf1915b5a342b3002f6730b61acdae3bdbeaefc4e75568f
Instruction Fuzzy Hash: 3151D375A002009FD710AF25C8AAF2A7BA5AB55718F14844EF9169F3D3C674ED41CBE1

Function 005625A0 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0056261F
IsWindowEnabled.USER32 ref: 0056262D
GetForegroundWindow.USER32(?,?,00000001,?), ref: 0056263A
IsIconic.USER32 ref: 00562648
IsZoomed.USER32 ref: 00562656

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 10468fa8da8ed4402f8cb36f515baeff93f0eff7f6af886624aa4ccf961fafb5
Instruction ID: 4cc0f16261965253f46d730f48318bc039ec7f2d140d93c7c678fdff89b03c63
Opcode Fuzzy Hash: 10468fa8da8ed4402f8cb36f515baeff93f0eff7f6af886624aa4ccf961fafb5
Instruction Fuzzy Hash: 4F21E2317006018FD7209F1AC858B5A7FA5FFA4324F19846DE88ACB351DB71EC42DBA0

Function 0053EBE5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0053EC19

Strings

DOWN, xrefs: 0053EBFE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 0aad69190bc8b67a0df32f3ecfd8bf60b978f6e52011b9e2debb9041a2bbb3cf
Instruction ID: ba9d5738eceb9e27a344361c4f814d07029e8e619cabe30b784c7b12fc1ad790
Opcode Fuzzy Hash: 0aad69190bc8b67a0df32f3ecfd8bf60b978f6e52011b9e2debb9041a2bbb3cf
Instruction Fuzzy Hash: A3E0862619D72638BD4421197C03DF707CCEF22734B51014BF801D51C0EE841D826078

Function 0055306E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0055309B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005531C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00553206
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00553216
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0055325D
GetClientRect.USER32(00000000,?), ref: 00553269
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005532B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005532C1
GetStockObject.GDI32(00000011), ref: 005532D1
SelectObject.GDI32(00000000,00000000), ref: 005532D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005532E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005532EE
DeleteDC.GDI32(00000000), ref: 005532F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00553323
SendMessageW.USER32(00000030,00000000,00000001), ref: 0055333A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0055337A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0055338E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0055339F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005533D4
GetStockObject.GDI32(00000011), ref: 005533DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005533EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005533F4

Strings

msctls_progress32, xrefs: 00553370
static, xrefs: 005532AC, 005533CE
AutoIt v3, xrefs: 00553255
DISPLAY, xrefs: 005532B7

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3fa5416c3364d6d35240a2d1808aabe87fff46b6fb73cf76080968db4778416d
Instruction ID: d0b60bc7a7b2bbaf51c8341bc28659c4dc6f301004b64ea1abddb8936d49c5e5
Opcode Fuzzy Hash: 3fa5416c3364d6d35240a2d1808aabe87fff46b6fb73cf76080968db4778416d
Instruction Fuzzy Hash: A4B180B1A00205AFEB14DF69CC5AFAE7BB9FB19710F00451AF915E7290C7B4AD04DBA4

Function 00560BA0 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00560C44
_wcslen.LIBCMT ref: 00560C7E
_wcslen.LIBCMT ref: 00560CE8
_wcslen.LIBCMT ref: 00560D50
_wcslen.LIBCMT ref: 00560DD4
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00560E24
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00560E63

Part of subcall function 004EFD60: _wcslen.LIBCMT ref: 004EFD6B

Part of subcall function 00532ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00532AE8
Part of subcall function 00532ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00532B1A

Strings

SELECTCLEAR, xrefs: 00560E8C
ISSELECTED, xrefs: 00560E3C
GETSUBITEMCOUNT, xrefs: 00560CE3, 00560CFE
GETITEMCOUNT, xrefs: 00560C75, 00560C96
VIEWCHANGE, xrefs: 00560FD4
GETSELECTEDCOUNT, xrefs: 00560DCF, 00560DEA
SELECTALL, xrefs: 00560E74
FINDITEM, xrefs: 00560F86
GETSELECTED, xrefs: 00560F40
DESELECT, xrefs: 00560EFB
SELECT, xrefs: 00560EA7
GETTEXT, xrefs: 00560D4B, 00560D66
SELECTINVERT, xrefs: 00560EDD

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b3a9e7d7eb00b56173dd6e711e212de918a25b30706765be2d853eb27886b9d7
Instruction ID: 361b616ff094d8260a8382551f2e5ec6a5c26c2b4943ad9d8c71842ef2755e40
Opcode Fuzzy Hash: b3a9e7d7eb00b56173dd6e711e212de918a25b30706765be2d853eb27886b9d7
Instruction Fuzzy Hash: A5E19D312046418FCB14EF29C85183BBBE6FF99318B148A5EF8969B3A1DB34ED45CB51

Function 004D24C3 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004D259A
GetSystemMetrics.USER32(00000007), ref: 004D25A2
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004D25CD
GetSystemMetrics.USER32(00000008), ref: 004D25D5
GetSystemMetrics.USER32(00000004), ref: 004D25FA
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004D2617
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004D2627
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004D265A
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004D266E
GetClientRect.USER32(00000000,000000FF), ref: 004D268C
GetStockObject.GDI32(00000011), ref: 004D26A8
SendMessageW.USER32(00000000,00000030,00000000), ref: 004D26B3

Part of subcall function 004D19CD: GetCursorPos.USER32(?), ref: 004D19E1
Part of subcall function 004D19CD: ScreenToClient.USER32(00000000,?), ref: 004D19FE
Part of subcall function 004D19CD: GetAsyncKeyState.USER32(00000001), ref: 004D1A23
Part of subcall function 004D19CD: GetAsyncKeyState.USER32(00000002), ref: 004D1A3D

SetTimer.USER32(00000000,00000000,00000028,004D199C), ref: 004D26DA

Strings

AutoIt v3 GUI, xrefs: 004D2652

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c052463dc6935530ed86a681d60a3e2034509446b477d07308e88f48db6cb558
Instruction ID: a241b6ec42fd1ca1bbf86c39fa288d7b66daa1cb26dbecb89ca8c44ec8b5562a
Opcode Fuzzy Hash: c052463dc6935530ed86a681d60a3e2034509446b477d07308e88f48db6cb558
Instruction Fuzzy Hash: E8B1CC71A0020AAFDB04DFA8CD65BEE3BB0FB58314F00422AFA05A7290D7B4D945DF65

Function 00568C9B Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00568CB9
_wcslen.LIBCMT ref: 00568CCD
_wcslen.LIBCMT ref: 00568CF0
_wcslen.LIBCMT ref: 00568D13
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00568D51
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00566551), ref: 00568DAD
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00568DE6
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00568E29
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00568E60
FreeLibrary.KERNEL32(?), ref: 00568E6C
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00568E7C
DestroyIcon.USER32(?,?,?,?,?,00566551), ref: 00568E8B
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00568EA8
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00568EB4

Strings

.icl, xrefs: 00568CC7
.dll, xrefs: 00568D0A
.exe, xrefs: 00568CE7
QeV, xrefs: 00568CA4, 00568EBA, 00568D64, 00568E3B, 00568DC2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$QeV
API String ID: 799131459-3279563497
Opcode ID: c21d14d90bafd7a8794341fff8ee9a4ee68a422a061bb20a062871dfef0fac57
Instruction ID: 7dd0c51b19839bdf196c3afaf89a2faf6bdb9ce6181fce93796dedb02c27ffce
Opcode Fuzzy Hash: c21d14d90bafd7a8794341fff8ee9a4ee68a422a061bb20a062871dfef0fac57
Instruction Fuzzy Hash: F761ADB1A00619BAEB149B64CC41BBE7BBCBB18714F10460AF915DB1D0DFB59D84DBA0

Function 0055CD16 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0055CE1C
RegCreateKeyExW.ADVAPI32(?,?,00000000,0056DCD0,00000000,?,00000000,?,?), ref: 0055CEA3
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0055CF03
_wcslen.LIBCMT ref: 0055CF53
_wcslen.LIBCMT ref: 0055CFCE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0055D011
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0055D120
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0055D1AC
RegCloseKey.ADVAPI32(?), ref: 0055D1E0
RegCloseKey.ADVAPI32(00000000), ref: 0055D1ED
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0055D2BF

Strings

REG_DWORD, xrefs: 0055D163
REG_SZ, xrefs: 0055CFA3
REG_QWORD, xrefs: 0055D222
REG_EXPAND_SZ, xrefs: 0055CF2C
REG_BINARY, xrefs: 0055D272
REG_MULTI_SZ, xrefs: 0055D054

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2d9ad276a758a4529bf6c88570536fd747a8100716d9342d70a7eced27a2ed65
Instruction ID: 97d97b360149d2882c38f4d9ac0bfd204c9151614df75d19a6998c5b1918e940
Opcode Fuzzy Hash: 2d9ad276a758a4529bf6c88570536fd747a8100716d9342d70a7eced27a2ed65
Instruction Fuzzy Hash: 70129C352046019FC714DF15C8A5A2ABBF5FF88318F04885EF88A9B3A2DB35ED45CB95

Function 005447D3 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00544852
_wcslen.LIBCMT ref: 0054485D
_wcslen.LIBCMT ref: 005448B4
_wcslen.LIBCMT ref: 005448F2
GetDriveTypeW.KERNEL32(?), ref: 00544930
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00544978
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005449B3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005449E1

Strings

open, xrefs: 005448AE, 005448B3
wait, xrefs: 0054499E
close cd wait, xrefs: 005449CC
closed, xrefs: 00544862, 00544887, 005448A0, 005448D8, 005448F1
close, xrefs: 00544858, 00544872
type cdaudio alias cd wait, xrefs: 0054495B
set cd door , xrefs: 00544982
open , xrefs: 0054493F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: fe7b3bf09c4959ac193c2e2212e4bb95ec96b6326ae511bc7df4faf063eb6a0f
Instruction ID: b89cc741cd7e777755e28f995ca46e5e45290a10b6667beb0e9c26b91555864e
Opcode Fuzzy Hash: fe7b3bf09c4959ac193c2e2212e4bb95ec96b6326ae511bc7df4faf063eb6a0f
Instruction Fuzzy Hash: 9271D0326442069FC710EF25C890AABBBE5FFA8758F00492EF89697351EB34DD45CB91

Function 005362AA Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005362BD
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005362CF
SetWindowTextW.USER32(?,?), ref: 005362E6
GetDlgItem.USER32(?,000003EA), ref: 005362FB
SetWindowTextW.USER32(00000000,?), ref: 00536301
GetDlgItem.USER32(?,000003E9), ref: 00536311
SetWindowTextW.USER32(00000000,?), ref: 00536317
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00536338
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00536352
GetWindowRect.USER32(?,?), ref: 0053635B
_wcslen.LIBCMT ref: 005363C2
SetWindowTextW.USER32(?,?), ref: 005363FE
GetDesktopWindow.USER32 ref: 00536404
GetWindowRect.USER32(00000000), ref: 0053640B
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00536462
GetClientRect.USER32(?,?), ref: 0053646F
PostMessageW.USER32(?,00000005,00000000,?), ref: 00536494
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005364BE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 2e58733c49ddb4c51309eafc4b51271386a27b23d4c061bcc4e806b1e60eb996
Instruction ID: 8526eb497e30dd333fca2aac1dd76f81b46c93623088c41943b0cc65f04b1bdf
Opcode Fuzzy Hash: 2e58733c49ddb4c51309eafc4b51271386a27b23d4c061bcc4e806b1e60eb996
Instruction Fuzzy Hash: 57716C31A00705AFDB20DFA8CE85AAEBBF5FF48705F10491CE546A71A0D7B5E944DB60

Function 0055076B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00550784
LoadCursorW.USER32(00000000,00007F8A), ref: 0055078F
LoadCursorW.USER32(00000000,00007F00), ref: 0055079A
LoadCursorW.USER32(00000000,00007F03), ref: 005507A5
LoadCursorW.USER32(00000000,00007F8B), ref: 005507B0
LoadCursorW.USER32(00000000,00007F01), ref: 005507BB
LoadCursorW.USER32(00000000,00007F81), ref: 005507C6
LoadCursorW.USER32(00000000,00007F88), ref: 005507D1
LoadCursorW.USER32(00000000,00007F80), ref: 005507DC
LoadCursorW.USER32(00000000,00007F86), ref: 005507E7
LoadCursorW.USER32(00000000,00007F83), ref: 005507F2
LoadCursorW.USER32(00000000,00007F85), ref: 005507FD
LoadCursorW.USER32(00000000,00007F82), ref: 00550808
LoadCursorW.USER32(00000000,00007F84), ref: 00550813
LoadCursorW.USER32(00000000,00007F04), ref: 0055081E
LoadCursorW.USER32(00000000,00007F02), ref: 00550829
GetCursorInfo.USER32(?), ref: 00550839
GetLastError.KERNEL32 ref: 0055087B

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 59841a408bd8988cca1750a152bb408177093a6a3cc72208ff483a452e2bf2ed
Instruction ID: 59375a7fec0998cd28ad2a22a5d13334692c9d1692e627b960ba0317b118c15b
Opcode Fuzzy Hash: 59841a408bd8988cca1750a152bb408177093a6a3cc72208ff483a452e2bf2ed
Instruction Fuzzy Hash: 6E414570E083196ADB10DFBA8C89C5EBFE8FF04754B50452AE51CEB291DA78E905CF91

Function 004F0456 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004F0456

Part of subcall function 004F047D: InitializeCriticalSectionAndSpinCount.KERNEL32(005A170C,00000FA0,2AE8C1DE,?,?,?,?,00512753,000000FF), ref: 004F04AC
Part of subcall function 004F047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00512753,000000FF), ref: 004F04B7
Part of subcall function 004F047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00512753,000000FF), ref: 004F04C8
Part of subcall function 004F047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004F04DE
Part of subcall function 004F047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004F04EC
Part of subcall function 004F047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004F04FA
Part of subcall function 004F047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004F0525
Part of subcall function 004F047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004F0530

