Edit tour

Windows Analysis Report
Quote for new order 2025.exe

Overview

General Information

Sample name:	Quote for new order 2025.exe
Analysis ID:	1586086
MD5:	11de9d1bb135adb354e26bdad47037c9
SHA1:	5fbeaf0df88266d5562da5c5f28ccd80e08f349b
SHA256:	9285b4abeb09d675bc06b47444261c1f0034613d08b44b69c99c8ef63b1cfa72
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected WebBrowserPassView password recovery tool

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Quote for new order 2025.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\Quote for new order 2025.exe" MD5: 11DE9D1BB135ADB354E26BDAD47037C9)

cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 1824 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2968 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 3352 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2836 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 3412 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 2580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SIHClient.exe (PID: 1072 cmdline: C:\Windows\System32\sihclient.exe /cv IWSmGHPapE6Xqjlm9aeVHA.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

cmd.exe (PID: 2788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 5908 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7260 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7312 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7500 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7740 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7868 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7936 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 3128 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 6832 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 6560 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 4284 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 5692 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7836 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Quote for new order 2025.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\Quote for new order 2025.exe" MD5: 11DE9D1BB135ADB354E26BDAD47037C9)

cmd.exe (PID: 6092 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7208 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7432 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7600 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7852 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 8144 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7208 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7316 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7424 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 5320 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 2132 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 5664 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7652 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7884 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7844 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Quote for new order 2025.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Quote for new order 2025.exe" MD5: 11DE9D1BB135ADB354E26BDAD47037C9)

cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7748 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8004 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 8064 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 5248 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7228 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 5620 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 1256 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 2216 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 7900 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7636 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

cmd.exe (PID: 5380 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrom.exe (PID: 7860 cmdline: .\Chrom.exe /stext .\output.txt MD5: 2024EA60DA870A221DB260482117258B)

Conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Quote for new order 2025.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\Chrom.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000001E.00000000.1579686626.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001E.00000002.1599466398.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000025.00000000.1615833580.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000021.00000002.1606641123.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000046.00000000.1737799206.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002E.00000002.1684804547.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000037.00000000.1683971895.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002A.00000002.1646011725.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002B.00000000.1623496604.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001B.00000000.1551405817.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000003A.00000000.1689929788.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000043.00000000.1726423761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000037.00000002.1717565382.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000003D.00000002.1740210568.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000031.00000000.1655213594.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002B.00000002.1653815547.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000021.00000000.1585659984.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000003A.00000002.1724156964.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000040.00000000.1720355262.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000034.00000002.1694168665.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000025.00000002.1645795920.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002E.00000000.1650711952.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002A.00000000.1623117839.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000003D.00000000.1700043133.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000040.00000002.1755666445.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000049.00000000.1762667228.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000034.00000000.1663396522.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000031.00000002.1686021450.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001B.00000002.1565953689.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Quote for new order 2025.exe PID: 6992	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 1824	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 3352	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 3412	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 5908	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7208	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7312	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7432	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7500	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7600	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7740	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7748	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Chrom.exe PID: 7852	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 48 entries

Unpacked PEs

Source	Rule	Description	Author
30.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
70.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
43.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
33.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
64.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.Quote for new order 2025.exe.14a5ec.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
27.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
67.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
9.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
61.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
49.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
46.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
58.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
55.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
52.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
64.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
46.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
24.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
52.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
27.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.Quote for new order 2025.exe.14a5ec.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
42.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
42.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
9.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
55.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
73.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
30.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
37.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
61.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
43.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
33.2.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
37.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
58.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
24.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
49.0.Chrom.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.Quote for new order 2025.exe.130000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\Quote for new order 2025.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Quote for new order 2025.exe, ProcessId: 6992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Application

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Quote for new order 2025.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\Chrom.exe

ReversingLabs: Detection: 80%

Multi AV Scanner detection for submitted file

Source: Quote for new order 2025.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for sample

Source: Quote for new order 2025.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_00407687 GetProcAddress,FreeLibrary,CryptUnprotectData,CryptUnprotectData,

6_2_00407687

Source: Quote for new order 2025.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \obj\Debug\FoxmaiI.pdb source: Quote for new order 2025.exe
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Quote for new order 2025.exe, Chrom.exe.1.dr

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0040B477 FindFirstFileW,FindNextFileW,

6_2_0040B477

Source: Joe Sandbox View

IP Address: 162.159.36.2 162.159.36.2

Source: Quote for new order 2025.exe, Chrom.exe.1.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Quote for new order 2025.exe, Chrom.exe.1.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Chrom.exe, 00000006.00000003.1434897070.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1473063755.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1499939409.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: em32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Chrom.exe, 00000006.00000003.1434897070.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1473063755.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1499939409.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: em32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Chrom.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: Chrom.exe, 00000006.00000002.1435247749.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000009.00000002.1473381469.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000013.00000002.1547463386.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000018.00000002.1558352764.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000002.1565712233.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000002.1599193724.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000021.00000002.1606439660.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000025.00000002.1645092641.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000002A.00000002.1645329877.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000002B.00000002.1650898186.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000002E.00000002.1683969911.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000031.00000002.1685488969.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000034.00000002.1693315741.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000037.00000002.1717009414.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000003A.00000002.1723520876.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000003D.00000002.1739236065.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000040.00000002.1754633013.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Quote for new order 2025.exe, Chrom.exe.1.dr	String found in binary or memory: http://www.nirsoft.net/
Source: Chrom.exe, 0000000F.00000002.1500802089.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.netP?
Source: Chrom.exe, 00000006.00000003.1434897070.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429254345.00000000021EF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429064478.00000000021EB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429207156.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429064478.0000000002131000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1473063755.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463963063.000000000224F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463640205.0000000002191000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463640205.000000000224B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463910296.000000000224C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492462889.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492175588.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492301782.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1499939409.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492175588.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523555361.00000000023DF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523027913.00000000023DB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1546842764.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523027913.0000000002321000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523178613.00000000023DC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1545987300.000000000214B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Chrom.exe, 00000006.00000003.1429254345.00000000021EF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429064478.00000000021EB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429207156.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463963063.000000000224F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463640205.000000000224B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463910296.000000000224C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492462889.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492301782.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492175588.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523555361.00000000023DF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523027913.00000000023DB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523178613.00000000023DC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1545987300.000000000214B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1546648555.000000000214C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1546759207.000000000214F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000003.1553765918.00000000022AF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000003.1553699018.00000000022AC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000003.1553419599.00000000022AB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000003.1581216725.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000003.1581581313.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000003.1581386396.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Chrom.exe, 00000006.00000003.1429254345.00000000021EF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429064478.00000000021EB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000006.00000003.1429207156.00000000021EC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463963063.000000000224F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463640205.000000000224B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000003.1463910296.000000000224C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492462889.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492301782.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000003.1492175588.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523555361.00000000023DF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523027913.00000000023DB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000003.1523178613.00000000023DC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1545987300.000000000214B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1546648555.000000000214C000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000003.1546759207.000000000214F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000003.1553765918.00000000022AF000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000003.1553699018.00000000022AC000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000003.1553419599.00000000022AB000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000003.1581216725.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000003.1581581313.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000003.1581386396.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Chrom.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: Chrom.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0041138D OpenClipboard,GetLastError,DeleteFileW,

6_2_0041138D

Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,		6_2_00409E39
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,		6_2_00409EA1

Source: Conhost.exe	Process created: 52
Source: cmd.exe	Process created: 64

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quote for new order 2025.exe

Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP30A9.tmp			Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPC46E.tmp			Jump to behavior

Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044A030	6_2_0044A030
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0040612B	6_2_0040612B
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0043E13D	6_2_0043E13D
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044B188	6_2_0044B188
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00442273	6_2_00442273
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044D380	6_2_0044D380
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044A5F0	6_2_0044A5F0
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_004125F6	6_2_004125F6
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_004065BF	6_2_004065BF
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_004086CB	6_2_004086CB
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_004066BC	6_2_004066BC
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044D760	6_2_0044D760
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00405A40	6_2_00405A40
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00449A40	6_2_00449A40
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00405AB1	6_2_00405AB1
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00405B22	6_2_00405B22
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044ABC0	6_2_0044ABC0
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00405BB3	6_2_00405BB3
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00417C60	6_2_00417C60
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044CC70	6_2_0044CC70
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00418CC9	6_2_00418CC9
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044CDFB	6_2_0044CDFB
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044CDA0	6_2_0044CDA0
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044AE20	6_2_0044AE20
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00415E3E	6_2_00415E3E
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00437F3B	6_2_00437F3B

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\Chrom.exe 53043BD27F47DBBE3E5AC691D8A586AB56A33F734356BE9B8E49C7E975241A56

Source: C:\Users\user\Desktop\Chrom.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Users\user\Desktop\Chrom.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Users\user\Desktop\Chrom.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Users\user\Desktop\Chrom.exe	Code function: String function: 00418555 appears 34 times

Source: Quote for new order 2025.exe

Binary or memory string: OriginalFilenameFoxmaiI.exe4 vs Quote for new order 2025.exe

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@554/15@0/3

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_0041A225

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_0041A6AF

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_00415799 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

6_2_00415799

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource,

6_2_00416A46

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

File created: C:\Users\user\Desktop\Chrom.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_03
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03

Source: C:\Users\user\Desktop\Chrom.exe

File created: C:\Users\user\AppData\Local\Temp\chpDEA1.tmp

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "

Source: Quote for new order 2025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quote for new order 2025.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Chrom.exe, 00000006.00000002.1435816127.0000000002150000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000009.00000002.1474064974.00000000021B0000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000000F.00000002.1501665991.0000000000980000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000013.00000002.1549298427.0000000002340000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000018.00000002.1559585546.00000000020B0000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000002.1570684050.0000000002210000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000002.1600555554.0000000000980000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000021.00000002.1607434388.00000000022F0000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 00000025.00000002.1653399889.00000000020B0000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000002A.00000002.1654030038.00000000021A0000.00000004.00000020.00020000.00000000.sdmp, Chrom.exe, 0000002B.00000003.1646360256.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Quote for new order 2025.exe, 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Chrom.exe, Chrom.exe, 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Chrom.exe, 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Quote for new order 2025.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\Quote for new order 2025.exe "C:\Users\user\Desktop\Quote for new order 2025.exe"
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv IWSmGHPapE6Xqjlm9aeVHA.0.2
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: unknown	Process created: C:\Users\user\Desktop\Quote for new order 2025.exe "C:\Users\user\Desktop\Quote for new order 2025.exe"
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: unknown	Process created: C:\Users\user\Desktop\Quote for new order 2025.exe "C:\Users\user\Desktop\Quote for new order 2025.exe"
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Chrom.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Chrom.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Chrom.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv IWSmGHPapE6Xqjlm9aeVHA.0.2	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Chrom.exe	Section loaded: windows.storage.dll

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Chrom.exe

File opened: C:\Users\user\Desktop\Chrom.cfg

Jump to behavior

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

File opened: C:\Windows\SysWOW64\MsftEdit.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quote for new order 2025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quote for new order 2025.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Quote for new order 2025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \obj\Debug\FoxmaiI.pdb source: Quote for new order 2025.exe
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Quote for new order 2025.exe, Chrom.exe.1.dr

Source: Quote for new order 2025.exe

Static PE information: 0xBB5322FD [Sat Aug 3 20:37:17 2069 UTC]

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

6_2_004053E1

Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_00446B75 push ecx; ret	6_2_00446B85
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044DDB0 push eax; ret	6_2_0044DDC4
Source: C:\Users\user\Desktop\Chrom.exe	Code function: 6_2_0044DDB0 push eax; ret	6_2_0044DDEC

Source: Quote for new order 2025.exe

Static PE information: section name: .text entropy: 6.87952860455371

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

File created: C:\Users\user\Desktop\Chrom.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Application			Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Application			Jump to behavior

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Chrom.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 22F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 25D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 27D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 47D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: AF0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 24D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Memory allocated: 22F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Window / User API: threadDelayed 3832	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Window / User API: threadDelayed 6003	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Window / User API: threadDelayed 2686
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Window / User API: threadDelayed 7153
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Window / User API: threadDelayed 2927
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Window / User API: threadDelayed 6895

Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -199780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97413s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97308s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97163s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -99083s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98961s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98846s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98716s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98601s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98486s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98346s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98211s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -98091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97974s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97855s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97740s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97556s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97441s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 6588	Thread sleep time: -97091s >= -30000s	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe TID: 748	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe TID: 6564	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7244	Thread sleep count: 2686 > 30
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99884s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7244	Thread sleep count: 7153 > 30
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99768s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99652s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99530s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99412s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99286s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99148s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99032s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98917s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98684s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98569s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98445s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98329s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98214s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98098s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97967s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97838s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97509s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97403s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97289s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97173s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97051s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -96935s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -96819s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99885s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99770s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99649s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99544s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99430s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99315s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99190s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -99070s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98950s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98831s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98711s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98599s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98443s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98310s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98163s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -98055s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97940s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97820s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97701s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97580s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97460s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97353s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97228s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7232	Thread sleep time: -97115s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7792	Thread sleep count: 2927 > 30
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -199768s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7792	Thread sleep count: 6895 > 30
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99761s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99645s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99530s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99414s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99182s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99081s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98943s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98825s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98711s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98595s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98458s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98326s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98210s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97978s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97701s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97321s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97104s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -96988s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -96857s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99769s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99635s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99507s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99405s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99295s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99175s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -99035s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98755s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98632s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98486s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98161s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -98035s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97894s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97754s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97615s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97494s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97372s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97256s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97139s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -97022s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -96908s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -96770s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -96639s >= -30000s
Source: C:\Users\user\Desktop\Quote for new order 2025.exe TID: 7784	Thread sleep time: -96522s >= -30000s

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0040B477 FindFirstFileW,FindNextFileW,

6_2_0040B477

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0041A8D8 memset,GetSystemInfo,

6_2_0041A8D8

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99668	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97544	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97413	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97308	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97163	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99779	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99665	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99435	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99207	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99083	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98961	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98846	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98716	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98601	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98486	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98346	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98211	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98091	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97974	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97855	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97740	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97556	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97441	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97311	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97201	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97091	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99884
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99768
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99652
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99530
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99412
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99286
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99148
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99032
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98917
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98797
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98684
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98569
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98445
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98329
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98214
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98098
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97967
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97838
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97509
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97403
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97289
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97173
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97051
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96935
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96819
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99885
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99770
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99649
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99544
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99430
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99315
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99190
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99070
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98950
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98831
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98711
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98599
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98443
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98310
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98163
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98055
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97940
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97820
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97701
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97580
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97460
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97353
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97228
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97115
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99884
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99761
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99645
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99530
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99414
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99313
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99182
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99081
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98943
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98825
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98711
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98595
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98458
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98326
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98210
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98094
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97978
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97701
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97547
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97438
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97321
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97219
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97104
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96988
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96857
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99769
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99635
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99507
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99405
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99295
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99175
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 99035
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98755
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98632
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98486
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98161
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 98035
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97894
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97754
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97615
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97494
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97372
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97256
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97139
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 97022
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96908
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96770
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96639
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Thread delayed: delay time: 96522

Source: chpDEA1.tmp.43.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: chpDEA1.tmp.43.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: SIHClient.exe, 00000010.00000003.1544773401.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1535563280.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1529069946.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1541055256.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1545905755.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1546649768.0000026243084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: chpDEA1.tmp.43.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: chpDEA1.tmp.43.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: chpDEA1.tmp.43.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: SIHClient.exe, 00000010.00000003.1533748375.0000026243037000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: chpDEA1.tmp.43.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: chpDEA1.tmp.43.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: chpDEA1.tmp.43.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: chpDEA1.tmp.43.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: chpDEA1.tmp.43.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: chpDEA1.tmp.43.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: chpDEA1.tmp.43.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: chpDEA1.tmp.43.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: chpDEA1.tmp.43.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: chpDEA1.tmp.43.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: chpDEA1.tmp.43.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: chpDEA1.tmp.43.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: chpDEA1.tmp.43.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: SIHClient.exe, 00000010.00000003.1544773401.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1535563280.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1529069946.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1541055256.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1545905755.0000026243084000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.1546649768.0000026243084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw\
Source: chpDEA1.tmp.43.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

6_2_004053E1

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv IWSmGHPapE6Xqjlm9aeVHA.0.2	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Chrom.exe .\Chrom.exe /stext .\output.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Users\user\Desktop\Quote for new order 2025.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Users\user\Desktop\Quote for new order 2025.exe VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Users\user\Desktop\Quote for new order 2025.exe VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quote for new order 2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_0041A773 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

6_2_0041A773

Source: C:\Users\user\Desktop\Chrom.exe

Code function: 6_2_004192F2 GetVersionExW,

6_2_004192F2

Source: C:\Users\user\Desktop\Quote for new order 2025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Chrom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Chrom.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\Desktop\Chrom.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Chrom.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\Chrom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Chrom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Quote for new order 2025.exe, type: SAMPLE
Source: Yara match	File source: 30.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 70.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Quote for new order 2025.exe.14a5ec.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 67.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 61.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 58.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Quote for new order 2025.exe.14a5ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 73.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 61.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 58.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.0.Chrom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Quote for new order 2025.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000000.1579686626.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1599466398.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1615833580.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1606641123.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000000.1737799206.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.1684804547.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000000.1683971895.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.1646011725.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000000.1623496604.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1551405817.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000003A.00000000.1689929788.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.1726423761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.1717565382.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000002.1740210568.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.1655213594.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.1653815547.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.1585659984.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000003A.00000002.1724156964.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000000.1720355262.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.1694168665.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1645795920.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.1650711952.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.1623117839.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000003D.00000000.1700043133.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.1755666445.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000049.00000000.1762667228.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.1663396522.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.1686021450.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1565953689.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quote for new order 2025.exe PID: 6992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 1824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 3352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 3412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrom.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Desktop\Chrom.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	36 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Quote for new order 2025.exe	61%	ReversingLabs	Win32.PUA.PassShow
Quote for new order 2025.exe	100%	Avira	TR/Spy.Gen
Quote for new order 2025.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\Chrom.exe	81%	ReversingLabs	Win32.PUA.PassView

Source	Detection	Scanner	Label	Link
http://www.nirsoft.netP?	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/accounts/servicelogin	Chrom.exe	false		high
https://login.yahoo.com/config/login	Chrom.exe	false		high
http://www.nirsoft.net	Chrom.exe, 00000006.00000002.1435247749.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000009.00000002.1473381469.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000013.00000002.1547463386.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000018.00000002.1558352764.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000001B.00000002.1565712233.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000001E.00000002.1599193724.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000021.00000002.1606439660.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000025.00000002.1645092641.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000002A.00000002.1645329877.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000002B.00000002.1650898186.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000002E.00000002.1683969911.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000031.00000002.1685488969.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000034.00000002.1693315741.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000037.00000002.1717009414.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000003A.00000002.1723520876.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 0000003D.00000002.1739236065.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Chrom.exe, 00000040.00000002.1754633013.0000000000193000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.nirsoft.net/	Quote for new order 2025.exe, Chrom.exe.1.dr	false		high
http://www.nirsoft.netP?	Chrom.exe, 0000000F.00000002.1500802089.0000000000193000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.149.20.212	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.36.2	unknown	United States	13335	CLOUDFLARENETUS	false
77.245.158.126	unknown	Turkey	42868	NIOBEBILISIMHIZMETLERITR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586086
Start date and time:	2025-01-08 17:43:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	228
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quote for new order 2025.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@554/15@0/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 80 Number of non-executed functions: 185
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: Quote for new order 2025.exe