___scrt_fastfail.LIBCMT ref: 004F0477

Part of subcall function 004F0433: __onexit.LIBCMT ref: 004F0439

Strings

WakeAllConditionVariable, xrefs: 004F04F2
InitializeConditionVariable, xrefs: 004F04D8
SleepConditionVariableCS, xrefs: 004F04E4
kernel32.dll, xrefs: 004F04C3
api-ms-win-core-synch-l1-2-0.dll, xrefs: 004F04B2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 57e38bd6be8028e6d758d53985ae5b823f1854d59972d45700f8bd5847c94a7d
Instruction ID: bfb81c04fded0507ab03b027bc5a2b951c2a6389a0d0d866bf344720a101342a
Opcode Fuzzy Hash: 57e38bd6be8028e6d758d53985ae5b823f1854d59972d45700f8bd5847c94a7d
Instruction Fuzzy Hash: 05212C32B40714BBD7106BA9AC05B3A37E5EB95BA5F00551BFA05973C1DFF88C04DA68

Function 00544E1A Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0056DCD0), ref: 00544E81
_wcslen.LIBCMT ref: 00544E95
_wcslen.LIBCMT ref: 00544EF3
_wcslen.LIBCMT ref: 00544F4E
_wcslen.LIBCMT ref: 00544F99
_wcslen.LIBCMT ref: 00545001

Part of subcall function 004EFD60: _wcslen.LIBCMT ref: 004EFD6B

GetDriveTypeW.KERNEL32(?,00597C10,00000061), ref: 0054509D

Strings

removable, xrefs: 00544F44, 00544F49
network, xrefs: 00544FF7, 00544FFC
all, xrefs: 00544E8B, 00544E90
fixed, xrefs: 00544F8F, 00544F94
cdrom, xrefs: 00544EE9, 00544EEE
unknown, xrefs: 00545062
ramdisk, xrefs: 0054504B

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 255feb5aa91e64383695e45ac169f7410c47ee47267bfa8e0a37501e8d25ffdd
Instruction ID: de5104842d55254e2ac4e1f9d8f27845f294e866e5a8ee8741e3d4e028097f9b
Opcode Fuzzy Hash: 255feb5aa91e64383695e45ac169f7410c47ee47267bfa8e0a37501e8d25ffdd
Instruction Fuzzy Hash: 1CB1E5356083029FC710DF29C894ABABBE5BFA4718F50491EF59687392EB34D845CB92

Function 00554946 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0056DCD0), ref: 00554A18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00554A2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0056DCD0), ref: 00554A4F
FreeLibrary.KERNEL32(00000000,?,0056DCD0), ref: 00554A9B
StringFromGUID2.OLE32(?,?,00000028,?,0056DCD0), ref: 00554B05
SysFreeString.OLEAUT32(00000009), ref: 00554BBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00554C25
SysFreeString.OLEAUT32(?), ref: 00554C4F

Strings

GetModuleHandleExW, xrefs: 00554A24
kernel32.dll, xrefs: 00554A13

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 84536dfaa563c26207e6772d76e12fd0d9933899b4baf5b89743f94af7e7686d
Instruction ID: 02392e669e895cea245f566b811a893fd96b4a278bc82d233a80a31bf3c4e8a5
Opcode Fuzzy Hash: 84536dfaa563c26207e6772d76e12fd0d9933899b4baf5b89743f94af7e7686d
Instruction Fuzzy Hash: C4127D71A00105EFCB14CF94C898EAEBBB9FF45319F148099E905AB251D771ED8ACFA0

Function 0054CDD3 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0054CE0D
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0054CE20
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0054CE34
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0054CE4D
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0054CE90
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0054CEA6
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0054CEB1
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0054CEE1
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0054CF39
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0054CF4D
InternetCloseHandle.WININET(00000000), ref: 0054CF58

Strings

, xrefs: 0054CED2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 7fc97b5aa97b66246a2a23095d46079cad76bf0d5477ddbe46773e0a269d9c53
Instruction ID: 0f8e20cc979245d056305430ce063722c165d741972db8d7a197b555627c80b7
Opcode Fuzzy Hash: 7fc97b5aa97b66246a2a23095d46079cad76bf0d5477ddbe46773e0a269d9c53
Instruction Fuzzy Hash: 83518D70601208BFDB619F64CC88AAA7FFDFF58748F004819F94597210D778D908ABA0

Function 00568ECE Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00568EF1
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00568F01
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00568F0C
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00568F19
GlobalLock.KERNEL32(00000000), ref: 00568F27
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00568F36
GlobalUnlock.KERNEL32(00000000), ref: 00568F3F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00568F46
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00568F57
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00570C04,?), ref: 00568F70
GlobalFree.KERNEL32(00000000), ref: 00568F80
GetObjectW.GDI32(?,00000018,?), ref: 00568FA0
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00568FD0
DeleteObject.GDI32(?), ref: 00568FF8
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0056900E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4ba8ab91a9f8df319b76c388e100e37b3bbe030cc6ed7af5c47671c1fe40af2b
Instruction ID: 34430c866451828663753d61ab9e8bc8030ec23e681cb51a14bf12434bc1dfbc
Opcode Fuzzy Hash: 4ba8ab91a9f8df319b76c388e100e37b3bbe030cc6ed7af5c47671c1fe40af2b
Instruction Fuzzy Hash: 93412875A00204AFDB21DF69CC88EAABBB9FF99711F104558F906D7260DBB0AD45DB20

Function 00552EB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00552F35
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00552F45
CreateCompatibleDC.GDI32(?), ref: 00552F51
SelectObject.GDI32(00000000,?), ref: 00552F5E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00552FCA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00553009
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0055302D
SelectObject.GDI32(?,?), ref: 00553035
DeleteObject.GDI32(?), ref: 0055303E
DeleteDC.GDI32(?), ref: 00553045
ReleaseDC.USER32(00000000,?), ref: 00553050

Strings

(, xrefs: 00552FEA

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 989085663031aa7f67aff52b3e3c661c48ff49bda2e411538be0047703b1db4f
Instruction ID: 751dfb692747322c20cb9e2f357006bc7338fb6cbb540396de90e6ce36e4c68a
Opcode Fuzzy Hash: 989085663031aa7f67aff52b3e3c661c48ff49bda2e411538be0047703b1db4f
Instruction Fuzzy Hash: 9C610571E00219EFCF14CFA8D885AAEBBB5FF48310F20851AE955A7250D771A945DF60

Function 0053C80C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005A2990,000000FF,00000000,00000030), ref: 0053C888
SetMenuItemInfoW.USER32(005A2990,00000004,00000000,00000030), ref: 0053C8BD
Sleep.KERNEL32(000001F4), ref: 0053C8CF
GetMenuItemCount.USER32(?), ref: 0053C915
GetMenuItemID.USER32(?,00000000), ref: 0053C932
GetMenuItemID.USER32(?,-00000001), ref: 0053C95E
GetMenuItemID.USER32(?,?), ref: 0053C9A5
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0053C9EB
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0053CA00
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0053CA21

Strings

0, xrefs: 0053C819

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 42e03803a12ca1b0d3ae6996a6a65a98f5986768331445becafea3b3113ea9d8
Instruction ID: 2c038671d54660fd6c9815684e27fd7b69dc61489a6c691dac3840e59e763bd8
Opcode Fuzzy Hash: 42e03803a12ca1b0d3ae6996a6a65a98f5986768331445becafea3b3113ea9d8
Instruction Fuzzy Hash: 91617B71A0024AAFDF11CF68C888ABEBFB8FB55308F004559E842B3291D774AD45DB60

Function 0053E3D7 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0053E3E9
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0053E40F
_wcslen.LIBCMT ref: 0053E419
_wcsstr.LIBVCRUNTIME ref: 0053E469
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0053E485

Strings

\VarFileInfo\Translation, xrefs: 0053E47D
04090000, xrefs: 0053E4BB
DefaultLangCodepage, xrefs: 0053E4E8
%u.%u.%u.%u, xrefs: 0053E563
StringFileInfo\, xrefs: 0053E458

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 40e1227a3c1bcdab289d21fb4318061a702ae8101ee008e5414fd68efef59d21
Instruction ID: 849438037965f1a7498562002963d98982e34ffcc99a7c2de957e69539054649
Opcode Fuzzy Hash: 40e1227a3c1bcdab289d21fb4318061a702ae8101ee008e5414fd68efef59d21
Instruction Fuzzy Hash: 99410E72A4020C7AEB05A7658D47FBF3BBCEF59714F00045BFA00A71C2EB78990196B9

Function 00544678 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0054469A
_wcslen.LIBCMT ref: 005446C7
CreateDirectoryW.KERNEL32(?,00000000), ref: 005446F7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00544718
RemoveDirectoryW.KERNEL32(?), ref: 00544728
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005447AF
CloseHandle.KERNEL32(00000000), ref: 005447BA
CloseHandle.KERNEL32(00000000), ref: 005447C5

Strings

:, xrefs: 005446DC
\??\%s, xrefs: 005446B5
\, xrefs: 005446D1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 9624b863a8a6632f0372a72229b229f7acf173a0e7ad8e74ce27fa383c8e6db3
Instruction ID: 8267f05c39c736c82518f4e62be0a9ac8760d5199bc9f76bb8fdf7c35cfb69f8
Opcode Fuzzy Hash: 9624b863a8a6632f0372a72229b229f7acf173a0e7ad8e74ce27fa383c8e6db3
Instruction Fuzzy Hash: 5831E375A40249ABDB209F64DC44FEB37BCFF89744F1000AAF605D2160EBB496858F34

Function 0053EEDC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0053EEE0

Part of subcall function 004EF27E: timeGetTime.WINMM(?,?,0053EF00), ref: 004EF282

Sleep.KERNEL32(0000000A), ref: 0053EF0D
EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 0053EF31
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0053EF53
SetActiveWindow.USER32 ref: 0053EF72
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0053EF80
SendMessageW.USER32(00000010,00000000,00000000), ref: 0053EF9F
Sleep.KERNEL32(000000FA), ref: 0053EFAA
IsWindow.USER32 ref: 0053EFB6
EndDialog.USER32(00000000), ref: 0053EFC7

Strings

BUTTON, xrefs: 0053EF45

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4590a0994149312a1b173e63f41e47df24a322b850832144a4e77df58a15e373
Instruction ID: ecfcb0c186c363c9313eb8d89051d629165e137ac2af5bc4635b82122b0958ab
Opcode Fuzzy Hash: 4590a0994149312a1b173e63f41e47df24a322b850832144a4e77df58a15e373
Instruction Fuzzy Hash: 25215074640205BFEF016F64EC8AA267FEAFB66748F100815F511932A1CBF59D08BA75

Function 0053A86D Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0053A8EE
SetKeyboardState.USER32(?), ref: 0053A959
GetAsyncKeyState.USER32(000000A0), ref: 0053A979
GetKeyState.USER32(000000A0), ref: 0053A990
GetAsyncKeyState.USER32(000000A1), ref: 0053A9BF
GetKeyState.USER32(000000A1), ref: 0053A9D0
GetAsyncKeyState.USER32(00000011), ref: 0053A9FC
GetKeyState.USER32(00000011), ref: 0053AA0A
GetAsyncKeyState.USER32(00000012), ref: 0053AA33
GetKeyState.USER32(00000012), ref: 0053AA41
GetAsyncKeyState.USER32(0000005B), ref: 0053AA6A
GetKeyState.USER32(0000005B), ref: 0053AA78

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cf250539504854160f922cf63171a0d921e4c775af0a641b3a7037a05eb259a3
Instruction ID: b388117765e2a6a063446793f65454c4f86177ba695aaeebc3f8dfb08f8976c7
Opcode Fuzzy Hash: cf250539504854160f922cf63171a0d921e4c775af0a641b3a7037a05eb259a3
Instruction Fuzzy Hash: EF51E731A0478969FB35EBB089157EAFFB4AF12340F48859EC5C25B1C3DA549A4CCB63

Function 00536555 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00536571
GetWindowRect.USER32(00000000,?), ref: 0053658A
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005365E8
GetDlgItem.USER32(?,00000002), ref: 005365F8
GetWindowRect.USER32(00000000,?), ref: 0053660A
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 0053665E
GetDlgItem.USER32(?,000003E9), ref: 0053666C
GetWindowRect.USER32(00000000,?), ref: 0053667E
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005366C0
GetDlgItem.USER32(?,000003EA), ref: 005366D3
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005366E9
InvalidateRect.USER32(?,00000000,00000001), ref: 005366F6

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5c9ab882e35d48e6c5ab2b4367fb93d28f9d9b10491699d0c89b5b306b54ac13
Instruction ID: c4cf617d60786cfdc2378ed1cab5c7430eebc4ad5922174895bb37dcba419ac5
Opcode Fuzzy Hash: 5c9ab882e35d48e6c5ab2b4367fb93d28f9d9b10491699d0c89b5b306b54ac13
Instruction Fuzzy Hash: 5F510CB1F00205AFDB18CF69DD99AAEBBB5FB58300F10852DF919E7290D7B09D048B60

Function 004D20D8 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004D21E4: GetWindowLongW.USER32(?,000000EB), ref: 004D21F2

GetSysColor.USER32(0000000F), ref: 004D2102

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6c8bda557b471614c7fb4df279f72b1235d0fe21950ef46312e9b717034d7b20
Instruction ID: 45468132f40a46c948d6f71fbb5f18f80be62e538caff6260e31fd5d7cb78b36
Opcode Fuzzy Hash: 6c8bda557b471614c7fb4df279f72b1235d0fe21950ef46312e9b717034d7b20
Instruction Fuzzy Hash: 7D41B331600650AFDB205F38DC54BBE3B75AB62721F148617FAA2873E1C7B58D42DB25

Function 00530F6E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00531032
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0053104E
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0053106A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00531094
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005310BC
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005310C7
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005310CC

Strings

SOFTWARE\Classes\, xrefs: 00530F9E
\CLSID, xrefs: 00530FB4
\IPC$, xrefs: 00531014

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 48ee8fc280dd80fa3b92ee7a560245229067ee9824cc4a5ef6f4457d40faed70
Instruction ID: 78fbb06c57012c237f5b10fc3df221efe6e266953f8c2d15c903f6ae8b33276b
Opcode Fuzzy Hash: 48ee8fc280dd80fa3b92ee7a560245229067ee9824cc4a5ef6f4457d40faed70
Instruction Fuzzy Hash: 7C412C72D10229ABCF11EBA5DC959EDBBB8FF14314F01442AF901A7260EB749D48CBA4

Function 005648F7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0056499A
CreateCompatibleDC.GDI32(00000000), ref: 005649A1
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005649B4
SelectObject.GDI32(00000000,00000000), ref: 005649BC
GetPixel.GDI32(00000000,00000000,00000000), ref: 005649C7
DeleteDC.GDI32(00000000), ref: 005649D1
GetWindowLongW.USER32(?,000000EC), ref: 005649DB
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 005649F1
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 005649FD

Strings

static, xrefs: 00564932

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0ce2be16fa818b10ad9243c34667805bb710a745cb39a5e0afbac908270ddc94
Instruction ID: 5bad97d10bc70890c22fe1e88132e47a663463578f6db6849b60933fd8e3c9f3
Opcode Fuzzy Hash: 0ce2be16fa818b10ad9243c34667805bb710a745cb39a5e0afbac908270ddc94
Instruction Fuzzy Hash: 94315A32640219ABDF119FA8CC09FEA3FA9FF19724F100611FA55A71A0D7B5D814EBA4

Function 0055458D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005545B9
CoInitialize.OLE32(00000000), ref: 005545E7
CoUninitialize.OLE32 ref: 005545F1
_wcslen.LIBCMT ref: 0055468A
GetRunningObjectTable.OLE32(00000000,?), ref: 0055470E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00554832
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0055486B
CoGetObject.OLE32(?,00000000,00570B64,?), ref: 0055488A
SetErrorMode.KERNEL32(00000000), ref: 0055489D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00554921
VariantClear.OLEAUT32(?), ref: 00554935

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 213f859873d5bd3e155d0efe7e6306f90178cec7ef66d4873b433977b7d8612e
Instruction ID: 95475d5bd0d092c11e663369b1a303524acd0617fd876bd556b17aa3dd1629f8
Opcode Fuzzy Hash: 213f859873d5bd3e155d0efe7e6306f90178cec7ef66d4873b433977b7d8612e
Instruction Fuzzy Hash: FBC146B1604305AFC700DF68C89492BBBE9FF89749F14491EF9899B250DB70ED4ACB52

Function 005483F0 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0054844D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005484E9
SHGetDesktopFolder.SHELL32(?), ref: 005484FD
CoCreateInstance.OLE32(00570CD4,00000000,00000001,00597E8C,?), ref: 00548549
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005485CE
CoTaskMemFree.OLE32(?,?), ref: 00548626
SHBrowseForFolderW.SHELL32(?), ref: 005486B1
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005486D4
CoTaskMemFree.OLE32(00000000), ref: 005486DB
CoTaskMemFree.OLE32(00000000), ref: 00548730
CoUninitialize.OLE32 ref: 00548736

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f3cb90fff9ae3178a80914bfee9696b8aea5959f6b3aef890aebc9ee946f7283
Instruction ID: 761c250df0595e4a0c4dbec18f98d1852fdf0718a40bec21bcc8e2c1404d91ef
Opcode Fuzzy Hash: f3cb90fff9ae3178a80914bfee9696b8aea5959f6b3aef890aebc9ee946f7283
Instruction Fuzzy Hash: F2C12B75A00109AFCB14DFA4C898DAEBBF9FF48308B158499E419EB361CB31ED45CB50

Function 00530318 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0053033F
SafeArrayAllocData.OLEAUT32(?), ref: 00530398
VariantInit.OLEAUT32(?), ref: 005303AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 005303CA
VariantCopy.OLEAUT32(?,?), ref: 0053041D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00530431
VariantClear.OLEAUT32(?), ref: 00530446
SafeArrayDestroyData.OLEAUT32(?), ref: 00530453
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0053045C
VariantClear.OLEAUT32(?), ref: 0053046E
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00530479

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: aabcf9ecb866552fca3926cda9beee71832e50d2fa42aebbcadb15c3aa113af0
Instruction ID: ec44e1b86c4ab5d6ef065b575e601a6164c331f98f087f23b777bbc420d2e18d
Opcode Fuzzy Hash: aabcf9ecb866552fca3926cda9beee71832e50d2fa42aebbcadb15c3aa113af0
Instruction Fuzzy Hash: E4418034E002199FCF00DF69C8589AEBFB9FF58345F008429E955A7261CBB0EE45DBA0

Function 0056A8E5 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D2441: GetWindowLongW.USER32(00000000,000000EB), ref: 004D2452

GetSystemMetrics.USER32(0000000F), ref: 0056A926
GetSystemMetrics.USER32(0000000F), ref: 0056A946
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0056AB83
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0056ABA1
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0056ABC2
ShowWindow.USER32(00000003,00000000), ref: 0056ABE1
InvalidateRect.USER32(?,00000000,00000001), ref: 0056AC06
DefDlgProcW.USER32(?,00000005,?,?), ref: 0056AC29

Strings

, xrefs: 0056AB37

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-3916222277
Opcode ID: 88e8346188e56286f2392215885772d95c3a9d103f06ce4c3846bde3d6b7e3e7
Instruction ID: d7af46af8b9b456e754a89b853586c4ec3e99e095d460989aa65d574a14b7b88
Opcode Fuzzy Hash: 88e8346188e56286f2392215885772d95c3a9d103f06ce4c3846bde3d6b7e3e7
Instruction Fuzzy Hash: 6EB189316002199FDF14CF68C9857AE7BB2FF84701F18806AED45AB2A5D770A984CF62

Function 00550EB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00550F19
inet_addr.WSOCK32(?), ref: 00550F79
gethostbyname.WSOCK32(?), ref: 00550F85
IcmpCreateFile.IPHLPAPI ref: 00550F93
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00551023
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00551042
IcmpCloseHandle.IPHLPAPI(?), ref: 00551116
WSACleanup.WSOCK32 ref: 0055111C

Strings

Ping, xrefs: 00550FD3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 12496b79662b3d7f5e1d2d69af2ec1c304ef077c5479d463f87066560f0fcf1e
Instruction ID: b7ff5dc1947516ea5e977671743204b5a14d01eb89651ea07134901c07026443
Opcode Fuzzy Hash: 12496b79662b3d7f5e1d2d69af2ec1c304ef077c5479d463f87066560f0fcf1e
Instruction Fuzzy Hash: 3D91D0316046419FD320DF15C899B16BFE0FF44318F14899AF8698B7A2C775EC89CB91

Function 00548AEF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00548BB1
SystemTimeToFileTime.KERNEL32(?,?), ref: 00548BC1
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00548BCD
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00548C6A
SetCurrentDirectoryW.KERNEL32(?), ref: 00548C7E
SetCurrentDirectoryW.KERNEL32(?), ref: 00548CB0
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00548CE6
SetCurrentDirectoryW.KERNEL32(?), ref: 00548CEF

Strings

*.*, xrefs: 00548CF5

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 60f1027da4cb376c5db0f2c5e55ee7c39a6c3c3409a8e10c38f89d6b3215445a
Instruction ID: 290c2a1b2e6005d5b9e09da2680db8f6b94f77bf584da58fbfc1f08254f7538a
Opcode Fuzzy Hash: 60f1027da4cb376c5db0f2c5e55ee7c39a6c3c3409a8e10c38f89d6b3215445a
Instruction Fuzzy Hash: 81616AB26043059FC710EF21C8959AEB7E8FF99318F04881EF98987251DB35E945CB96

Function 005645A5 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005645D8
SetMenu.USER32(?,00000000), ref: 005645E7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0056466F
IsMenu.USER32(?), ref: 00564683
CreatePopupMenu.USER32 ref: 0056468D
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005646BA
DrawMenuBar.USER32 ref: 005646C2

Strings

F, xrefs: 005646AD
0, xrefs: 005645B3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 6c7e130dc4f44947cf813904518bdf65dd534357ffee8661f72cec276f1c561f
Instruction ID: ba2517f1634e92a46324baf376d34ed862853285c35b1a8fcc35d20073a967dc
Opcode Fuzzy Hash: 6c7e130dc4f44947cf813904518bdf65dd534357ffee8661f72cec276f1c561f
Instruction Fuzzy Hash: 5241A974A01209EFDF14CF68D894AEA7BB5FF1A314F040429FA46A7360C770A924DF60

Function 0053276F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005327F4
GetDlgCtrlID.USER32 ref: 005327FF
GetParent.USER32 ref: 0053281B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0053281E
GetDlgCtrlID.USER32(?), ref: 00532827
GetParent.USER32(?), ref: 0053283B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0053283E

Strings

ComboBox, xrefs: 0053277C
ListBox, xrefs: 005327B1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c11924c91591f6e1dfc52defd7e04dfe3d91c971521bbaa5866e593b0cecfbc0
Instruction ID: 7a305c804dbc34d4024e66e98279788838483d183066a3443b57b7a2b957a684
Opcode Fuzzy Hash: c11924c91591f6e1dfc52defd7e04dfe3d91c971521bbaa5866e593b0cecfbc0
Instruction Fuzzy Hash: DC21D370E00114FBCF00ABA4DC95AEEBFB5FF15310F004556F951932A1CB785808DB60

Function 00532850 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 005328D3
GetDlgCtrlID.USER32 ref: 005328DE
GetParent.USER32 ref: 005328FA
SendMessageW.USER32(00000000,?,00000111,?), ref: 005328FD
GetDlgCtrlID.USER32(?), ref: 00532906
GetParent.USER32(?), ref: 0053291A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0053291D

Strings

ComboBox, xrefs: 0053285D
ListBox, xrefs: 00532892

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: dde0cbea3a55a2c352e9a1c1468e92fb96aa4eb2464e4d22152562fd1d0e11c2
Instruction ID: 84ba2a83e9b4a1ff23b5314efc123294aedbfeae5e0a75035c37b5ebaaaa0352
Opcode Fuzzy Hash: dde0cbea3a55a2c352e9a1c1468e92fb96aa4eb2464e4d22152562fd1d0e11c2
Instruction Fuzzy Hash: 9521BE75E00218BBCF11ABA4DC89AEEBFB9FF14300F004556F951A32A5DB785848DB60

Function 00564382 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005643FC
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005643FF
GetWindowLongW.USER32(?,000000F0), ref: 00564426
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00564449
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005644C1
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 0056450B
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00564526
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00564541
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00564555
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00564572

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 18cc8cd1b83c15af3e3eb7f6a2e50822d5507c8dfaf64c5399bdc1b07e052e00
Instruction ID: 544311c3fc27014a2c9915337993c3446d955f9642caf0dd879943dbd6d40194
Opcode Fuzzy Hash: 18cc8cd1b83c15af3e3eb7f6a2e50822d5507c8dfaf64c5399bdc1b07e052e00
Instruction Fuzzy Hash: D4618A75A00208AFDB11CFA8CC81EEE7BB8FF59710F104169FA15A72A1C774AA85DF50

Function 0054CBB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0054CBCF
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0054CBF7
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0054CC27
GetLastError.KERNEL32 ref: 0054CC7F
SetEvent.KERNEL32(?), ref: 0054CC93
InternetCloseHandle.WININET(00000000), ref: 0054CC9E

Strings

, xrefs: 0054CC18

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 14f2b5d40131f6392ee26a9430c31bfb84137224e7b8b281f4d0c68b95178028
Instruction ID: dd61ec1e0c6b54c9db5d3361594504777f492f22a94bdee17557b0bd2a58aae1
Opcode Fuzzy Hash: 14f2b5d40131f6392ee26a9430c31bfb84137224e7b8b281f4d0c68b95178028
Instruction Fuzzy Hash: 9D318BB1A01205AFD7619F65CD88AAB7FFCFB99748B10091EE45AD7200DB34DD089B71

Function 0053A12A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00515437,?,?,Bad directive syntax error,0056DCD0,00000000,00000010,?,?), ref: 0053A14B
LoadStringW.USER32(00000000,?,00515437,?), ref: 0053A152

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0053A216

Strings

., xrefs: 0053A1FC
Line %d (File "%s"):, xrefs: 0053A1BC
Line %d:, xrefs: 0053A1A1
%s (%d) : ==> %s.: %s %s, xrefs: 0053A180
Error: , xrefs: 0053A1E4

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 9f8ef2aa637c028442078af44758239bfe5335882b1abaa55a2ab28e28749992
Instruction ID: 871f4ba85bbbca0a30f39b7dd51f35af5b82b042d748d6638c26c9f3d9d85be3
Opcode Fuzzy Hash: 9f8ef2aa637c028442078af44758239bfe5335882b1abaa55a2ab28e28749992
Instruction Fuzzy Hash: 73219E3290021EEBCF01AF90CC1AEEE7B75BF18308F04485BF515661A2DB75AA58DB51

Function 0053292F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0053293B
GetClassNameW.USER32(00000000,?,00000100), ref: 00532950
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005329DD

Strings

SHELLDLL_DefView, xrefs: 0053295C
details, xrefs: 0053298B
list, xrefs: 005329BF
smallicons, xrefs: 005329A5
largeicons, xrefs: 00532971

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5b9d31a2cde4f1e32a81957a4a49b645a6e63906dd616682724cc590c8203d8c
Instruction ID: 694b54cb262268c646deb7366e7378d922f07d8355519284027bdd121fe403fe
Opcode Fuzzy Hash: 5b9d31a2cde4f1e32a81957a4a49b645a6e63906dd616682724cc590c8203d8c
Instruction Fuzzy Hash: 9311A37764470ABAFA002625EC07EF67FEDAF15724F200117FA00E50D1FFA558855554