Simulations

Behavior and APIs

Time	Type	Description
11:44:33	API Interceptor	9526822x Sleep call for process: Quote for new order 2025.exe modified
11:44:45	API Interceptor	2x Sleep call for process: SIHClient.exe modified
16:44:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Application C:\Users\user\Desktop\Quote for new order 2025.exe
16:44:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Application C:\Users\user\Desktop\Quote for new order 2025.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.36.2	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	fK4N7E6bFV.exe	Get hash	malicious	Remcos	Browse
	ALVARA-072.msi	Get hash	malicious	AteraAgent	Browse
	LisectAVT_2403002B_14.dll	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002C_101.dll	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002C_101.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe	Get hash	malicious	Unknown	Browse
	EGQqjPn5p3.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	j1FDxfhkS3.exe	Get hash	malicious	Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	http://wfs.SATSGroup.co/login.php?id=bmZlcmRpbmFuZG9Ad2ZzLmFlcm8=	Get hash	malicious	Unknown	Browse	13.67.68.90
	https://url.uk.m.mimecastprotect.com/s/jiGQCnr5DH7GvmPu9fVSJcV9l?domain=wfs.satsgroup.co	Get hash	malicious	Unknown	Browse	13.67.68.90
	Your Google Account has been deleted due to Terms of Service violations.eml	Get hash	malicious	Unknown	Browse	52.109.28.47
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	13.107.246.61
	https://connect.intuit.com/portal/app/CommerceNetwork/view/scs-v1-01f29c80fd42416b93c1e1b116eb15aeb0bd36fe1ddc4e298589676767f7a30254c18947c53d4f9a9d199271c071ab8c?locale=EN_US	Get hash	malicious	Unknown	Browse	52.141.217.134
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse	52.109.76.240
	mail (4).eml	Get hash	malicious	Unknown	Browse	104.47.11.92
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	40.99.150.82
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.5.80
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	13.107.253.44
CLOUDFLARENETUS	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.112.1
	Play_VM-NowAccountingAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://vq6btbhdpo.nutignaera.shop/?email=YWxlamFuZHJvLmdhcnJpZG9Ac2VhYm9hcmRtYXJpbmUuY29t	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	EZZGTmJj4O.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://tintin.klipdesak.shop/rinko.png	Get hash	malicious	Unknown	Browse	104.21.112.1
	https://my.remarkable.com/	Get hash	malicious	Unknown	Browse	104.19.153.19
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
NIOBEBILISIMHIZMETLERITR	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	77.245.159.14
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	77.245.159.14
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	77.245.159.14
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	77.245.159.27
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	77.245.159.9
	PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	77.245.148.65
	Contract_Agreement_Wednesday September 2024.pdf	Get hash	malicious	Unknown	Browse	77.245.159.9
	Contract_Agreement_Tuesday September 2024.pdf	Get hash	malicious	Unknown	Browse	77.245.159.9
	https://bahrioglunakliyat.com.tr/wp-admin/admin-ajax.php	Get hash	malicious	Unknown	Browse	77.245.159.21
	SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe	Get hash	malicious	Snake Keylogger	Browse	77.245.159.7

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\Chrom.exe	#U0417#U0430#U043f#U0440#U043e#U0441 #U041a#U041f.docx.scr	Get hash	malicious	Unknown	Browse
	curriculum_vitae-copie.vbs	Get hash	malicious	Xmrig	Browse
	curriculum_vitae-copie_(1).vbs	Get hash	malicious	Xmrig	Browse
	curriculum_vitae-copie.vbs	Get hash	malicious	Xmrig	Browse
	UDO_Device_Enrolment.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Downloads\01-08-2025 11-44-34.jpg

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	112990
Entropy (8bit):	7.859934202024067
Encrypted:	false
SSDEEP:	3072:1Wsb/XCFraasSogggiPB5JL3wbCRd1zFP0rerxusSA/MGQgUxVXjzn7:QsbfCAB56CRdbPseUXA/9QgqVXjzn7
MD5:	11172F0083C78EBF8CCAC78209E0FE07
SHA1:	68A25BD49777251DB694B6A69B48F7B985757012
SHA-256:	702C3228DE7BD97A08C40EFEA4FE477FE3445F0629D9ED51B0BA82625DBCFF03
SHA-512:	884D951A73342DCB1308805E678706422650B11C436777CBAE8596A5F87C98AAA4C9FE3B23CBCE4A941795C9AAF4487C5D5F6E8BD7EC956EA559759BDC006329
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\Public\Downloads\01-08-2025 11-44-46.jpg

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	106161
Entropy (8bit):	7.811244242196498
Encrypted:	false
SSDEEP:	3072:MAbzW9aUKQGfmLlGRDeaKeKeNjIFF7KevgjxSMMK9toxhQUl:MeznZvYaKeKeNjS7KevgtzL9thA
MD5:	D4864B57E00140147F1E2535574BCA91
SHA1:	E8FD6DAAFDEE2E5AF881F3567D6FF53EFEDCFEA9
SHA-256:	011DBC20117043B8204FD46D385F64A9EC9F8763AD5305D6642A2EBB906B0A84
SHA-512:	8685DDF7552BC3B9FF56BDFF206192484FFD69CC784D407BE6E8890EFB7BDBFB9EEDC6F8396FF8B7DC83F5114F963F200B20C5BA4EAC646ABD4660686886616A
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\Public\Downloads\01-08-2025 11-44-54.jpg

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	104519
Entropy (8bit):	7.8077925465986935
Encrypted:	false
SSDEEP:	3072:MAbHdf333333d3vifyaNDKjLLyjYAvo0vdGGTjJsHi99j:Mep33333316fyuDKjLLyjLo0voGTdsUJ
MD5:	562AD6EBB8AEA102DAB2E90FC13E97F2
SHA1:	3417B74A275624CB40650CA84244A040A1BECE42
SHA-256:	BF403F458A93909AC8A38B3C528105ED28CC7E92F344027B2D37F713355E9BC0
SHA-512:	D1A6E4F09421808C8EC7D0706F46D8BCE681BE748094340654721474E2F67266636616A466DE31215229179E2A82D124F85F468ED8771DD24D108666B525E8AC
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\Public\Downloads\01-08-2025 12-27-19.jpg

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	108498
Entropy (8bit):	7.834174514510483
Encrypted:	false
SSDEEP:	1536:CVpGbvmQLWqgQmoC53at7bdx5vT9n7AjlA431CB+Y11s0vd0oURxXLeq5GOax/mM:MAbzWqgf3at7G71kvo0vd0dXLeqQOip
MD5:	F308289E3EE5E6BA44A7DDBDDA072A79
SHA1:	B00E46CF57B539A3BF7649B01F6FA044E2CDEE01
SHA-256:	26CC13CC79B46878B0B48202E3F9C0E481FCB8FF9F9BAF8A55EF2FEAF3C8C16A
SHA-512:	D6A4074568667FBC6A43085F9FD9CD8F2981C1FC53B6D6A54138305D5257384F88A506A71E2A66B7FFC4F33ABCA7B923FE701E89834D880DEDD8D2AD6025FD34
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\Public\Downloads\01-08-2025 12-27-27.jpg

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	105028
Entropy (8bit):	7.810557260087749
Encrypted:	false
SSDEEP:	3072:MAbzW9aUKQINV+o1p8+nnn8nxYiCdX0C8D+B4BBmfMR31VXdE:MeznjT8+nnn8nxjwF6+mzmfMLVXdE
MD5:	A8CBBF5ACFDD25A08BCEA97018427AF4
SHA1:	8A97A1D8AA05FCDB48F483D494A6DF1FABD9177E
SHA-256:	3E39D77F8C9D1808F770D94DF3BCFC121529DC65FD5FC288F89706C961B0177E
SHA-512:	21C2BCF73A8633885DAA9FA7F833275A4897B096510A9BE0F3B16BC1683623FB256149F8DEA352E79667C165CD0D1D7664D5B8B37DE94963EF7B8C4238789B4F
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\Public\Downloads\01-08-2025 12-27-35.jpg

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	99212
Entropy (8bit):	7.800607007358502
Encrypted:	false
SSDEEP:	3072:MAbHdf333333d3vifyaNDKjLLyjYAvo0vdGh+0DDDVjL:Mep33333316fyuDKjLLyjLo0voh1DDDJ
MD5:	963F71CDD063A2D85DF636693EB805DF
SHA1:	76D55C8568E0838FE8553C625AE58BA2425A0613
SHA-256:	28D85E2AAE0370F95B6ACCB982A1431F7DC132E59A7E50C51DB4987B3E28033E
SHA-512:	F145A719F710056956C456FF4F8F6AF613C3BBDD221C50B045AEE141C52EE9CBC253B494C4EA530029E40C2E0C083D5690530D7B4851CE55B89A4EFEF1E5A335
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Local\Temp\chpDEA1.tmp

Download File

Process:	C:\Users\user\Desktop\Chrom.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\Chrom.exe