Function 0054CAA0 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0054CADF
GetLastError.KERNEL32 ref: 0054CAF2
SetEvent.KERNEL32(?), ref: 0054CB06

Part of subcall function 0054CBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0054CBCF
Part of subcall function 0054CBB0: GetLastError.KERNEL32 ref: 0054CC7F
Part of subcall function 0054CBB0: SetEvent.KERNEL32(?), ref: 0054CC93
Part of subcall function 0054CBB0: InternetCloseHandle.WININET(00000000), ref: 0054CC9E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e8f28047f40e56ecf1eaba8ba3224e6ecdd3001c242b93f8db6e248da2f6427b
Instruction ID: 5036f754fff794dc5425a6b1c7059e2b740d49eff04330726428dcda7ef08bc0
Opcode Fuzzy Hash: e8f28047f40e56ecf1eaba8ba3224e6ecdd3001c242b93f8db6e248da2f6427b
Instruction Fuzzy Hash: 6D31AC71602705AFDB619F65CD49AB6BFF8FF98308B40481DF85687610D771E814ABA0

Function 00532E32 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005342CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005342E6
Part of subcall function 005342CC: GetCurrentThreadId.KERNEL32 ref: 005342ED
Part of subcall function 005342CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00532E43), ref: 005342F4

MapVirtualKeyW.USER32(00000025,00000000), ref: 00532E4D
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00532E6B
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00532E6F
MapVirtualKeyW.USER32(00000025,00000000), ref: 00532E79
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00532E91
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00532E95
MapVirtualKeyW.USER32(00000025,00000000), ref: 00532E9F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00532EB3
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00532EB7

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5ab77b6a973083fcbec0f94561f315ca7d37119dfdbd7c0fafb1bc8ebd90a42a
Instruction ID: 875d959da563f991624c67770a5a24a03767b2a9272f9b6e1b2f494574a6fa28
Opcode Fuzzy Hash: 5ab77b6a973083fcbec0f94561f315ca7d37119dfdbd7c0fafb1bc8ebd90a42a
Instruction Fuzzy Hash: 2901B5317806157BFB106769DC8AF563F69EB9AB11F100401F318AF1E0C9F12444DA79

Function 00532093 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00531CD9,?,?,00000000), ref: 0053209C
HeapAlloc.KERNEL32(00000000,?,00531CD9,?,?,00000000), ref: 005320A3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00531CD9,?,?,00000000), ref: 005320B8
GetCurrentProcess.KERNEL32(?,00000000,?,00531CD9,?,?,00000000), ref: 005320C0
DuplicateHandle.KERNEL32(00000000,?,00531CD9,?,?,00000000), ref: 005320C3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00531CD9,?,?,00000000), ref: 005320D3
GetCurrentProcess.KERNEL32(00531CD9,00000000,?,00531CD9,?,?,00000000), ref: 005320DB
DuplicateHandle.KERNEL32(00000000,?,00531CD9,?,?,00000000), ref: 005320DE
CreateThread.KERNEL32(00000000,00000000,00532104,00000000,00000000,00000000), ref: 005320F8

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 235689befc8edd547d2328f281436def90fd7b04b9949dd6c38eba5346e11a39
Instruction ID: a0412183c176238f577018dcb7975ee29e9d6b863ff55aee44a104759f31e20f
Opcode Fuzzy Hash: 235689befc8edd547d2328f281436def90fd7b04b9949dd6c38eba5346e11a39
Instruction Fuzzy Hash: 3401BBB5740348BFE710ABA9DC4DF6B3BACEB99711F004811FA05DB2A1CAB19844DB31

Function 0055AA41 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0053DC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 0053DCC1
Part of subcall function 0053DC9C: Process32FirstW.KERNEL32(00000000,?), ref: 0053DCCF
Part of subcall function 0053DC9C: CloseHandle.KERNELBASE(00000000), ref: 0053DD9C

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0055AACC
GetLastError.KERNEL32 ref: 0055AADF
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0055AB12
TerminateProcess.KERNEL32(00000000,00000000), ref: 0055ABC7
GetLastError.KERNEL32(00000000), ref: 0055ABD2
CloseHandle.KERNEL32(00000000), ref: 0055AC23

Strings

SeDebugPrivilege, xrefs: 0055AAEE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1ce789078fad6a6cabc8c64dc8792346a751240124a71570027cd7664cd7341e
Instruction ID: 62151ad57ed1069bacdd8e7921e4bb28abbc65dddb756f470522cf1674eaf686
Opcode Fuzzy Hash: 1ce789078fad6a6cabc8c64dc8792346a751240124a71570027cd7664cd7341e
Instruction Fuzzy Hash: C3618E302042429FD710DF19C4A8F16BBE1BF54319F14899EE8664F7A2C7B5ED49CB92

Function 005641E5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00564284
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00564299
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005642B3
_wcslen.LIBCMT ref: 005642F8
SendMessageW.USER32(?,00001057,00000000,?), ref: 00564325
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00564353

Strings

SysListView32, xrefs: 00564256

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: be481df06ea34821d35479e44afbd768b97dca919fe97129484f3e6b3f7fdc15
Instruction ID: c63aefaaab74ccf7a459c2a3e4cf6aa96b36e8ec54a7cb873bbc33cc9bce52d8
Opcode Fuzzy Hash: be481df06ea34821d35479e44afbd768b97dca919fe97129484f3e6b3f7fdc15
Instruction Fuzzy Hash: 2341BF31A00309ABDF219F64CC49BEA7BA9FF48360F10052AF954E7291D7749994CFA0

Function 0053C53A Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0053C5D9
IsMenu.USER32(00000000), ref: 0053C5F9
CreatePopupMenu.USER32 ref: 0053C62F
GetMenuItemCount.USER32(01805AA8), ref: 0053C680
InsertMenuItemW.USER32(01805AA8,?,00000001,00000030), ref: 0053C6A8

Strings

2, xrefs: 0053C613
0, xrefs: 0053C584

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cd3784258d54e73342bde603ee0c52c4b74d1dac2625e8cb29153f26e3a61b5d
Instruction ID: bf0ce0b784d4df2c67d2dc6c8fb7b1bbfafb63a867aeb5074040629fb35e6f35
Opcode Fuzzy Hash: cd3784258d54e73342bde603ee0c52c4b74d1dac2625e8cb29153f26e3a61b5d
Instruction Fuzzy Hash: 3651E271A00305ABDF20CF6CC98ABAEBFF4BF59314F149529E801BB2A1D7709944CB21

Function 0053E653 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0053E66E
gethostname.WSOCK32(?,00000100), ref: 0053E688
gethostbyname.WSOCK32(?), ref: 0053E695
inet_ntoa.WSOCK32(?), ref: 0053E6D7
_strcat.LIBCMT ref: 0053E6E5
WSACleanup.WSOCK32 ref: 0053E70A

Strings

0.0.0.0, xrefs: 0053E6B3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2b1c63d301dd4de3c24baba5516bfe53ede451b9f211b1c2e2afcb8183d36cba
Instruction ID: 8828242230ccd1aef4b4a2f1598c820b27d04cb6ec2bd211a45c0eb310150d3a
Opcode Fuzzy Hash: 2b1c63d301dd4de3c24baba5516bfe53ede451b9f211b1c2e2afcb8183d36cba
Instruction Fuzzy Hash: 40113A71D002096BDB2067359C4BEEE7BBCEF50310F10006AF541930D1EFB48A85AB60

Function 00554E80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00554FA5
VariantInit.OLEAUT32(?), ref: 005550A6
VariantClear.OLEAUT32(?), ref: 005550B0
VariantClear.OLEAUT32(?), ref: 0055510D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00554F35, 00555063, 0055511B
Incorrect Object type in FOR..IN loop, xrefs: 00555089

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f99527a18416e9917b40d0c7b91c4958598565857902369fd22397e50b32a9d7
Instruction ID: 583bdf2ef1c67468eedd9aadd4f0e4a099c7c67c9cb4afb8f62aeb49bf65f1d6
Opcode Fuzzy Hash: f99527a18416e9917b40d0c7b91c4958598565857902369fd22397e50b32a9d7
Instruction Fuzzy Hash: 9891A571A00615ABDF20CF95C868FAE7FB8FF45315F10855AF905AB290D7709949CFA0

Function 005542A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005542C8
CharUpperBuffW.USER32(?,?), ref: 005543D7
_wcslen.LIBCMT ref: 005543E7
VariantClear.OLEAUT32(?), ref: 0055457C

Part of subcall function 005415B3: VariantInit.OLEAUT32(00000000), ref: 005415F3
Part of subcall function 005415B3: VariantCopy.OLEAUT32(?,?), ref: 005415FC
Part of subcall function 005415B3: VariantClear.OLEAUT32(?), ref: 00541608

Strings

AUTOIT.ERROR, xrefs: 005543DD, 005543E2
Incorrect Parameter format, xrefs: 00554303, 005544FE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b16eb07f6a3866f796c7d8797482b3dd5f6595642559bb5a3605191bfca144f2
Instruction ID: 92e939ef1ac8c2aaa82116910a4024b063fa6d1c9b7973393af2e99510a5d6db
Opcode Fuzzy Hash: b16eb07f6a3866f796c7d8797482b3dd5f6595642559bb5a3605191bfca144f2
Instruction Fuzzy Hash: 539137746083419FCB00DF69C49596ABBE5BF88319F14882EF88987351DB34ED49CF92

Function 00562A5C Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00562AE2
GetMenuItemCount.USER32(00000000), ref: 00562B14
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00562B3C
_wcslen.LIBCMT ref: 00562B72
GetMenuItemID.USER32(?,?), ref: 00562BAC
GetSubMenu.USER32(?,?), ref: 00562BBA

Part of subcall function 005342CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005342E6
Part of subcall function 005342CC: GetCurrentThreadId.KERNEL32 ref: 005342ED
Part of subcall function 005342CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00532E43), ref: 005342F4

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00562C42

Part of subcall function 0053F1A7: Sleep.KERNEL32 ref: 0053F21F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cb3e167648f43756f414edd2c834d4d7fd3f5977821499a3603aae8649ca53f3
Instruction ID: 0e8e25f209efd2625dbc4b43eda78e5da5403948457f2adf158382450d7f7a9e
Opcode Fuzzy Hash: cb3e167648f43756f414edd2c834d4d7fd3f5977821499a3603aae8649ca53f3
Instruction Fuzzy Hash: C8719075A00605AFDB10EF65C845AAEBBF1FF98314F108859E816EB351DB74ED418F90

Function 005687FD Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00568896
IsWindowEnabled.USER32(00000000), ref: 005688A2
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0056897D
SendMessageW.USER32(00000000,000000B0,?,?), ref: 005689B0
IsDlgButtonChecked.USER32(?,00000000), ref: 005689E8
GetWindowLongW.USER32(00000000,000000EC), ref: 00568A0A
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00568A22

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: bc9e5a997ee45c70b362c9acf3c7255440d71ac5e4d427169a8700c27716821c
Instruction ID: e7ed84752e2c288a96bfa5853071d6659e6e5e9cc789802f006b75e4c7260b04
Opcode Fuzzy Hash: bc9e5a997ee45c70b362c9acf3c7255440d71ac5e4d427169a8700c27716821c
Instruction Fuzzy Hash: F371EF34A00205AFEF218F55C894FBA7FB9FF5A300F140A59F84593261CB71AD84DB12

Function 0053808C Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005380D1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005380F7
SysAllocString.OLEAUT32(00000000), ref: 005380FA
SysAllocString.OLEAUT32 ref: 0053811B
SysFreeString.OLEAUT32 ref: 00538124
StringFromGUID2.OLE32(?,?,00000028), ref: 0053813E
SysAllocString.OLEAUT32(?), ref: 0053814C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e2a4075479bd26831047ccf924c0c7e28b4be8bf1f5e39ba602a14d3f5453b7c
Instruction ID: b4eea33d31f311dca404185c7f87f3a7deba2e0c273020c28cb4f33aa4c4bd93
Opcode Fuzzy Hash: e2a4075479bd26831047ccf924c0c7e28b4be8bf1f5e39ba602a14d3f5453b7c
Instruction Fuzzy Hash: 29218671600204AFDF149FADDC88CBA7BECFB59360B008525F905CB2A1DAB4EC89D764

Function 00540D8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00540DAE
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00540DEA

Strings

nul, xrefs: 00540E23

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 71ff9519a0b5cc5ed38aea33e5f7ffe28b7903a0b941d4a4796d58d40c9ac20d
Instruction ID: 4b708cf7080d549c646825ef9296f4ce937d6a160acf26f41cb88b6691786fbb
Opcode Fuzzy Hash: 71ff9519a0b5cc5ed38aea33e5f7ffe28b7903a0b941d4a4796d58d40c9ac20d
Instruction Fuzzy Hash: 35215E74A00305EFDB208F69D804ADABFB8BF55728F305E19EAA1D72D0D7709864DB60

Function 00540E63 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00540E82
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00540EBD

Strings

nul, xrefs: 00540EF5

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 03d59dab4bf0035c05b333e2f7cd0e37f20200f34a606ab3f38662e677fc83b4
Instruction ID: 784aa2f830f1700a19fd445db93d933a643595a633998463798b7c14342f6718
Opcode Fuzzy Hash: 03d59dab4bf0035c05b333e2f7cd0e37f20200f34a606ab3f38662e677fc83b4
Instruction Fuzzy Hash: CE217175604305ABDB249F289C04ADABBB8FF55728F301E2DFAA1D32D0D7719854CB60

Function 00564A0C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004D7759
Part of subcall function 004D771B: GetStockObject.GDI32(00000011), ref: 004D776D
Part of subcall function 004D771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 004D7777

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00564A71
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00564A7E
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00564A89
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00564A98
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00564AA4

Strings

Msctls_Progress32, xrefs: 00564A42

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c0c6d49ea5d0eb568cc8652e0df4854360e1d95969b151663aa4d55b7d7e2fe9
Instruction ID: 4ccea0e3b3b84100074a9d9c68361d02a860e8c1f29e30c0a62076d8609fcd85
Opcode Fuzzy Hash: c0c6d49ea5d0eb568cc8652e0df4854360e1d95969b151663aa4d55b7d7e2fe9
Instruction Fuzzy Hash: 461163B1150219BEEF119EA4CC85EE77F9DFF09758F014111BA14A7150C6759C21DBA4

Function 0053E223 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0053E23D
LoadStringW.USER32(00000000), ref: 0053E244
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0053E25A
LoadStringW.USER32(00000000), ref: 0053E261
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0053E2A5

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0053E282

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c5f1c73db870a5bdab0fd302298d243033f70c47b724a955d64fca3f5cc5f2da
Instruction ID: de6e1c33c430fda287de5f07345d1fbc7bf0880a7f9287571afbf6d77a136795
Opcode Fuzzy Hash: c5f1c73db870a5bdab0fd302298d243033f70c47b724a955d64fca3f5cc5f2da
Instruction Fuzzy Hash: B30112F6A002087FE7119794DD8AEE77B7CE708300F404991F746E3041EAB49E889B71

Function 005525BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0055271D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0055273E
WSAGetLastError.WSOCK32 ref: 0055274F
htons.WSOCK32(?,?,?,?,?), ref: 00552838
inet_ntoa.WSOCK32(?), ref: 005527E9

Part of subcall function 00534277: _strlen.LIBCMT ref: 00534281

Part of subcall function 00553B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0054F569), ref: 00553B9D

_strlen.LIBCMT ref: 00552892

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4bc0b58bdf4070bfa39610d80d99b21d162dcda60ab207719a50950611a7555e
Instruction ID: 8969673be8d1f858e1e30e9ec80c1c8cc14be9876d87fd06d58d9a40dee5d865
Opcode Fuzzy Hash: 4bc0b58bdf4070bfa39610d80d99b21d162dcda60ab207719a50950611a7555e
Instruction Fuzzy Hash: B4B1F231604301AFD310DF25C8A5E2A7BB5BF89318F54894EF8564B3A2DB35ED49CB91

Function 00500547 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0050044A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00500466
__allrem.LIBCMT ref: 0050047D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0050049B
__allrem.LIBCMT ref: 005004B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005004D0

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
Instruction ID: 43b9373d2a2e4e5174d16f802aa52ad7e566c10366afeb3a98c87bd0fdece373
Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
Instruction Fuzzy Hash: E3811B726007069BEB259E6DCC86BAF7BE8BF80324F24552EF611D72C1E770D9408B54

Function 0050658E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004F8669,004F8669,?,?,?,005067DF,00000001,00000001,8BE85006), ref: 005065E8
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005067DF,00000001,00000001,8BE85006,?,?,?), ref: 0050666E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00506768
__freea.LIBCMT ref: 00506775

Part of subcall function 00503BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,004F6A99,?,0000015D,?,?,?,?,004F85D0,000000FF,00000000,?,?), ref: 00503BE2

__freea.LIBCMT ref: 0050677E
__freea.LIBCMT ref: 005067A3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 8332a2b185c5ef6bc3d255bf462f14dc6b7717edcd0caf0c1f982b551a56c9bf
Instruction ID: 5829bdf50eb57be0e969d82fdd0e11ab470ca29a4d5a8dfe1aa6f1727a7b8b14
Opcode Fuzzy Hash: 8332a2b185c5ef6bc3d255bf462f14dc6b7717edcd0caf0c1f982b551a56c9bf
Instruction Fuzzy Hash: DE51CF72600216AFEB258F64CD86EAF7FA9FF84754F144628F804D6180EB74DD64C6A1

Function 0055C53A Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 0055D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055C00D,?,?), ref: 0055D314
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D350
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D3C7
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0055C629
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0055C684
RegCloseKey.ADVAPI32(00000000), ref: 0055C6C9
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0055C6F8
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0055C752
RegCloseKey.ADVAPI32(?), ref: 0055C75E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a347f9b025153c34713d3d29138fc97736747075303061be3bacf77b025a3e97
Instruction ID: 585f02eb37b59c411954fa58a1dae21c128cbcdd527af52a5c98862cda2ad143
Opcode Fuzzy Hash: a347f9b025153c34713d3d29138fc97736747075303061be3bacf77b025a3e97
Instruction Fuzzy Hash: 8D816C71208341AFD714DF24C8A5E2ABBE5FF84308F14895EF5558B2A2DB31ED49CB91

Function 0053003D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00530049
SysAllocString.OLEAUT32(00000000), ref: 005300F0
VariantCopy.OLEAUT32(005302F4,00000000), ref: 00530119
VariantClear.OLEAUT32(005302F4), ref: 0053013D
VariantCopy.OLEAUT32(005302F4,00000000), ref: 00530141
VariantClear.OLEAUT32(?), ref: 0053014B

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 248b718e04786a0a6a2df471c22a4f64b7aab3f7e49a8af6bf3ff6496a3bfc09
Instruction ID: a3c275f52f3343613c8d5f4832c6dd952092b7050be749557ce0fed1b802bbc4
Opcode Fuzzy Hash: 248b718e04786a0a6a2df471c22a4f64b7aab3f7e49a8af6bf3ff6496a3bfc09
Instruction Fuzzy Hash: 7B511635600310AACF20AB65D8A9B2ABBA4FF55310F14684BF901DF2D6DB748C44CB95

Function 00568B3A Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0052FB8F,00000000,?,?,00000000,?,005139BC,00000004,00000000,00000000), ref: 00568BAB
EnableWindow.USER32(?,00000000), ref: 00568BD1
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00568C30
ShowWindow.USER32(?,00000004), ref: 00568C44
EnableWindow.USER32(?,00000001), ref: 00568C6A
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00568C8E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 36f1bfd093c354f70c845bfb037d790190326e13d9a9798fd625f6da722ffe2c
Instruction ID: b083b9c762fa419d751cd99055469a0d9508ba4aad4e2a7283988c958aba3711
Opcode Fuzzy Hash: 36f1bfd093c354f70c845bfb037d790190326e13d9a9798fd625f6da722ffe2c
Instruction Fuzzy Hash: 34416374601144EFDB25CF18C899BB57FF0FB56704F184269E9084F272CB71A885DB51

Function 00552C37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00552C45

Part of subcall function 0054EE49: GetWindowRect.USER32(?,?), ref: 0054EE61

GetDesktopWindow.USER32 ref: 00552C6F
GetWindowRect.USER32(00000000), ref: 00552C76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00552CB2
GetCursorPos.USER32(?), ref: 00552CDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00552D3C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 82a3e3ace3b341ba444b0b6ea3f1c705e76529d6f000042479416bd006b6d188
Instruction ID: 68a9791403941ec12134ef6506b3fc0ba59cf304b072d4996740a56bfdccffcb
Opcode Fuzzy Hash: 82a3e3ace3b341ba444b0b6ea3f1c705e76529d6f000042479416bd006b6d188
Instruction Fuzzy Hash: 6F31F472504316ABD720DF18D849B5F7BE9FFC5314F00091AF895A7181DB70E908CBA2

Function 00546178 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004D557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D5558,?,?,00514B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 004D559E

_wcslen.LIBCMT ref: 005461D5
CoInitialize.OLE32(00000000), ref: 005462EF
CoCreateInstance.OLE32(00570CC4,00000000,00000001,00570B34,?), ref: 00546308
CoUninitialize.OLE32 ref: 00546326

Strings

.lnk, xrefs: 005461D0, 0054621B, 005462DF

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0384a762e5ee169b6ea82315db6529a8ab6f115fe3f8fb0287964d5c7a1830fb
Instruction ID: 0d1400395188b0683fd6c854a4b8004e0d655965d78e3332e4d2f566fa672634
Opcode Fuzzy Hash: 0384a762e5ee169b6ea82315db6529a8ab6f115fe3f8fb0287964d5c7a1830fb
Instruction Fuzzy Hash: 3ED165746082019FCB04DF25C494A6ABBF5FF8A318F04885EF8899B361CB71EC45CB92

Function 00532104 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0053210F
UnloadUserProfile.USERENV(?,?), ref: 0053211B
CloseHandle.KERNEL32(?), ref: 00532124
CloseHandle.KERNEL32(?), ref: 0053212C
GetProcessHeap.KERNEL32(00000000,?), ref: 00532135
HeapFree.KERNEL32(00000000), ref: 0053213C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 405444eccca1ce7fbbb5dc7900d2f419456d9b09ddb6b98afeea92c7e59af394
Instruction ID: 768e22b4d323aa722b47a2d4f64c7f27cb2250fb6539db98073b1ed07f3b27bb
Opcode Fuzzy Hash: 405444eccca1ce7fbbb5dc7900d2f419456d9b09ddb6b98afeea92c7e59af394
Instruction Fuzzy Hash: 9AE0ED76A04141BBDB011FA9ED0C905BF39FF6D3227104A20F22583170CBB35464EB61

Function 0053CD90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D4154: _wcslen.LIBCMT ref: 004D4159

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0053CEAE
_wcslen.LIBCMT ref: 0053CEF5
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0053CF5C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0053CF8A

Strings

0, xrefs: 0053CE6F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 21449f5eb66d3a0975b17ec36fd3afc9199821e789773fef4e8c92de96bd8a67
Instruction ID: 43bfd9bca029e49d8396d0512cd801af684f13378dbfdae924aca9dbf7761580
Opcode Fuzzy Hash: 21449f5eb66d3a0975b17ec36fd3afc9199821e789773fef4e8c92de96bd8a67
Instruction Fuzzy Hash: 2E51EF716043009FD715DF28C885B6BBFE9BF99318F040A2EF995E72A0DB74C9449B52

Function 005646DB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00564794
IsMenu.USER32(?), ref: 005647A9
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005647F1
DrawMenuBar.USER32 ref: 00564804

Strings

0, xrefs: 005646E8

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 97e496909397019baa08cca1e65d658047b7c3b4e6edb3f2ce9214067750a1c8
Instruction ID: 6055425235dda777b02afefec46dea2dbec6d3ff5195e81f93ce4b905b1be452
Opcode Fuzzy Hash: 97e496909397019baa08cca1e65d658047b7c3b4e6edb3f2ce9214067750a1c8
Instruction Fuzzy Hash: 30415775A00249EFDB20CFA4D884EAABBB9FF0A314F044129E905A7350C770ED54DF60

Function 00532672 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005326F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00532709
SendMessageW.USER32(?,00000189,?,00000000), ref: 00532739

Part of subcall function 004D84B7: _wcslen.LIBCMT ref: 004D84CA

Strings

ComboBox, xrefs: 00532680
ListBox, xrefs: 005326B5

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 00569b1cbbc4f35f864beee656490c7480875e01c9d5de7ddbdd86eeb80f7811
Instruction ID: 5fedc5635133e9b679c739992865010c84e48e7427470b2f72a2688762e2480b
Opcode Fuzzy Hash: 00569b1cbbc4f35f864beee656490c7480875e01c9d5de7ddbdd86eeb80f7811
Instruction Fuzzy Hash: 3F213571A00108BFDB14ABA4DC8ADFEBBB9FF81354F10851EF411A32E1DB78490A9660

Function 004D6332 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004D637F,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D633E
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004D6350
FreeLibrary.KERNEL32(00000000,?,?,004D637F,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D6362

Strings

Wow64DisableWow64FsRedirection, xrefs: 004D634A
kernel32.dll, xrefs: 004D6336

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ca754ed97a819adc81ca0c2f0d9632d6f39442385f5b6192ad63f56f13629bed
Instruction ID: 8e91527f0db207ba77c3a09e299c3c5d3d1095fa7cebe3137d06a6b188e6ebcd
Opcode Fuzzy Hash: ca754ed97a819adc81ca0c2f0d9632d6f39442385f5b6192ad63f56f13629bed
Instruction Fuzzy Hash: 6CE08632B01B2117D21117596C18A5B6628AF92B1270A0017FD00D3300DFF8CC05C4B4

Function 004D62FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,005154C3,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D6304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004D6316
FreeLibrary.KERNEL32(00000000,?,?,005154C3,?,?,004D60AA,?,00000001,?,?,00000000), ref: 004D6329

Strings

Wow64RevertWow64FsRedirection, xrefs: 004D6310
kernel32.dll, xrefs: 004D62FD

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: affee0e3a2f9b30301587bb9292997010d517b3227785ad26df8e6fc859651b9
Instruction ID: 58167ff18b3c8caa45c7ebceb4ea088f5b66cccd5dd3f175a7818efc5be4edf1
Opcode Fuzzy Hash: affee0e3a2f9b30301587bb9292997010d517b3227785ad26df8e6fc859651b9
Instruction Fuzzy Hash: FDD01235B5262197D6222729AC28D8F7E24EE8BB1134A0417FC00A732CCFF8CD05D5B4

Function 0055ACE6 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0055AD86
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0055AD94
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0055ADC7
CloseHandle.KERNEL32(?), ref: 0055AF9C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 27bb93433ab282603db8a6c21144bdc1046eb9d6c582e4e263b18b7019ea898f
Instruction ID: 225938678079f60e57995c1bedfc0cc5b6b28082d6600bef307a9293a324e9a3
Opcode Fuzzy Hash: 27bb93433ab282603db8a6c21144bdc1046eb9d6c582e4e263b18b7019ea898f
Instruction Fuzzy Hash: C6A1E1B16003019FD720EF25C8A6B2ABBE1AF54714F14891EF959DB392DB74EC04CB86

Function 0055C328 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 0055D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055C00D,?,?), ref: 0055D314
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D350
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D3C7
Part of subcall function 0055D2F7: _wcslen.LIBCMT ref: 0055D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0055C404
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0055C45F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0055C4C2
RegCloseKey.ADVAPI32(?,?), ref: 0055C505
RegCloseKey.ADVAPI32(00000000), ref: 0055C512