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	402944
Entropy (8bit):	6.666814366272581
Encrypted:	false
SSDEEP:	6144:QNV8uoDRSdm3v93UFlssFHgkU9KvKUXr/BAO9N/oXrsAteTQokizYu:eSDRSm3vrugB9KvKk9RO8k3u
MD5:	2024EA60DA870A221DB260482117258B
SHA1:	716554DC580A82CC17A1035ADD302C0766590964
SHA-256:	53043BD27F47DBBE3E5AC691D8A586AB56A33F734356BE9B8E49C7E975241A56
SHA-512:	FFCD4436B80169BA18DB5B7C818C5DA71661798963C0A5F5FBAC99A6974A7729D38871E52BC36C766824DD54F2C8FA5711415EC45799DB65C11293D8B829693B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\Desktop\Chrom.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 81%
Joe Sandbox View:	Filename: #U0417#U0430#U043f#U0440#U043e#U0441 #U041a#U041f.docx.scr, Detection: malicious, Browse Filename: curriculum_vitae-copie.vbs, Detection: malicious, Browse Filename: curriculum_vitae-copie_(1).vbs, Detection: malicious, Browse Filename: curriculum_vitae-copie.vbs, Detection: malicious, Browse Filename: UDO_Device_Enrolment.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................9.......9............... ......................;.......;.......;......Rich............PE..L....hy`.....................P......,i............@..................................................................................@..................................................................................p............................text............................... ..`.rdata..............................@..@.data..............................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\output.txt

Download File

Process:	C:\Users\user\Desktop\Chrom.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\windown.bat

Download File

Process:	C:\Users\user\Desktop\Quote for new order 2025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	33
Entropy (8bit):	3.8013774524295485
Encrypted:	false
SSDEEP:	3:FnGwOts:ods
MD5:	AB9CCDFF55A9BE4B55EC1560B01447B5
SHA1:	DBF1A7C20E78B1156BA5A1F4F9F45757582D7542
SHA-256:	2B90B9D067A6EA1795075872E83A75DDC2B69A59F51D004DFF13ED97693AF18B
SHA-512:	5966B3B8E2F20699DFBD9CC7B26B2450BE4313CE264A43342D975420662C8614B3F0EA0230ABB63CAF2BC003921CCF168EA4C6BD09A8B9179DA62B71549C569D
Malicious:	false
Preview:	.\Chrom.exe /stext .\output.txt..

C:\Windows\Logs\SIH\SIH.20250108.114443.109.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.1528669395457696
Encrypted:	false
SSDEEP:	96:FjdIi80mz64wkf+HwxsrF7xYYM2C9IcykZfvYcbI6SClcCEDJL/whTAx:Fj40mz9tfms27azLahev7bP9BEDJUTAx
MD5:	70B2871FEC8F9C9E1CAD16633F5949BA
SHA1:	CE41094E4EF7033850E7B4ECA6606834C3A558CB
SHA-256:	57F8DF54BE8372D8E45A30173C2D08E74BB3ADD7ECE637C51EF6625CE48802B2
SHA-512:	78C62CAB71EB6D1EA1BB8B0E3D659A4E27B795B5B348F8D25437D1B062548A466600D323A7F0D100984224322C0CF347E49FC59CCB6C2EF5C3E70CD1176F8E32
Malicious:	false
Preview:	....P...P.......................................P...!...........................,...0...O..Y....................eJ......:1..a..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................X.Pl...........L.(..a..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.0.8...1.1.4.4.4.3...1.0.9...1...e.t.l.......P.P.,...0...O..Y....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP30A9.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPC46E.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	19826
Entropy (8bit):	7.454351722487538
Encrypted:	false
SSDEEP:	384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5:	455385A0D5098033A4C17F7B85593E6A
SHA1:	E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256:	2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512:	104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious:	false
Preview:	MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f\|..g.7..6..].7B..O..#d..]Ls.k..Le...2...&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,......1.:-....K.......M..;....(,.W.V(^_.....9.,`\|...9...>..R...2\|.\|5.r....n.y>wwU..5...0.J....H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	30005
Entropy (8bit):	7.7369400192915085
Encrypted:	false
SSDEEP:	768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5:	4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1:	B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256:	BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512:	DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious:	false
Preview:	MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.\|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.\|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N....5.R...,+...u.~VO...R-......H7..9........].K....]....tS~.LSi....T....3+........k......i.J.y...,.Y\|.N.t.LX.....zu..8......S7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.993617871655389
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.69% Win32 Executable (generic) a (10002005/4) 49.65% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	Quote for new order 2025.exe
File size:	543'744 bytes
MD5:	11de9d1bb135adb354e26bdad47037c9
SHA1:	5fbeaf0df88266d5562da5c5f28ccd80e08f349b
SHA256:	9285b4abeb09d675bc06b47444261c1f0034613d08b44b69c99c8ef63b1cfa72
SHA512:	06c81c0bd9a7fad58c35cc608deb8e9c9cd1adebff271df9f4be1038cac104a9521dbb13bb0e4941795400c47bb35476ac9596928daf57d677270958e9a7731b
SSDEEP:	12288:rIsTP2PSDRSm3vrugB9KvKk9RO8k3hTP2:tTuPS53v6gByKk9ROHhTu
TLSH:	B7C4BF02F3D18036E5AB013207BA6772DEF6BE201635D6670BC51A89AE715D1EB3E743
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."S..........."...P.................. ........@.. ....................................`................................

File Icon


Icon Hash:	71716ccc9e15152b

Static PE Info

General

Entrypoint:	0x47ccde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBB5322FD [Sat Aug 3 20:37:17 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7cc8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x98d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7cbf0	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7ace4	0x7ae00	6403e7681c4382fd760e67f120021b85	False	0.6112168584689726	data	6.87952860455371	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x98d8	0x9a00	505e1cfe1d7e64c9606199aa8ae2319d	False	0.9738484172077922	data	7.938275905610368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	ceabe85b151fe5a9bee0f5306c78aaa1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x7e0c8	0x94c4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9944858733326332
RT_GROUP_ICON	0x8759c	0x14	data	1.1
RT_VERSION	0x875c0	0x314	data	0.4352791878172589

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	1
Start time:	11:44:32
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Quote for new order 2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote for new order 2025.exe"
Imagebase:	0x130000
File size:	543'744 bytes
MD5 hash:	11DE9D1BB135ADB354E26BDAD47037C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000000.1404548599.0000000000132000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:44:33
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:44:33
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:44:33
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.1416271513.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\Desktop\Chrom.exe, Author: Joe Security
Antivirus matches:	Detection: 81%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:44:38
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3372, Parent PID: 2968

General

Target ID:	8
Start time:	11:44:38
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:44:38
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.1473623530.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000000.1460200494.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:44:41
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3900, Parent PID: 2836

General

Target ID:	14
Start time:	11:44:41
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:44:41
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000000.1491008994.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.1501173441.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:44:43
Start date:	08/01/2025
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv IWSmGHPapE6Xqjlm9aeVHA.0.2
Imagebase:	0x7ff6656c0000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:44:44
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5384, Parent PID: 2788

General

Target ID:	18
Start time:	11:44:44
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:44:44
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.1521588949.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000002.1547704057.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:44:44
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Quote for new order 2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote for new order 2025.exe"
Imagebase:	0x480000
File size:	543'744 bytes
MD5 hash:	11DE9D1BB135ADB354E26BDAD47037C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	11:44:45
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5332, Parent PID: 6092

General

Target ID:	23
Start time:	11:44:45
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:44:45
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000002.1558595179.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000000.1537206761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:44:47
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7268, Parent PID: 7260

General

Target ID:	26
Start time:	11:44:47
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:44:47
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000000.1551405817.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.1565953689.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:44:50
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7384, Parent PID: 7376

General

Target ID:	29
Start time:	11:44:50
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:44:50
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001E.00000000.1579686626.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001E.00000002.1599466398.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:44:50
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7456, Parent PID: 7448

General

Target ID:	32
Start time:	11:44:50
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:44:50
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.1606641123.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000000.1585659984.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:44:53
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Quote for new order 2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quote for new order 2025.exe"
Imagebase:	0xf0000
File size:	543'744 bytes
MD5 hash:	11DE9D1BB135ADB354E26BDAD47037C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	11:44:53
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7564, Parent PID: 7552

General

Target ID:	36
Start time:	11:44:53
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:44:53
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000025.00000000.1615833580.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000025.00000002.1645795920.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:44:53
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7652, Parent PID: 6992

General

Target ID:	39
Start time:	11:44:53
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7664, Parent PID: 7644

General

Target ID:	40
Start time:	11:44:54
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:44:54
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:44:54
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000002A.00000002.1646011725.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000002A.00000000.1623117839.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:44:54
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000002B.00000000.1623496604.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000002B.00000002.1653815547.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	11:44:56
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7808, Parent PID: 7800

General

Target ID:	45
Start time:	11:44:56
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:44:57
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000002E.00000002.1684804547.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000002E.00000000.1650711952.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:44:57
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7892, Parent PID: 7868

General

Target ID:	48
Start time:	11:44:57
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:44:57
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000031.00000000.1655213594.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000031.00000002.1686021450.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:44:58
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8012, Parent PID: 8004

General

Target ID:	51
Start time:	11:44:58
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	11:44:58
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000034.00000002.1694168665.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000034.00000000.1663396522.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	11:45:00
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8100, Parent PID: 8092

General

Target ID:	54
Start time:	11:45:00
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	11:45:00
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000037.00000000.1683971895.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000037.00000002.1717565382.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	11:45:01
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8168, Parent PID: 8160

General

Target ID:	57
Start time:	11:45:01
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	11:45:01
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000003A.00000000.1689929788.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000003A.00000002.1724156964.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	11:45:02
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0x7ff6fab70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5256, Parent PID: 5248

General

Target ID:	60
Start time:	11:45:02
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	11:45:02
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000003D.00000002.1740210568.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000003D.00000000.1700043133.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	11:45:04
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7200, Parent PID: 7208