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: db7e182c4c90d814da8c3a6928a7d8c61ef32e7d263327f22bd9ed963b51416c
Instruction ID: 4a23a35f76be390abf8c3a9e8f78e36a5f3a9317d3c696c52976b57c94505a80
Opcode Fuzzy Hash: db7e182c4c90d814da8c3a6928a7d8c61ef32e7d263327f22bd9ed963b51416c
Instruction Fuzzy Hash: 9B615F31208241EFD714DF54C4A4E2ABBE5FF84309F14899EF4958B292DB35ED49CB91

Function 0053EC27 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0053E60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0053D6E2,?), ref: 0053E629

Part of subcall function 0053E60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0053D6E2,?), ref: 0053E642

Part of subcall function 0053E9C5: GetFileAttributesW.KERNELBASE(?,0053D755), ref: 0053E9C6

lstrcmpiW.KERNEL32(?,?), ref: 0053EC9F
MoveFileW.KERNEL32(?,?), ref: 0053ECD8
_wcslen.LIBCMT ref: 0053EE17
_wcslen.LIBCMT ref: 0053EE2F
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0053EE7C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c26854d5ac9cb20b3b9547b2140ceb63e9cfffb32c671d7a05150c81303e6d5d
Instruction ID: 9bb946de282c1d8e4d002cb06a44065418f22bc6bd459a47d57f0ebe10562eb2
Opcode Fuzzy Hash: c26854d5ac9cb20b3b9547b2140ceb63e9cfffb32c671d7a05150c81303e6d5d
Instruction Fuzzy Hash: 8C5165B24083899BC724EB64D8859DF77ECBF84314F00092FF68593191EF74A688876A

Function 005023E1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00502453
_free.LIBCMT ref: 00502473

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 39caef53fb1789228c98401363cc1b368e228e5da327740a0d5974f55e21d5cd
Instruction ID: 9b79344f3e420ef47abb60621474431773f87f089d463b91009e4cab796b2c34
Opcode Fuzzy Hash: 39caef53fb1789228c98401363cc1b368e228e5da327740a0d5974f55e21d5cd
Instruction Fuzzy Hash: 0A41E432A002049FCB20DF78C989A6EBBF5FF89314F1545A9E515EB291D631ED01DB41

Function 005441CE Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00544225
TranslateAcceleratorW.USER32(?,00000000,?), ref: 0054427C
TranslateMessage.USER32(?), ref: 005442A5
DispatchMessageW.USER32(?), ref: 005442AF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005442C0

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4fdb5d7423104635ac82ce851643a25fec9b054beec180989bbe99a417b56fd1
Instruction ID: a0ade8a2f3d271e1f3af7bf2be3dbf238846569b038ae1cecb5ad0698440f053
Opcode Fuzzy Hash: 4fdb5d7423104635ac82ce851643a25fec9b054beec180989bbe99a417b56fd1
Instruction Fuzzy Hash: 933198749843429FEB24CB689809BF77FE8FB2670DF04496DE56282190D7E49489DF21

Function 00532191 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005321A5
PostMessageW.USER32(00000001,00000201,00000001), ref: 00532251
Sleep.KERNEL32(00000000,?,?,?), ref: 00532259
PostMessageW.USER32(00000001,00000202,00000000), ref: 0053226A
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00532272

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 850de1c1896bc09a05b3805cdbfed716d3289f880bb9237bb6668f32b36fb8a7
Instruction ID: c6557b91bf5ce62b6e7b60717829296a357705c999d19ccf3f1669bbc043c863
Opcode Fuzzy Hash: 850de1c1896bc09a05b3805cdbfed716d3289f880bb9237bb6668f32b36fb8a7
Instruction Fuzzy Hash: 4131B175A00619EFDB04CFA8CD89ADE3FB5FB14315F104625FA25AB2D0C7B0A954DBA0

Function 00566065 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005660A4
SendMessageW.USER32(?,00001074,?,00000001), ref: 005660FC
_wcslen.LIBCMT ref: 0056610E
_wcslen.LIBCMT ref: 00566119
SendMessageW.USER32(?,00001002,00000000,?), ref: 00566175

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 16af0fa964da36e0bb4bf08a7a939321e183225e9a9402ec57b7af3a731f2247
Instruction ID: 84bb195c9630d6cfc78f5c6daa769f764b223d71a949de790634c888c929b102
Opcode Fuzzy Hash: 16af0fa964da36e0bb4bf08a7a939321e183225e9a9402ec57b7af3a731f2247
Instruction Fuzzy Hash: AC219375900208ABDF109FA5CC88AEE7FB8FB45724F104616FA25DB2C0DB748685CF61

Function 0053089E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005307D1,80070057,?,?,?,00530BEE), ref: 005308BB
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005307D1,80070057,?,?), ref: 005308D6
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005307D1,80070057,?,?), ref: 005308E4
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005307D1,80070057,?), ref: 005308F4
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005307D1,80070057,?,?), ref: 00530900

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7ffac841060eb4540304e725e2895cf516fe49e8988ba3c74ab7ea3123e93ea0
Instruction ID: e8ef85eb3667ab34e889ec4cdeef95aba6a3f603c54766d35e709cefee814d90
Opcode Fuzzy Hash: 7ffac841060eb4540304e725e2895cf516fe49e8988ba3c74ab7ea3123e93ea0
Instruction Fuzzy Hash: 52017C72B00318ABDB104F69DC08BAA7FBDFB98751F104524F905D3251D7B0DD00ABA0

Function 00540BCB Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00540A39,?,00543C56,?,00000001,00513ACE,?), ref: 00540BE0
CloseHandle.KERNEL32(?,?,?,?,00540A39,?,00543C56,?,00000001,00513ACE,?), ref: 00540BED
CloseHandle.KERNEL32(?,?,?,?,00540A39,?,00543C56,?,00000001,00513ACE,?), ref: 00540BFA
CloseHandle.KERNEL32(?,?,?,?,00540A39,?,00543C56,?,00000001,00513ACE,?), ref: 00540C07
CloseHandle.KERNEL32(?,?,?,?,00540A39,?,00543C56,?,00000001,00513ACE,?), ref: 00540C14
CloseHandle.KERNEL32(?,?,?,?,00540A39,?,00543C56,?,00000001,00513ACE,?), ref: 00540C21

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 39b39354dfe29232c13f47999c0d5a4544344f022adb0737f7e9f7f8bca817a0
Instruction ID: 6efae21e887ee3130cb248265271f9503050bd6f9433c70f5bed0f4faba36b82
Opcode Fuzzy Hash: 39b39354dfe29232c13f47999c0d5a4544344f022adb0737f7e9f7f8bca817a0
Instruction Fuzzy Hash: F301E271800B15CFC730AF66D880846FBF5FF503093209A3ED29242971C7B1A888DF80

Function 005364D3 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005364E7
GetWindowTextW.USER32(00000000,?,00000100), ref: 005364FE
MessageBeep.USER32(00000000), ref: 00536516
KillTimer.USER32(?,0000040A), ref: 00536532
EndDialog.USER32(?,00000001), ref: 0053654C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e8bd28a2c27b22fcdda788b2a013887734637f4bfdf34f1e47aa064ffc2dac5c
Instruction ID: 3e8bc34d1a37c7c4da99da022382af3c7fe3db8f825dac0a6a443e033d8f6ec7
Opcode Fuzzy Hash: e8bd28a2c27b22fcdda788b2a013887734637f4bfdf34f1e47aa064ffc2dac5c
Instruction Fuzzy Hash: 2C018630A40704ABEB205B18DD4EB967B78FB20705F40496DF687620E1DBF4AA58DB60

Function 00502630 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0050264E

Part of subcall function 00502D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0050DB71,005A1DC4,00000000,005A1DC4,00000000,?,0050DB98,005A1DC4,00000007,005A1DC4,?,0050DF95,005A1DC4), ref: 00502D6E
Part of subcall function 00502D58: GetLastError.KERNEL32(005A1DC4,?,0050DB71,005A1DC4,00000000,005A1DC4,00000000,?,0050DB98,005A1DC4,00000007,005A1DC4,?,0050DF95,005A1DC4,005A1DC4), ref: 00502D80

_free.LIBCMT ref: 00502660
_free.LIBCMT ref: 00502673
_free.LIBCMT ref: 00502684
_free.LIBCMT ref: 00502695

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 349246000ce8f29294510109ea6bffb6bde79faff5e1a2f78bcfa6d3f68a3255
Instruction ID: 01f0ce0abbedf1defea70e81d4951e828121133e8a3f89dad83f4e11c6bcbbed
Opcode Fuzzy Hash: 349246000ce8f29294510109ea6bffb6bde79faff5e1a2f78bcfa6d3f68a3255
Instruction Fuzzy Hash: 32F017758115618FCB01AF68AC0A94C3FA4BB76751B01020BF414922F5CB710D5BBEA8

Function 00556B2D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 004F05D2: EnterCriticalSection.KERNEL32(005A170C,?,00000000,?,004DD1DA,005A3540,00000001,00000000,?,?,0054EF39,?,?,00000000,00000001,?), ref: 004F05DD
Part of subcall function 004F05D2: LeaveCriticalSection.KERNEL32(005A170C,?,004DD1DA,005A3540,00000001,00000000,?,?,0054EF39,?,?,00000000,00000001,?,00000001,005A2430), ref: 004F061A

Part of subcall function 004F0433: __onexit.LIBCMT ref: 004F0439

__Init_thread_footer.LIBCMT ref: 00556B95

Part of subcall function 004F0588: EnterCriticalSection.KERNEL32(005A170C,00000000,?,004DD208,005A3540,005127E9,00000001,00000000,?,?,0054EF39,?,?,00000000,00000001,?), ref: 004F0592
Part of subcall function 004F0588: LeaveCriticalSection.KERNEL32(005A170C,?,004DD208,005A3540,005127E9,00000001,00000000,?,?,0054EF39,?,?,00000000,00000001,?,00000001), ref: 004F05C5

Part of subcall function 00543EF6: LoadStringW.USER32(00000066,?,00000FFF,0056DCEC), ref: 00543F3E
Part of subcall function 00543EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 00543F64

Strings

x3Z, xrefs: 00556C97
x3Z, xrefs: 00556CB0
x3Z, xrefs: 00556CCC

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x3Z$x3Z$x3Z
API String ID: 1072379062-323976283
Opcode ID: c3ef7252dd58eeae9846f440dfe78ddb533ee5ba739b5e0fde704a319a847b27
Instruction ID: e73a2acc2d394a2f0bf17272af06d4f15366d716db52cd471d9420725ac44f3b
Opcode Fuzzy Hash: c3ef7252dd58eeae9846f440dfe78ddb533ee5ba739b5e0fde704a319a847b27
Instruction Fuzzy Hash: 39C19E75A00149AFCB14DF98C8A1DBEBBB9FF58305F50842AF9059B291DB74ED48CB90

Function 004DCF30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004DD203

Strings

D5Z, xrefs: 004DCF7F
D5Z, xrefs: 004DD1EA
D5Z, xrefs: 004DCF78

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Init_thread_footer
String ID: D5Z$D5Z$D5Z
API String ID: 1385522511-4270867086
Opcode ID: 30d0a6b86ac651dbcf6da001ee41d25858aa98f3955bd0e4f3a28476a74ae5f7
Instruction ID: c0185625fe63fbfabfc80bf574dc475923eb0be92836aa0bf784c309f67b9382
Opcode Fuzzy Hash: 30d0a6b86ac651dbcf6da001ee41d25858aa98f3955bd0e4f3a28476a74ae5f7
Instruction Fuzzy Hash: E8911775E00206DFCB14CF59C4A06AABBF2FF59314F24816FE9459B340D739AA82DB94

Function 00532FA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0053BCDF: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00532A60,?,?,00000034,00000800,?,00000034), ref: 0053BD09

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00532FF0

Part of subcall function 0053BCAA: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00532A8F,?,?,00000800,?,00001073,00000000,?,?), ref: 0053BCD4

Part of subcall function 0053BC06: GetWindowThreadProcessId.USER32(?,?), ref: 0053BC31
Part of subcall function 0053BC06: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00532A24,00000034,?,?,00001004,00000000,00000000), ref: 0053BC41
Part of subcall function 0053BC06: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00532A24,00000034,?,?,00001004,00000000,00000000), ref: 0053BC57

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0053305D
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005330AA

Strings

@, xrefs: 005330C2

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0073d157d976f46736c029684997d827976329f7efdfef5e02b42b73f391cf51
Instruction ID: 7baf60f75af8bd005d5e957be9f4b6b4327a5e02058017393a6f9ad997c270a5
Opcode Fuzzy Hash: 0073d157d976f46736c029684997d827976329f7efdfef5e02b42b73f391cf51
Instruction Fuzzy Hash: 89414C76A0021DAFDB25DFA4CD85ADEBBB8FB45700F004099FA45B7180DA716E89CB61

Function 0053CA3D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0053CAC6
DeleteMenu.USER32(?,00000007,00000000), ref: 0053CB0C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005A2990,01805AA8), ref: 0053CB55

Strings

0, xrefs: 0053CA9F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 32dcfb2ac60ff8ac221837bb71f84f71488613d7a1197c9c00738ccf35e68191
Instruction ID: 208bbf3932e61ec90820ce4530b25bf7ab2e80caa318066d986ea9f372a6929a
Opcode Fuzzy Hash: 32dcfb2ac60ff8ac221837bb71f84f71488613d7a1197c9c00738ccf35e68191
Instruction Fuzzy Hash: 1B41BD306053429FD720DF28C856B1ABFE4BF94324F044A1EF9A5A7291DB71E804CBA2

Function 00564D75 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0056DCD0,00000000,?,?,?,?), ref: 00564E09
GetWindowLongW.USER32 ref: 00564E26
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00564E36

Strings

SysTreeView32, xrefs: 00564DDB

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 27c751960f9fa2cfdb704c0d966c35d40dd26cd4998d53121c049217f95a152c
Instruction ID: fd7399a589224c31f0a96e0a517c0b89ab06ce4497297be9d51301b5e961a76a
Opcode Fuzzy Hash: 27c751960f9fa2cfdb704c0d966c35d40dd26cd4998d53121c049217f95a152c
Instruction Fuzzy Hash: 3D318B31600205AFDF218E78CC45BEA7BA9FB18334F204719F875932E0DB75AC509B60

Function 00564817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0056489F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005648B3
SendMessageW.USER32(?,00001002,00000000,?), ref: 005648D7

Strings

SysMonthCal32, xrefs: 0056486A

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 71f67f9eb2a06ba199f958976dfd1c8049ac47cfd187641941bd7f1a0e4aff7e
Instruction ID: 57e1121453014f176b5e71e7219839a96061ca069ea869c65e3dc99228c02714
Opcode Fuzzy Hash: 71f67f9eb2a06ba199f958976dfd1c8049ac47cfd187641941bd7f1a0e4aff7e
Instruction Fuzzy Hash: A0217F32600219AFDF158F94CC46FEA3BB9FF88724F150214FA15AB190D6B5A8559BA0

Function 00564FB2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00565064
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00565072
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00565079

Strings

msctls_updown32, xrefs: 00564FE3

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: eaa06f0915c2312f88fa919fc369dd4ef9330e1dc03c72d4dcc09002f307b0ea
Instruction ID: 6b34b5b4f23b8d68ab132859916c3512ba1e081c61f4113b94c738d12bdc8136
Opcode Fuzzy Hash: eaa06f0915c2312f88fa919fc369dd4ef9330e1dc03c72d4dcc09002f307b0ea
Instruction Fuzzy Hash: 53217CB5600209AFDB11DF68CC85DBB3BADFF5A3A4F000559F9009B361DA71EC559BA0

Function 00564116 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0056419F
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005641AF
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005641D5

Strings

Listbox, xrefs: 0056416E

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 28becd39e01b6ef9f4ee5c0a48754b1ecdb01b7dbf94f6901af235b6aba2b67c
Instruction ID: 253e8609b09078ab6c9809039d0aba170d1d90235d09959812d4a535832ac945
Opcode Fuzzy Hash: 28becd39e01b6ef9f4ee5c0a48754b1ecdb01b7dbf94f6901af235b6aba2b67c
Instruction Fuzzy Hash: 80219272610218BBEF218F54DC85FBB3B6EFF9A754F108115F9149B190C6719C92DBA0

Function 00564B4A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00564BAE
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00564BC3
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00564BD0

Strings

msctls_trackbar32, xrefs: 00564B85

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 52300faa6b7db1aec2fdb0dbec2fd62ab985dc9a961104ad407aa506c6b03673
Instruction ID: 73c28c0f33c86365741ae1c9fcb0e58e64e84e146a072cdb0e79ab862e1f2ba0
Opcode Fuzzy Hash: 52300faa6b7db1aec2fdb0dbec2fd62ab985dc9a961104ad407aa506c6b03673
Instruction Fuzzy Hash: C911E031240208BEEF215E69CC06FAB7BA8FF85B64F114519FA55E30A0D671D861DB24

Function 005661E1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00566220
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0056624D
DrawMenuBar.USER32(?), ref: 0056625C

Strings

0, xrefs: 005661EE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2ecea1fdf7bcec674b98e794067931b7ff494763dba62ebb2024fee6ff9c660d
Instruction ID: 72ac6d55f19c06a12bd5022a502111a80b6005113483488d28e4b3aa289195cb
Opcode Fuzzy Hash: 2ecea1fdf7bcec674b98e794067931b7ff494763dba62ebb2024fee6ff9c660d
Instruction Fuzzy Hash: 4501A975A00208AFDB209F56CC88BAA7FB4FF84314F04809AF84AD7151DB708A94EF21

Function 0053090F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e070822469113f4eb7b2fea855c6956a50ae355d852e8e080630b86a2d0a5549
Instruction ID: 6af265b7c18db425cfa912b98f7f1ca2bb3366fe518c543716e83498d1084d8d
Opcode Fuzzy Hash: e070822469113f4eb7b2fea855c6956a50ae355d852e8e080630b86a2d0a5549
Instruction Fuzzy Hash: B7C15C75A0021AEFDB14CF94C8A4AAEBBB5FF88704F109598E505EB291D731ED81DB90

Function 00504210 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0050429B
__alldvrm.LIBCMT ref: 0050449C
__alldvrm.LIBCMT ref: 005044BE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
Instruction ID: a59b1afd3a5569b4a6cbdf57a6505e9d5bfbca189c522e6b21df90ef395ca0b3
Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
Instruction Fuzzy Hash: D6A125B6A007869FEB25CE58C8917AEBFA4FF55310F18456DEA859B2C1C3389D81CB50

Function 00530CC6 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00570BD4,?), ref: 00530E80
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00570BD4,?), ref: 00530E98
CLSIDFromProgID.OLE32(?,?,00000000,0056DCE0,000000FF,?,00000000,00000800,00000000,?,00570BD4,?), ref: 00530EBD
_memcmp.LIBVCRUNTIME ref: 00530EDE

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: ed90e8b500316a9adce7168531fbe84d0b5d0fdcc64e5e17e1e64ad143313f25
Instruction ID: eb6324a58714b49a0a446a66e11cbcaeecf0df1deda957dea8d61a3325307e83
Opcode Fuzzy Hash: ed90e8b500316a9adce7168531fbe84d0b5d0fdcc64e5e17e1e64ad143313f25
Instruction Fuzzy Hash: 52811F71A00209EFCB04DFD4C994DEEBBB9FF89315F104559E506AB250DB71AE05DB60

Function 0055AFDB Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0055B00B
Process32FirstW.KERNEL32(00000000,?), ref: 0055B019

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Process32NextW.KERNEL32(00000000,?), ref: 0055B0FB
CloseHandle.KERNEL32(00000000), ref: 0055B10A

Part of subcall function 004EE2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00514D4D,?), ref: 004EE30F

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bf1c68cb22b9e322466db9dc88e0964dbe7f59b4b4439b646a8a53f93d9324af
Instruction ID: 3d596fe92bdac7479482e5a4f01c9b6b1d5e52f0b17db2b8e0fe60c34aab6475
Opcode Fuzzy Hash: bf1c68cb22b9e322466db9dc88e0964dbe7f59b4b4439b646a8a53f93d9324af
Instruction Fuzzy Hash: 1C516CB15083009FD310EF25C89AA6BBBE8FF98714F00491EF985D72A1EB74D904CB96

Function 00552433 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0055245A
WSAGetLastError.WSOCK32 ref: 00552468
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005524E7
WSAGetLastError.WSOCK32 ref: 005524F1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b7cca377be1098d3564a5359854db7496937f5d01a45c3a033fb4a36bd49069a
Instruction ID: 16bc11689df8ecc76c73628a38af8db34169601dde70f97056dbc631e5e0d659
Opcode Fuzzy Hash: b7cca377be1098d3564a5359854db7496937f5d01a45c3a033fb4a36bd49069a
Instruction Fuzzy Hash: 8741E574600200AFE720AF25C8A6F293BE5AB15708F54C44EF91A8F3D2D776ED41CB90

Function 00566BD7 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00566C41
ScreenToClient.USER32(?,?), ref: 00566C74
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00566CE1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 11ff0f4a72315f1d58514d84642d36de20135cf730ac33b012c4f51a53b8f1f2
Instruction ID: 94401f6accdf40362479d4e45e8c73226ab304f2670b32fdc30eba0457f5bcfd
Opcode Fuzzy Hash: 11ff0f4a72315f1d58514d84642d36de20135cf730ac33b012c4f51a53b8f1f2
Instruction Fuzzy Hash: F0516D70A00609EFDF10CF68C981AAE7BB6FF55360F108259F8659B2A0D730ED81DB90

Function 00546033 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005460DD
GetLastError.KERNEL32(?,00000000), ref: 00546103
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00546128
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00546154

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 97d4d9b04cfd35ed5ff03c749c271d60e4e048510e9c55a878c7432e6f8d1f88
Instruction ID: a9e5a467c01e9b94b94ef77b2cb7a4cffd0d7cfdbe07f7345de1a885f05b0564
Opcode Fuzzy Hash: 97d4d9b04cfd35ed5ff03c749c271d60e4e048510e9c55a878c7432e6f8d1f88
Instruction Fuzzy Hash: 48413C39600610DFCB10EF15C464A5EBBE2EF59718B15848AE84A9B362CB34FC01CF95

Function 00562039 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0056204A

Part of subcall function 005342CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005342E6
Part of subcall function 005342CC: GetCurrentThreadId.KERNEL32 ref: 005342ED
Part of subcall function 005342CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00532E43), ref: 005342F4

GetCaretPos.USER32(?), ref: 0056205E
ClientToScreen.USER32(00000000,?), ref: 005620AB
GetForegroundWindow.USER32 ref: 005620B1

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cd80d2c30c1b09472fbeab113657897057c64fa6486804ce13200ba9772b1a53
Instruction ID: cb62f9b5a551238df726a2490ac3038cfb1790abf41536d92f3115871a401dfc
Opcode Fuzzy Hash: cd80d2c30c1b09472fbeab113657897057c64fa6486804ce13200ba9772b1a53
Instruction Fuzzy Hash: 5A314571E00109AFCB04DFAAC8858AEBBF8FF58314B50446EE415E7311DA75EE05CBA0

Function 0053E7C1 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004D4154: _wcslen.LIBCMT ref: 004D4159

_wcslen.LIBCMT ref: 0053E7F7
_wcslen.LIBCMT ref: 0053E80E
_wcslen.LIBCMT ref: 0053E839
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0053E844

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: f89e7eda3c82e2cee2438f2166835738af29dce89e3e1b53f0b5e30dd2f6ae7d
Instruction ID: d2398cccc90a82e2f0900b487bb1543e4bd3a9f2616502ed1d97a1b526ecb845
Opcode Fuzzy Hash: f89e7eda3c82e2cee2438f2166835738af29dce89e3e1b53f0b5e30dd2f6ae7d
Instruction Fuzzy Hash: FB21A871D00218AFCB119FA9C982BBEBBF4FF85354F154059E904BB281DA749D4187B5

Function 00538184 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0053960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00538199,?,000000FF,?,00538FE3,00000000,?,0000001C,?,?), ref: 0053961B
Part of subcall function 0053960C: lstrcpyW.KERNEL32(00000000,?,?,00538199,?,000000FF,?,00538FE3,00000000,?,0000001C,?,?,00000000), ref: 00539641
Part of subcall function 0053960C: lstrcmpiW.KERNEL32(00000000,?,00538199,?,000000FF,?,00538FE3,00000000,?,0000001C,?,?), ref: 00539672

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00538FE3,00000000,?,0000001C,?,?,00000000), ref: 005381B2
lstrcpyW.KERNEL32(00000000,?,?,00538FE3,00000000,?,0000001C,?,?,00000000), ref: 005381D8
lstrcmpiW.KERNEL32(00000002,cdecl,?,00538FE3,00000000,?,0000001C,?,?,00000000), ref: 00538213

Strings

cdecl, xrefs: 0053820A

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2670e83002e37287896108bb94da985f5aa98a8862b2c68e1cad414a438c0fbc
Instruction ID: 69e0c38aeac6f3917b483c12720ba35fd8dc623a5da4f55049f0cda841490f84
Opcode Fuzzy Hash: 2670e83002e37287896108bb94da985f5aa98a8862b2c68e1cad414a438c0fbc
Instruction Fuzzy Hash: D311D67A200306ABCB155F79D849A7A7BA5FF99350F50402AF906C7250EFB19811D761

Function 00568621 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0056866A
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00568689
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005686A1
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0054C10A,00000000), ref: 005686CA

Part of subcall function 004D2441: GetWindowLongW.USER32(00000000,000000EB), ref: 004D2452

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: f78c7253d78f86145c47b074092ad9bff07b17451029a4dd9125575d680affce
Instruction ID: af2121ecd65fdb693eb8dbe6a7a18a027beff8f86db3b40bc84aee055b95e0ba
Opcode Fuzzy Hash: f78c7253d78f86145c47b074092ad9bff07b17451029a4dd9125575d680affce
Instruction Fuzzy Hash: 18119D32600225AFCB108F2DCC08A6A3BA5FB65364F118724F939DB2E0DB708955DB50

Function 00502099 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba14539c970992658f70fd6e97cd0199388c7ff2629970a1208b4fc6a7b37aba
Instruction ID: 3f1aa3e86c3e73ad43757e183b40239746358b2c7a16e93e6b32c97457fe3c46
Opcode Fuzzy Hash: ba14539c970992658f70fd6e97cd0199388c7ff2629970a1208b4fc6a7b37aba
Instruction Fuzzy Hash: 7F01DFB26092163EE62126786CCDF2F6F1DEF923B8F340729F620A11D1EAB08C409570

Function 005322B7 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005322D7
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005322E9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005322FF
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0053231A

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bb3cc13eb8386787fac8c61b75da662d899c6b925459a56581af303f688513c7
Instruction ID: ed7c2f98ff2627f2f18f60f5175c33cd6507fcb5a960bb5a180c29de7019fc6a
Opcode Fuzzy Hash: bb3cc13eb8386787fac8c61b75da662d899c6b925459a56581af303f688513c7
Instruction Fuzzy Hash: 4A11093AD00219FFEF119BA5CD85F9DBBB8FB08750F200491EA01B7290D6716E10DB94

Function 0056A852 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004D2441: GetWindowLongW.USER32(00000000,000000EB), ref: 004D2452

GetClientRect.USER32(?,?), ref: 0056A890
GetCursorPos.USER32(?), ref: 0056A89A
ScreenToClient.USER32(?,?), ref: 0056A8A5
DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 0056A8D9