General

Target ID:	63
Start time:	11:45:04
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	11:45:04
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000040.00000000.1720355262.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000040.00000002.1755666445.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	11:45:04
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7292, Parent PID: 7300

General

Target ID:	66
Start time:	11:45:04
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	11:45:04
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000043.00000000.1726423761.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	11:45:05
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7392, Parent PID: 5620

General

Target ID:	69
Start time:	11:45:05
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	11:45:05
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000046.00000000.1737799206.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	11:45:08
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7380, Parent PID: 7424

General

Target ID:	72
Start time:	11:45:08
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	11:45:08
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000049.00000000.1762667228.000000000044F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	11:45:09
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	11:45:09
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	11:45:09
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	11:45:12
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	11:45:12
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	11:45:12
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	11:45:12
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	11:45:12
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	11:45:12
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	11:45:13
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	11:45:13
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	11:45:13
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	11:45:15
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	11:45:15
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	11:45:15
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	11:45:15
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	11:45:15
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	11:45:16
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	11:45:17
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	11:45:17
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	11:45:17
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	11:45:19
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	11:45:19
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	11:45:19
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Chrom.exe
Wow64 process (32bit):	true
Commandline:	.\Chrom.exe /stext .\output.txt
Imagebase:	0x400000
File size:	402'944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	11:45:19
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\windown.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	11:45:19
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	129
Start time:	11:45:26
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	153
Start time:	11:45:30
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	215
Start time:	11:45:43
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	257
Start time:	11:45:53
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	287
Start time:	11:45:58
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	305
Start time:	11:46:02
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	317
Start time:	11:46:05
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	329
Start time:	11:46:07
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	335
Start time:	11:46:08
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	353
Start time:	11:46:12
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	365
Start time:	11:46:14
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	371
Start time:	11:46:15
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	402
Start time:	11:46:22
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	426
Start time:	11:46:26
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	450
Start time:	11:46:32
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	474
Start time:	11:46:36
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	486
Start time:	11:46:38
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	528
Start time:	11:46:47
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	534
Start time:	11:46:47
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	547
Start time:	11:46:50
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	575
Start time:	11:46:57
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	610
Start time:	11:47:04
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	657
Start time:	11:47:12
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	669
Start time:	11:47:15
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	675
Start time:	11:47:16
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	687
Start time:	11:47:19
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	699
Start time:	11:47:20
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	723
Start time:	11:47:26
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	729
Start time:	11:47:27
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	747
Start time:	11:47:30
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	801
Start time:	11:47:38
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	807
Start time:	11:47:41
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	825
Start time:	11:47:43
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	837
Start time:	11:47:46
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	849
Start time:	11:47:49
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	861
Start time:	11:47:50
Start date:	08/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	1852
Total number of Limit Nodes:	51

Executed Functions

Function 00415799 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408D81: free.MSVCRT ref: 00408D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 004157B7
memset.MSVCRT ref: 004157CC
Process32FirstW.KERNEL32(00000000,?), ref: 004157E8
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 0041582D
memset.MSVCRT ref: 00415854
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00415889
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004158A3
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004158F5
free.MSVCRT ref: 0041590E
Process32NextW.KERNEL32(00000000,0000022C), ref: 00415957
CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00415967

Strings

QueryFullProcessImageNameW, xrefs: 00415893
kernel32.dll, xrefs: 00415884

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 1344430650-1740548384
Opcode ID: 6e73d59367b69d0d0be5dcf68efd57544415f5f941da5b83940bd7f87101e519
Instruction ID: 5ea73396ca473a1f837e0a83f3483b5d1fff5a6958d458d66b17e1ba5df2901d
Opcode Fuzzy Hash: 6e73d59367b69d0d0be5dcf68efd57544415f5f941da5b83940bd7f87101e519
Instruction Fuzzy Hash: 4B5179B2800218EBDB10EF55CC84ADEB7B9AF95304F1141ABE518E3251D7755E84CF69

Function 0041A6AF Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 0041A5D7: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041A603
Part of subcall function 0041A5D7: malloc.MSVCRT ref: 0041A60E
Part of subcall function 0041A5D7: free.MSVCRT ref: 0041A61E

Part of subcall function 004192F2: GetVersionExW.KERNEL32(?), ref: 00419315

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 0041A729
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 0041A751
free.MSVCRT ref: 0041A75A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 2fc49b45259d659c88a61f00e55ea1ae81ff3f089ebddaf00de521a8b5a49264
Instruction ID: 68c13852fb7afd5d8e0c76ce401d57be7323acd7ffb7733afae93f72ee07f9cd
Opcode Fuzzy Hash: 2fc49b45259d659c88a61f00e55ea1ae81ff3f089ebddaf00de521a8b5a49264
Instruction Fuzzy Hash: F1216576802218AEEB12ABA4CD44DEF77BCEF05304F1404A7E551D7181E6788FD587A6

Function 00407687 Relevance: 4.6, APIs: 3, Instructions: 51libraryencryptionloaderCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(-000000FB,00000000,-000000FB,00000000,00000000,-000000FB,-000000FB), ref: 004076FC

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(0045EC00,00000000), ref: 004076B7
FreeLibrary.KERNEL32(00000000,00000141,?,-000000FB,?,004016C4,?,00000000,00000000,?), ref: 004076DA

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
String ID:
API String ID: 767404330-0
Opcode ID: 832906d8a5cb12c8bb733d11a894d9ba26b44f5734ad55cd07f5800a04fa7da7
Instruction ID: d423364176a6c8dd7e4ff5da1a82baf2de462266435030bf45fa2c9e15a2548a
Opcode Fuzzy Hash: 832906d8a5cb12c8bb733d11a894d9ba26b44f5734ad55cd07f5800a04fa7da7
Instruction Fuzzy Hash: 6C018471504A01DED6215F55CC4581BFAE9EB90750B208C3FF0D6E21A0D775AC40DB29

Function 0040B477 Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000000,00414A22,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040B48D
FindNextFileW.KERNELBASE(?,?,?,00000000,00414A22,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040B4A9

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 25427dac3f5a35f7db7d55267f62273ad0c88017264c5fb9230d8676d76f7256
Instruction ID: 0f501c6d627a291db363f91b892f93565970ce46203e449eca58727f5cb945cd
Opcode Fuzzy Hash: 25427dac3f5a35f7db7d55267f62273ad0c88017264c5fb9230d8676d76f7256
Instruction Fuzzy Hash: F9F06276501A119BC721DB74DC459D773D8DB85320B25063EF56AE33C1EF3CAA098768

Function 0041A8D8 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041A8E3
GetSystemInfo.KERNELBASE(004735C0,?,00000000,004453C0,?,?,?,?,?,?,?,?), ref: 0041A8EC

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: a69cf0a51d705e93120e938875cfc719a6a5558cfc76ca9bbae332f7c4943f52
Instruction ID: 008e5f0b5c38a1f1cab39b63f665e63cad528b58ea392fd89bbd5874da5d37fe
Opcode Fuzzy Hash: a69cf0a51d705e93120e938875cfc719a6a5558cfc76ca9bbae332f7c4943f52
Instruction Fuzzy Hash: 95E09271A066206BE3117B726C06BDF26D4AF42349F05043BFD0996243E72C8A85829E

Function 00413F68 Relevance: 48.1, APIs: 25, Strings: 2, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00413FEF
wcsrchr.MSVCRT ref: 00414007
memset.MSVCRT ref: 0041413A
memset.MSVCRT ref: 00414152

Part of subcall function 0040CC16: _wcslwr.MSVCRT ref: 0040CCC5
Part of subcall function 0040CC16: wcslen.MSVCRT ref: 0040CCDA

Part of subcall function 0040B8EC: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040B925
Part of subcall function 0040B8EC: wcslen.MSVCRT ref: 0040B942
Part of subcall function 0040B8EC: wcsncmp.MSVCRT ref: 0040B974
Part of subcall function 0040B8EC: memset.MSVCRT ref: 0040B9CD
Part of subcall function 0040B8EC: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040B9EE

Part of subcall function 0041607F: GetProcAddress.KERNEL32(?,00000000), ref: 004160B2

memset.MSVCRT ref: 0041416A
memset.MSVCRT ref: 00414182
memset.MSVCRT ref: 004142F8
memset.MSVCRT ref: 00414310
memset.MSVCRT ref: 0041439B
memset.MSVCRT ref: 00414448
memset.MSVCRT ref: 00414460
memset.MSVCRT ref: 004144DA
_wcsicmp.MSVCRT ref: 00414820

Part of subcall function 004010A6: CopyFileW.KERNEL32(?,?,00000000,?,?), ref: 004011E4
Part of subcall function 004010A6: memset.MSVCRT ref: 00401208
Part of subcall function 004010A6: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401499

memset.MSVCRT ref: 00414590

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

memset.MSVCRT ref: 0041461C
memset.MSVCRT ref: 00414634
memset.MSVCRT ref: 0041464C
memset.MSVCRT ref: 00414765
memset.MSVCRT ref: 0041477D
memset.MSVCRT ref: 004144F2

Part of subcall function 004010A6: memset.MSVCRT ref: 004010D3
Part of subcall function 004010A6: wcsrchr.MSVCRT ref: 004010EF
Part of subcall function 004010A6: memset.MSVCRT ref: 0040110D
Part of subcall function 004010A6: memset.MSVCRT ref: 004011AC
Part of subcall function 004010A6: CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 004011C3

Part of subcall function 0040B3FA: wcscmp.MSVCRT ref: 0040B419
Part of subcall function 0040B3FA: wcscmp.MSVCRT ref: 0040B42A

memset.MSVCRT ref: 004143B3

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 0041479A
*.*, xrefs: 0041499A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$Filewcslen$wcscmpwcsrchr$AddressAttributesCopyCreateCredDeleteEnumerateFolderPathProcSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 241508006-3798722523
Opcode ID: b227ea8de1fefab8d68ff4433db62ad9ea1528c89fddca809f1fa64c36be4a22
Instruction ID: 160b922070d72b691ae3132d21ec35459ff4d79c06758521881ebd4265f3e304
Opcode Fuzzy Hash: b227ea8de1fefab8d68ff4433db62ad9ea1528c89fddca809f1fa64c36be4a22
Instruction Fuzzy Hash: 785276B2900219ABDB10EB51CD46EDFB77CAF45344F0501BBF508A6192EB385E948B9E

Function 004122BA Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004053E1: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405400
Part of subcall function 004053E1: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00405412
Part of subcall function 004053E1: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405426
Part of subcall function 004053E1: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00405451

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 004122E6
GetModuleHandleW.KERNEL32(00000000,00416ACC,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 004122FF
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 00412306

Strings

/deleteregkey, xrefs: 00412380
, xrefs: 0041231A
/savelangfile, xrefs: 00412352

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: a23a53bd30f639ab6e593c7dcdfa98b0c8a8014cf9dc6c45a60d320dd2194cd3
Instruction ID: 2178966f4a80c8fc13f983811a773bf45d976ad6511b0e23f4840dc4cb99dd1b
Opcode Fuzzy Hash: a23a53bd30f639ab6e593c7dcdfa98b0c8a8014cf9dc6c45a60d320dd2194cd3
Instruction Fuzzy Hash: 01519D71508345ABC720AFA2CD4899F77A8FF85348F40083EFA45E2151DB79D8558B6A

Function 004010A6 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 387
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010D3

Part of subcall function 0040A22F: wcscpy.MSVCRT ref: 0040A234
Part of subcall function 0040A22F: wcsrchr.MSVCRT ref: 0040A23C

wcsrchr.MSVCRT ref: 004010EF
memset.MSVCRT ref: 0040110D
memset.MSVCRT ref: 004011AC
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 004011C3
CopyFileW.KERNEL32(?,?,00000000,?,?), ref: 004011E4
CloseHandle.KERNELBASE(00000000,?,?), ref: 004011EF
memset.MSVCRT ref: 00401208
memset.MSVCRT ref: 0040127E
memcmp.MSVCRT(?,v10,00000003), ref: 00401373

Part of subcall function 00407687: GetProcAddress.KERNEL32(0045EC00,00000000), ref: 004076B7
Part of subcall function 00407687: FreeLibrary.KERNEL32(00000000,00000141,?,-000000FB,?,004016C4,?,00000000,00000000,?), ref: 004076DA
Part of subcall function 00407687: CryptUnprotectData.CRYPT32(-000000FB,00000000,-000000FB,00000000,00000000,-000000FB,-000000FB), ref: 004076FC

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401499
memset.MSVCRT ref: 00401507
memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040151A
LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00401541

Strings

chp, xrefs: 004011CE
v10, xrefs: 0040136B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
String ID: chp$v10
API String ID: 1297422669-2783969131
Opcode ID: 47d6175e8d0e33c0659d7d46783e5b788e40facdbff0a1b5b4667f91ce8afc02
Instruction ID: f518f8cdbbaa5cc0a15761cad5a7de08cb03170c242fb237df98171784d43b0b
Opcode Fuzzy Hash: 47d6175e8d0e33c0659d7d46783e5b788e40facdbff0a1b5b4667f91ce8afc02
Instruction Fuzzy Hash: 26D18472D00218AFEB10EB95DC81EEE77B8AF04314F1144BAF515F7292DA785F848B99

Function 0040C009 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004083CC: _wcsicmp.MSVCRT ref: 004083FD

Part of subcall function 004086CB: memset.MSVCRT ref: 004087C7

free.MSVCRT ref: 0040C1F8

Part of subcall function 0040BAAE: _wcsicmp.MSVCRT ref: 0040BAC7

memset.MSVCRT ref: 0040C0DE

Part of subcall function 0040B04F: wcslen.MSVCRT ref: 0040B062
Part of subcall function 0040B04F: memcpy.MSVCRT(?,?,00000000,00000000,0040D237,00000000,?,?), ref: 0040B081

wcschr.MSVCRT ref: 0040C116
memcpy.MSVCRT(?,-00000121,00000008,0044F4CC,00000000,00000000,76F92EE0), ref: 0040C14A
memcpy.MSVCRT(?,-00000121,00000008,0044F4CC,00000000,00000000,76F92EE0), ref: 0040C165
memcpy.MSVCRT(?,-00000220,00000008,0044F4CC,00000000,00000000,76F92EE0), ref: 0040C180
memcpy.MSVCRT(?,-00000220,00000008,0044F4CC,00000000,00000000,76F92EE0), ref: 0040C19B

Strings

ModifiedTime, xrefs: 0040C0AE
EntryID, xrefs: 0040C0C8
Url, xrefs: 0040C0BB
, xrefs: 0040C03B
ExpiryTime, xrefs: 0040C094
AccessedTime, xrefs: 0040C0A1
AccessCount, xrefs: 0040C07A
CreationTime, xrefs: 0040C087

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 76d4ef1edd0dd59ac6c56e1808c3e4ae1bc2ed7639c56b04a999e4706e5744af
Instruction ID: 832bc5c0d001ab4c3975677652535c3cfd3fcf8644338d95e37f76bfb8271b51
Opcode Fuzzy Hash: 76d4ef1edd0dd59ac6c56e1808c3e4ae1bc2ed7639c56b04a999e4706e5744af
Instruction Fuzzy Hash: D2514071E003099BDB10DFA5DD86ADEB7B8AF40704F15453BA504BB2D2EB7899058F58

Function 0041599C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 004159BC
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004159C8
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004159D4
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004159E0
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004159EC

Strings

GetModuleFileNameExW, xrefs: 004159CA
EnumProcesses, xrefs: 004159D6
GetModuleInformation, xrefs: 004159E2
EnumProcessModules, xrefs: 004159BE
psapi.dll, xrefs: 004159A2
GetModuleBaseNameW, xrefs: 004159B2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2941347001-70141382
Opcode ID: 8d8171eaa7233f23c424eae13fe9b2c2f689341781acc4346e714e5fd4705eee
Instruction ID: 12a6a4dc47c8e0d72b77561104e235da68e0514af3b1e08ca0077668fc786df3
Opcode Fuzzy Hash: 8d8171eaa7233f23c424eae13fe9b2c2f689341781acc4346e714e5fd4705eee
Instruction Fuzzy Hash: 11F012B4840B00AACB306F759818B1ABEE0EF98701B218C2EE8C093651DBB9A044CF49

Function 0044692C Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044F4C0,00000070), ref: 0044693B
__set_app_type.MSVCRT ref: 0044699A
__p__fmode.MSVCRT ref: 004469AF
__p__commode.MSVCRT ref: 004469BD
__setusermatherr.MSVCRT ref: 004469E9
_initterm.MSVCRT ref: 004469FF
__wgetmainargs.KERNELBASE ref: 00446A22
_initterm.MSVCRT ref: 00446A35
GetStartupInfoW.KERNEL32(?), ref: 00446A92
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446AB8
exit.KERNELBASE ref: 00446ACF
_cexit.MSVCRT ref: 00446AD5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: bed64be1af292bd851980aaafa98510c34be8557dbabbe7686d3cd671069d409
Instruction ID: bb7a70230f37617634207b9b7a32dcb89b9454a8d8bf9e63e77bc0a4be8b0e92
Opcode Fuzzy Hash: bed64be1af292bd851980aaafa98510c34be8557dbabbe7686d3cd671069d409
Instruction Fuzzy Hash: CA519FB1D00714EAEB209F64D848AAE7BF0EB0A715F21813BE451E7291D7788885CB5A

Function 0040C722 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C746

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 0040C34B: memset.MSVCRT ref: 0040C36D
Part of subcall function 0040C34B: memset.MSVCRT ref: 0040C387

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040700C), ref: 0040B5FE

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C7BB
wcschr.MSVCRT ref: 0040C7D2
wcschr.MSVCRT ref: 0040C7F2
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C817
GetLastError.KERNEL32 ref: 0040C821
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C84D
FindCloseUrlCache.WININET(?), ref: 0040C85E

Strings

visited:, xrefs: 0040C7B6

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 2470578098-1702587658
Opcode ID: d051b6bee11d765b52f56e7531097d9158d55cb802cc7655925d0cc4dd98efa9
Instruction ID: 636e8e32e5b1bb4d98569f2fcce6fed8f1b817539a9b6f5200b068eacb01c51d
Opcode Fuzzy Hash: d051b6bee11d765b52f56e7531097d9158d55cb802cc7655925d0cc4dd98efa9
Instruction Fuzzy Hash: 90419776D00219EBDB10EF95CC85AAFBB78EF45714F10017AE904F7281D738AA45CBA9

Function 0040BED3 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004083CC: _wcsicmp.MSVCRT ref: 004083FD

memset.MSVCRT ref: 0040BF1B

Part of subcall function 004086CB: memset.MSVCRT ref: 004087C7

free.MSVCRT ref: 0040BFE9

Part of subcall function 0040BAAE: _wcsicmp.MSVCRT ref: 0040BAC7

Part of subcall function 0040B109: wcslen.MSVCRT ref: 0040B118
Part of subcall function 0040B109: _memicmp.MSVCRT ref: 0040B146

_snwprintf.MSVCRT ref: 0040BFB5

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF75

Strings

, xrefs: 0040BF36
Name, xrefs: 0040BF67
ContainerId, xrefs: 0040BF5A
Containers, xrefs: 0040BEF3
Container_%I64d, xrefs: 0040BFA4

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 5e9c95ea9fb4ba36ec00ad875e059724b31988f2f0f15efd1b386a9bf08e56a8
Instruction ID: afe11abc20e36003db74d94c549cded038fcd9f42a86337aeda0c7f756a0cb8d
Opcode Fuzzy Hash: 5e9c95ea9fb4ba36ec00ad875e059724b31988f2f0f15efd1b386a9bf08e56a8
Instruction Fuzzy Hash: 72317671D0021A6ADF10EFA5CD459DEB7B8EF04344F11007BA518B7181DB38AE858F99

Function 0040154C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D0D4: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040118B,?,?,?,?,000003FF), ref: 0040D0F2
Part of subcall function 0040D0D4: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040D146

Part of subcall function 0040D19E: _wcsicmp.MSVCRT ref: 0040D1D8

memset.MSVCRT ref: 00401629
memset.MSVCRT ref: 00401640
WideCharToMultiByte.KERNEL32(00000000,00000000,0044F4CC,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040118B,?,?), ref: 0040165C
memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040118B,?,?,?,?,000003FF), ref: 0040168A
memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040118B), ref: 004016DF
LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040118B), ref: 004016F1

Strings

, xrefs: 004016CD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
String ID:
API String ID: 115830560-3916222277
Opcode ID: af66d6d532b4a529225be6658073baeaa4897cb95b1b204350b638149536f083
Instruction ID: 6182344d234d3d85177f64ddd9228ac02bc8ade9e8908f776b6b681188bf9119
Opcode Fuzzy Hash: af66d6d532b4a529225be6658073baeaa4897cb95b1b204350b638149536f083
Instruction Fuzzy Hash: 1941E5B2D002196BDB10EBA5CC45ADFB7ADAF44304F05097BB509F7192DA389E48CB59

Function 00411FB2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00411FE9
??2@YAPAXI@Z.MSVCRT(00002A8C), ref: 0041201F
??2@YAPAXI@Z.MSVCRT(00000350), ref: 0041205D
GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 004120CF
LoadIconW.USER32(00000000,00000065), ref: 004120D8
wcscpy.MSVCRT ref: 004120ED

Strings

=E, xrefs: 00411FDF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@$HandleIconLoadModulememsetwcscpy
String ID: =E
API String ID: 2791114272-2289002813
Opcode ID: 6717c7504d51a5bbc073fb69a6a2eb538a62dbd8f8af7227683567ac2f89e9c8
Instruction ID: aad15f6d1b3b0a24ca9589720555a1dcf89de37177915705ae93bfa8ddf3393c
Opcode Fuzzy Hash: 6717c7504d51a5bbc073fb69a6a2eb538a62dbd8f8af7227683567ac2f89e9c8
Instruction Fuzzy Hash: 26316BB19013498FDB30EF668C896CABBE8EF49314F10452FE90CCB241EBB946558B59

Function 0040CC16 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B7D1: free.MSVCRT ref: 0040B7D4
Part of subcall function 0040B7D1: free.MSVCRT ref: 0040B7DC

Part of subcall function 0040B02A: free.MSVCRT ref: 0040B031

Part of subcall function 0040C722: memset.MSVCRT ref: 0040C746
Part of subcall function 0040C722: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C7BB
Part of subcall function 0040C722: wcschr.MSVCRT ref: 0040C7D2
Part of subcall function 0040C722: wcschr.MSVCRT ref: 0040C7F2
Part of subcall function 0040C722: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C817
Part of subcall function 0040C722: GetLastError.KERNEL32 ref: 0040C821

Part of subcall function 0040C871: memset.MSVCRT ref: 0040C8E7
Part of subcall function 0040C871: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C915
Part of subcall function 0040C871: _wcsupr.MSVCRT ref: 0040C92F
Part of subcall function 0040C871: memset.MSVCRT ref: 0040C97E
Part of subcall function 0040C871: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C9A9

_wcslwr.MSVCRT ref: 0040CCC5

Part of subcall function 0040CAE2: wcslen.MSVCRT ref: 0040CB0D
Part of subcall function 0040CAE2: memset.MSVCRT ref: 0040CB6D

wcslen.MSVCRT ref: 0040CCDA

Strings

https://www.google.com/accounts/servicelogin, xrefs: 0040CC58
/, xrefs: 0040CCF1
https://login.yahoo.com/config/login, xrefs: 0040CC72
http://www.facebook.com/, xrefs: 0040CC65
/, xrefs: 0040CCE6

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 2936932814-4196376884
Opcode ID: 482f6134f7daacc017189fcee8ab3649d22c01fd56a7a6b5197cc4e451d6cae4
Instruction ID: eace9bc4984dd9296d8cbd5f4ce7f45cb0460178c22a9edad4fb6917611d5c96
Opcode Fuzzy Hash: 482f6134f7daacc017189fcee8ab3649d22c01fd56a7a6b5197cc4e451d6cae4
Instruction Fuzzy Hash: 03217571600214A6CF10BF5ADC8589E7B68EF44344B20417BF804B7182D778DE85DA99

Function 0040AE2A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040AE4A
GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
wcscpy.MSVCRT ref: 0040AE7A
wcscat.MSVCRT ref: 0040AE90
LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
LoadLibraryW.KERNEL32(?), ref: 0040AEAA

Strings

C:\Windows\system32, xrefs: 0040AE52, 0040AE5A, 0040AE66, 0040AE78

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: C:\Windows\system32
API String ID: 669240632-2896066436
Opcode ID: 8a6edf88a0c2374f88dd8367b006526617f4906d0ebb873f97f1b08593d0deb6
Instruction ID: 7b2e6449704ba0194f95f82772fbf49f9cd5c89e16ce75b46b49e10d3cb4640d
Opcode Fuzzy Hash: 8a6edf88a0c2374f88dd8367b006526617f4906d0ebb873f97f1b08593d0deb6
Instruction Fuzzy Hash: 65F0A471D41324A6EF107B61DC06B8B3B68AB00754F0144B2B908B3192EB78AE988FD9

Function 0040B8EC Relevance: 12.2, APIs: 8, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 004075FC
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 00407610
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 00407623
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 00407637
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 0040764B

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040B925
wcslen.MSVCRT ref: 0040B942
wcsncmp.MSVCRT ref: 0040B974
memset.MSVCRT ref: 0040B9CD
memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040B9EE
_wcsnicmp.MSVCRT ref: 0040BA38
wcschr.MSVCRT ref: 0040BA60
LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BA84

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID:
API String ID: 697348961-0
Opcode ID: 93ecba6a689d5c320bdaef842fb6c50b4f1763f90038faa5d7af11543cd44ae8
Instruction ID: fabfe86e697632e3a113e667da81389391c5e61e9c799e2ba2b38c502135d7e8
Opcode Fuzzy Hash: 93ecba6a689d5c320bdaef842fb6c50b4f1763f90038faa5d7af11543cd44ae8
Instruction Fuzzy Hash: 37510AB1E002099FDF20DFA5C8859AEBBF8EF48304F10452AE919F7251E735A945CF69

Function 0041303D Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00413060
memset.MSVCRT ref: 00413075
memset.MSVCRT ref: 0041308A
memset.MSVCRT ref: 0041309F
memset.MSVCRT ref: 004130B4

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 004134F0: memset.MSVCRT ref: 00413513
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413577
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413588
Part of subcall function 004134F0: memset.MSVCRT ref: 004135A1
Part of subcall function 004134F0: memset.MSVCRT ref: 004135B6
Part of subcall function 004134F0: _snwprintf.MSVCRT ref: 004135D0
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 004135E3

memset.MSVCRT ref: 0041317B

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT(?,?,000000FF,?,00446651,00000000,?,?,?,00000000,?), ref: 00409FA2

Strings

Waterfox\Profiles, xrefs: 004130E1, 004130FC
Waterfox, xrefs: 00413114

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Waterfox$Waterfox\Profiles
API String ID: 4039892925-11920434
Opcode ID: d5c71e77324afc4b5cc82ea4ce8339bfbd05d02e97acfa20c2f281ec6797be4d
Instruction ID: 961380efd413e994d860ccb56e6665ca3f7b28eb71c2195a5a659fa08900d420
Opcode Fuzzy Hash: d5c71e77324afc4b5cc82ea4ce8339bfbd05d02e97acfa20c2f281ec6797be4d
Instruction Fuzzy Hash: C74144B294121CAADB20EB56CC81FCF777CAF85314F1144A7B508F2141EA745B88CF6A

Function 004131CE Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004131F1
memset.MSVCRT ref: 00413206
memset.MSVCRT ref: 0041321B
memset.MSVCRT ref: 00413230
memset.MSVCRT ref: 00413245

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 004134F0: memset.MSVCRT ref: 00413513
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413577
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413588
Part of subcall function 004134F0: memset.MSVCRT ref: 004135A1
Part of subcall function 004134F0: memset.MSVCRT ref: 004135B6
Part of subcall function 004134F0: _snwprintf.MSVCRT ref: 004135D0
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 004135E3

memset.MSVCRT ref: 0041330C

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT(?,?,000000FF,?,00446651,00000000,?,?,?,00000000,?), ref: 00409FA2

Strings

Mozilla\SeaMonkey, xrefs: 004132A5
Mozilla\SeaMonkey\Profiles, xrefs: 00413272, 0041328D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 4039892925-2068335096
Opcode ID: a6f98496c2212be6f2916d1f1e48eedc26af0efe673e4bd53c3bd508ed4be210
Instruction ID: 891e70054f67f373fcd1da7e6bb8e88c65c93f586ac1dbd30abc510520fb583d
Opcode Fuzzy Hash: a6f98496c2212be6f2916d1f1e48eedc26af0efe673e4bd53c3bd508ed4be210
Instruction Fuzzy Hash: AF4142B294121CAADB20EB56CC81FCF777CAF85314F1144ABB509F2142EA745B84CF6A

Function 0041335F Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413382
memset.MSVCRT ref: 00413397
memset.MSVCRT ref: 004133AC
memset.MSVCRT ref: 004133C1
memset.MSVCRT ref: 004133D6

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 004134F0: memset.MSVCRT ref: 00413513
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413577
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413588
Part of subcall function 004134F0: memset.MSVCRT ref: 004135A1
Part of subcall function 004134F0: memset.MSVCRT ref: 004135B6
Part of subcall function 004134F0: _snwprintf.MSVCRT ref: 004135D0
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 004135E3

memset.MSVCRT ref: 0041349D

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT(?,?,000000FF,?,00446651,00000000,?,?,?,00000000,?), ref: 00409FA2

Strings

Mozilla\Firefox, xrefs: 00413436
Mozilla\Firefox\Profiles, xrefs: 00413403, 0041341E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 4039892925-3369679110
Opcode ID: 7ee771b16487d39b61153e4239614bb8b6a0fcb54c4a807fbe838d5fcbd2a04a
Instruction ID: b1b9f3cced5a7470729646768e957e6b9d6e833cd164865aec5624d5e78815e5
Opcode Fuzzy Hash: 7ee771b16487d39b61153e4239614bb8b6a0fcb54c4a807fbe838d5fcbd2a04a
Instruction Fuzzy Hash: BF4134B294121CAADB20EB56DC81FCF777CAF85314F1144ABB508F2142E6795B84CF6A

Function 004167D1 Relevance: 10.6, APIs: 7, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,00000000), ref: 004167FF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416810
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416821
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416832
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416843
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416854
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416865

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 2941347001-0
Opcode ID: 6c7181999001807cf19655f7a5c886da2927c02d6c206d7826a88d8cf07677d3
Instruction ID: 405c2e4babdb8952247d8a080dcda94cd63fb6e5d2decb1bec32cb30ddcbd491
Opcode Fuzzy Hash: 6c7181999001807cf19655f7a5c886da2927c02d6c206d7826a88d8cf07677d3
Instruction Fuzzy Hash: 911124B0504744AEF6207F72DD0BE277AA5EF41B14F11483EF0965A8E1DB7AA8608F24

Function 0041A2D6 Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBE6346,00000003,00000000,?,?,00000000), ref: 0041A3AE
CreateFileA.KERNEL32(?,-7FBE6346,00000003,00000000,00419C3A,00419C3A,00000000), ref: 0041A3C6
GetLastError.KERNEL32 ref: 0041A3D5
free.MSVCRT ref: 0041A3E2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: 3837423018413e79f1a8055628a625645689c72852c8b795b1528378839c1df6
Instruction ID: c70e6a76c9c0c16949b2d84360e4fde80b94c386b4f0d6e6335da104fa2cc62f
Opcode Fuzzy Hash: 3837423018413e79f1a8055628a625645689c72852c8b795b1528378839c1df6
Instruction Fuzzy Hash: DE4135B15093059FE720DF25DC4178BBBE4EF84324F14892EF8A482291D378D9A88B97

Function 00412F8E Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412FAA
memset.MSVCRT ref: 00412FBF

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00409CD8: wcslen.MSVCRT ref: 00409CD9
Part of subcall function 00409CD8: wcscat.MSVCRT ref: 00409CF1

wcscat.MSVCRT ref: 00412FE8

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

wcscat.MSVCRT ref: 00413011

Strings

Mozilla\Profiles, xrefs: 00412FE2
Mozilla\Firefox\Profiles, xrefs: 0041300B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: ba6c0ebe88ac952b5c194dcd9fe97a1dc60b886a3a66e04ae42cc6cfcfc4ce36
Instruction ID: 422148556ace2f77c93d77bf435b4c82adbc6076694dfca18b1a60226733ba9e
Opcode Fuzzy Hash: ba6c0ebe88ac952b5c194dcd9fe97a1dc60b886a3a66e04ae42cc6cfcfc4ce36
Instruction Fuzzy Hash: 0801C2B2A4132C65DB207B228C86ECB732C9F45758F0144BBB504E7143D9788DC88AA9

Function 00403C78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00408D81: free.MSVCRT ref: 00408D88

Part of subcall function 00413F68: memset.MSVCRT ref: 00413FEF
Part of subcall function 00413F68: wcsrchr.MSVCRT ref: 00414007

memset.MSVCRT ref: 00403D7B
memcpy.MSVCRT(?,00000000,00001E38), ref: 00403D94
wcscmp.MSVCRT ref: 00403DC0
_wcsicmp.MSVCRT ref: 00403DFD

Strings

, xrefs: 00403CA3

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
String ID:
API String ID: 2758756878-3916222277
Opcode ID: 86d052ae708fb1be17ff2d385b546714b6cc9c000aacad6c9d693117b8ff7004
Instruction ID: 3324fc85694a20c99f30ee3fab2bb6b3f261583d23399c464f958340e94e5838
Opcode Fuzzy Hash: 86d052ae708fb1be17ff2d385b546714b6cc9c000aacad6c9d693117b8ff7004
Instruction Fuzzy Hash: 6D415C716083858ED730DF25C845A8FB7E8EFC6314F504D2FE48893681DB7899498B57

Function 00416B94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AE7: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00416B0A

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE
memset.MSVCRT ref: 00416BED
RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2A9: GetVersionExW.KERNEL32(0045E340,0000001A,00416BB5,?,00000000), ref: 0040A2C3

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00416C08, 00416C18

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 71295984-2036018995
Opcode ID: 8c20b169bd282f672307cfd0e33e5ead9d42bdd278c07b69ec96e2cf80f58d4a
Instruction ID: cef4cdc2aa1c6a3535febfa580eefb1bb336ec347ee4d762a3996ce24f9a1629
Opcode Fuzzy Hash: 8c20b169bd282f672307cfd0e33e5ead9d42bdd278c07b69ec96e2cf80f58d4a
Instruction Fuzzy Hash: 16110B31901224AADB24B35D9C4D9EF736CDB01308F6204ABE805A2152E628EEC586DE

Function 00416312 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0041632C
_snwprintf.MSVCRT ref: 00416351
WritePrivateProfileStringW.KERNEL32(?,?,?,004552B8), ref: 0041636F
GetPrivateProfileStringW.KERNEL32(?,?,004136D7,?,00000000,004552B8), ref: 00416387

Strings

"%s", xrefs: 00416340

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 3aaa40ebdc19578b97ff3075b960e6db10c6f9077613310ec93345511b7ae3b9
Instruction ID: 6e1343c4dc7dbf7023b058b03300c33d8cf364170467c751c5f20a7e8d9ce334
Opcode Fuzzy Hash: 3aaa40ebdc19578b97ff3075b960e6db10c6f9077613310ec93345511b7ae3b9
Instruction Fuzzy Hash: 3A018B3240421EBBEF219F40DC05FEA3B6AFF05304F048065BD24901A1D33AC565DB99

Function 004156F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004158EF,?,?,?,00000000,?,00000000,?), ref: 00415702
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041571C
GetProcessTimes.KERNELBASE(00000000,?,00000000,?,?,?,004158EF,?,?,?,00000000,?,00000000,?), ref: 0041573F

Strings

kernel32.dll, xrefs: 004156FD
GetProcessTimes, xrefs: 0041570C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: cc6b767486beea88798ecaabffb4101cb485a2642c9037223f23588e5dcb7f65
Instruction ID: a8c3bf7ddc1ca0b25540cafbdac30c397c85bf92067745488bba3609cc165c05
Opcode Fuzzy Hash: cc6b767486beea88798ecaabffb4101cb485a2642c9037223f23588e5dcb7f65
Instruction Fuzzy Hash: 4DF01C75140708EFDB019FA4FD06BA63BA4EB48342F044075B91CD2562D776C9A8DF5A

Function 00445E0F Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000048,00452BA0,0000002C,000003FF,?,?,00000000,?,00401230), ref: 00445EC0

Strings

BINARY, xrefs: 00445F29, 00445F2E, 00445F3A, 00445F46, 00445F6B
RTRIM, xrefs: 00445F52
no such vfs: %s, xrefs: 00445F0A
NOCASE, xrefs: 00445F83

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$no such vfs: %s
API String ID: 3510742995-3177411277
Opcode ID: 1165683c971d253af972ad931778c34b410deae4bfcb81e51aa8cc138b68385f
Instruction ID: 74b0bd9825c19e6685264d1484a235018c45777622f8ba0ce628bc876c866ef4
Opcode Fuzzy Hash: 1165683c971d253af972ad931778c34b410deae4bfcb81e51aa8cc138b68385f
Instruction Fuzzy Hash: 03710A71604701BFE710AF16CCC1EA6B7A8BB05318F15452FF41897383DB79E8958BAA

Function 00409A0C Relevance: 7.7, APIs: 6, Instructions: 191COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409A2F

Part of subcall function 0040ACA5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040121D,?,?,?,?,?,?,?), ref: 0040ACBE

Part of subcall function 00404F45: memset.MSVCRT ref: 00404F65

memset.MSVCRT ref: 00409A82
memset.MSVCRT ref: 00409A9A
memset.MSVCRT ref: 00409AB2
memset.MSVCRT ref: 00409ACA
memset.MSVCRT ref: 00409AE2

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
String ID:
API String ID: 2911713577-0
Opcode ID: b2a1f19d