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 891493514ece2b7b13aeb24bc4035ad390e000e85e31d9843a928d1faf42d2e4
Instruction ID: 7dbe8b0913fc593e6db0ec34a9e1bbd4514f906ab25f6896a645ae2100ffb4e7
Opcode Fuzzy Hash: 891493514ece2b7b13aeb24bc4035ad390e000e85e31d9843a928d1faf42d2e4
Instruction Fuzzy Hash: 26113671A0011AEFEF14DF98D8899EE7BB8FB45300F004855F912E3150D770AA86DFA2

Function 0053EA02 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0053EA29
MessageBoxW.USER32(?,?,?,?), ref: 0053EA5C
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0053EA72
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0053EA79

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 399f141f16ab55b5aed44198a30ee14666e0f1b61be2cc674181254a1fde0b1d
Instruction ID: b7d45d858edd778b42b915d95d426b763ba28e34d7cfa4c60997cf16f51fed0e
Opcode Fuzzy Hash: 399f141f16ab55b5aed44198a30ee14666e0f1b61be2cc674181254a1fde0b1d
Instruction Fuzzy Hash: 7411CC76D00258BFCB119BAC9C0A99B7FADBB57310F044556F425E32D0D6B5CD089771

Function 00568773 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00568792
ScreenToClient.USER32(?,?), ref: 005687AA
ScreenToClient.USER32(?,?), ref: 005687CE
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005687E9

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 264c8c138f224e03aed5ca946b1be6d6323e011f5df2adc79c06184af2ba74f5
Instruction ID: 8fdc789f6f2b2c5b6363fbe5bc33cf5e6356368e796f1e872d1c5d7b9ab67e18
Opcode Fuzzy Hash: 264c8c138f224e03aed5ca946b1be6d6323e011f5df2adc79c06184af2ba74f5
Instruction Fuzzy Hash: 521144B9D00209EFDB41CF98D8849EEBBF5FB18310F104166E915E3210D775AA54DF50

Function 004D2150 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004D216C
SetTextColor.GDI32(?,?), ref: 004D2176
SetBkMode.GDI32(?,00000001), ref: 004D2189
GetStockObject.GDI32(00000005), ref: 004D2191

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: c946c70b8bd9b2b23f5846cf159ca429af67a2e353a056c1b365d8b8e46f6265
Instruction ID: 6f0e615e1d52b1ec4cd1cf79e360657000b731545cfb86f0f7bff5566c225f4a
Opcode Fuzzy Hash: c946c70b8bd9b2b23f5846cf159ca429af67a2e353a056c1b365d8b8e46f6265
Instruction Fuzzy Hash: 06E06531B40240AEDB215B78AC197D97F31AB22335F04C715F6BA551E1C3F14685EB20

Function 0052EBD6 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0052EBD6
GetDC.USER32(00000000), ref: 0052EBE0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0052EC00
ReleaseDC.USER32(?), ref: 0052EC21

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d0c1c5ca8c32808e43d34039d42b01b20dfff287323284ab35d4e0b20f91d90f
Instruction ID: 4802831bb3505e1c92abfd7f0891797080d272c6380f83b050627ef0bf9078f0
Opcode Fuzzy Hash: d0c1c5ca8c32808e43d34039d42b01b20dfff287323284ab35d4e0b20f91d90f
Instruction Fuzzy Hash: BAE01AB4E00201DFCB50AFA5D80CA6DBBB1FB18311F11884AE80AA3350CB788949AF24

Function 0052EBEA Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0052EBEA
GetDC.USER32(00000000), ref: 0052EBF4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0052EC00
ReleaseDC.USER32(?), ref: 0052EC21

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 715250e4135d2717edf5838eddd15fdfd2778b310e77d540136770b71e0049d1
Instruction ID: 72e72fdf17ac591001bf18369e661b8d8792047d40ab40670fe3a6ba1f430b48
Opcode Fuzzy Hash: 715250e4135d2717edf5838eddd15fdfd2778b310e77d540136770b71e0049d1
Instruction Fuzzy Hash: 79E01AB4E00200DFCB50AFA5D80C66DBBB1BB18311F11884AE90AA3350C7789909AF24

Function 004FE60D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004FE69D

Strings

pow, xrefs: 004FE675, 004FE692

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f82403e8694d1341e334b0fc51230797eb3d320cb3e38dd23f5e905aa9da498c
Instruction ID: d4fa9f72f9a51a4ee4ba12afcdb0da80b520bb9953c92a7a4e3ed031d98149de
Opcode Fuzzy Hash: f82403e8694d1341e334b0fc51230797eb3d320cb3e38dd23f5e905aa9da498c
Instruction Fuzzy Hash: FF51887090810A86DB117B15D905B7F2FA0BF60742F704D1AE0D5822F9EF388CD6EA4A

Function 004EA86C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 004EA896

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 55ddfcd3ebe330a3bfde940f76c41656a68aff3db5c0cf2506262176906296d9
Instruction ID: ce2ecbccf6bde9027b83d716ea058fef2afef80525a6864c4497e6b082edc991
Opcode Fuzzy Hash: 55ddfcd3ebe330a3bfde940f76c41656a68aff3db5c0cf2506262176906296d9
Instruction Fuzzy Hash: FC518570505256CFCF14EF69E0406BA7BA0FF16318F24440AE8919B3D1DB38AC42CBA1

Function 005560A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0055613D
_wcslen.LIBCMT ref: 00556149

Strings

CALLARGARRAY, xrefs: 00556143, 00556148

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0c7f082097520fea01162b52397289e025262351de5f9456613bc024803cc57b
Instruction ID: e3007c53eac9ff15a9ef00cac29e12236afe089c9fefe44345da1f75bcabd1d1
Opcode Fuzzy Hash: 0c7f082097520fea01162b52397289e025262351de5f9456613bc024803cc57b
Instruction Fuzzy Hash: 4941C271A005099FCB04DFA9C8958BEBFB5FF58325F50405EE806A7352DB749D85CBA0

Function 00564E96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00564F7E
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00564F93

Strings

', xrefs: 00564EED

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c3e106a73b08a0fa9cdc937ffab894ebeb611c9c7af4c2ef7c34bad66e821050
Instruction ID: 00fd375563e2276f39303e75c5169ba2817dcf16e23567d73cafbecb8e1c79b8
Opcode Fuzzy Hash: c3e106a73b08a0fa9cdc937ffab894ebeb611c9c7af4c2ef7c34bad66e821050
Instruction Fuzzy Hash: C0313574A0130ADFDB04CFA9C880BEABBB5FF49304F10456AE905AB391D771A981CF90

Function 0056406F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004D771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004D7759
Part of subcall function 004D771B: GetStockObject.GDI32(00000011), ref: 004D776D
Part of subcall function 004D771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 004D7777

GetWindowRect.USER32(00000000,?), ref: 005640D9
GetSysColor.USER32(00000012), ref: 005640F3

Strings

static, xrefs: 005640B6

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 622d239a85986095b220990c8c26bfe71504ebd5970154d9a7424ac6df741da3
Instruction ID: d699fb1f56759ac6989508576a89292ca0f4330f94e409f214abaf317e6448e3
Opcode Fuzzy Hash: 622d239a85986095b220990c8c26bfe71504ebd5970154d9a7424ac6df741da3
Instruction Fuzzy Hash: CD11267261020AAFDB00DFA8CC46AFA7BF8FB18314F004929FD55E7250E674E851DB60

Function 0053256E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005325DC

Strings

ComboBox, xrefs: 0053257B
ListBox, xrefs: 005325A6

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 09764d955f3faac6c52b9a802ec1ba7e350f0dacdccc27a0d24686d65c52c498
Instruction ID: 1b4fd08817128b87b8368af8071ecfebb30d76dab4e37e04a906f7a2fe1a5152
Opcode Fuzzy Hash: 09764d955f3faac6c52b9a802ec1ba7e350f0dacdccc27a0d24686d65c52c498
Instruction Fuzzy Hash: CE01B571A01115EBCB14EBA4CC65DFE7BA5FF55310F040A1AA862973D6EA34990896A0

Function 00532468 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,00000180,00000000,?), ref: 005324D6

Strings

ComboBox, xrefs: 00532475
ListBox, xrefs: 005324A0

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9278ed6ca170a3a7d791dd42ba61976ba57437c47a850eeccfc003721fb657f4
Instruction ID: 36ee46c5a4457205d6abb9085327117957c315e0c4d44aab735c6a79fb29bd5a
Opcode Fuzzy Hash: 9278ed6ca170a3a7d791dd42ba61976ba57437c47a850eeccfc003721fb657f4
Instruction Fuzzy Hash: F301F771A00109ABDF14EBA0D855EFF7BA9FF51300F14001BA40263292DA649E08C6B1

Function 005324EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,00000182,?,00000000), ref: 00532558

Strings

ComboBox, xrefs: 005324F9
ListBox, xrefs: 00532524

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3cd421dd56b0b3c70a88cb5a39a5c5902ee8fed48c717155f1a09e1fa8ff62d9
Instruction ID: 65c8fc5e055ac01cbfd960b4f4cb02e092ee771dda759b4ece0797a77a4d4cf2
Opcode Fuzzy Hash: 3cd421dd56b0b3c70a88cb5a39a5c5902ee8fed48c717155f1a09e1fa8ff62d9
Instruction Fuzzy Hash: F5012B71A01105A7CF10E7A4C965FFE7BA9FF11700F14001A740277282EB249F0C86B1

Function 005325F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004DB25F: _wcslen.LIBCMT ref: 004DB269

Part of subcall function 00534536: GetClassNameW.USER32(?,?,000000FF), ref: 00534559

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00532663

Strings

ComboBox, xrefs: 00532605
ListBox, xrefs: 00532630

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3318da7cde2cc667c62deaec2a5911b77d6c968fb51da5c06fa784fadbcda277
Instruction ID: 99aeaeda486fc494ee77f60a3232e1c68a731c04080aa6d2303e6302bce41cbb
Opcode Fuzzy Hash: 3318da7cde2cc667c62deaec2a5911b77d6c968fb51da5c06fa784fadbcda277
Instruction Fuzzy Hash: 87F0F471E40219A6DB14E7A48C66FFF7B78FF10710F040A1AB462A32D2DF64580C86A4

Function 00568AD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005A4018,005A405C), ref: 00568B1E
CloseHandle.KERNEL32 ref: 00568B30

Strings

\@Z, xrefs: 00568AE9

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \@Z
API String ID: 3712363035-3777034537
Opcode ID: de51584e33cd18f7afaabd752d42841a4e107c0f597fa3cf63ed33c1b5afd912
Instruction ID: c67489c4bbc6a735734d90271beaf5fba93baa105b5138dd92987d803c0271db
Opcode Fuzzy Hash: de51584e33cd18f7afaabd752d42841a4e107c0f597fa3cf63ed33c1b5afd912
Instruction Fuzzy Hash: F8F054B2640304BBF2202BA56C49F773A9CFB56754F010425FB08DA191D6F54C44BAB9

Function 00562C81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00562C8B
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00562C9E

Part of subcall function 0053F1A7: Sleep.KERNEL32 ref: 0053F21F

Strings

Shell_TrayWnd, xrefs: 00562C84

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 25af874994ea4f5541123ce2f2133a03b7d0ccce598fb43bb0e198be1314c107
Instruction ID: 6cf9822eac6757ab3140c138e4cc46a7f247259f1f6051e6046bfc7c647c29fe
Opcode Fuzzy Hash: 25af874994ea4f5541123ce2f2133a03b7d0ccce598fb43bb0e198be1314c107
Instruction Fuzzy Hash: 49D0C936B94351A6EA68B774EC0FFD66E64EBA4B10F000816B24AAA1D0C9E06804C664

Function 00562CB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00562CCB
PostMessageW.USER32(00000000), ref: 00562CD2

Part of subcall function 0053F1A7: Sleep.KERNEL32 ref: 0053F21F

Strings

Shell_TrayWnd, xrefs: 00562CC4

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 803d842545ffa499aa9d7bc7920aa515133a075b0b103c00d72089a93f71e4e4
Instruction ID: e95dde3fde9cb1054f054f6846157404f8ef957c3cd46eef4d3c30c0f422a94d
Opcode Fuzzy Hash: 803d842545ffa499aa9d7bc7920aa515133a075b0b103c00d72089a93f71e4e4
Instruction Fuzzy Hash: 54D0C936BC53516AFA68B774EC0FFC66A64EBA8B10F400816B246AA1D0C9E06804C668

Function 0050C19D Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0050C233
GetLastError.KERNEL32 ref: 0050C241
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0050C29C

Memory Dump Source

Source File: 00000008.00000002.2254411569.00000000004D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000008.00000002.2254389149.00000000004D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.000000000056D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254470938.0000000000593000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254522521.000000000059D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.2254546054.00000000005A5000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d0000_pjcvfvnncx.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9ae701db7a3aab74e39a2d9b39d008bbb9ee13d5eac99faac5870166b72ba935
Instruction ID: 2c3f553b2e3ed4e45c69472548785d61fd80a3bcbaf008696874c8352064fa55
Opcode Fuzzy Hash: 9ae701db7a3aab74e39a2d9b39d008bbb9ee13d5eac99faac5870166b72ba935
Instruction Fuzzy Hash: C341C33560020BAFDB218FE9C844ABE7FA5BF47310F244669E899AB5E1DB308C01D760

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1wYGO0mAN2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\RarSFX0\bsfwaouaf.ppt

C:\Users\user\AppData\Local\Temp\RarSFX0\csjnimed.pdf

C:\Users\user\AppData\Local\Temp\RarSFX0\dtjhghvbme.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\egagvdxtir.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\fghwgffef.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\fshefj.bmp

C:\Users\user\AppData\Local\Temp\RarSFX0\ftqorsmss.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\fvgmmo.xls

C:\Users\user\AppData\Local\Temp\RarSFX0\fxmmd.xls

C:\Users\user\AppData\Local\Temp\RarSFX0\gjfvqp.xls

C:\Users\user\AppData\Local\Temp\RarSFX0\jdhltah.docx

C:\Users\user\AppData\Local\Temp\RarSFX0\joglr.mp2

Windows Analysis Report
1wYGO0mAN2.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre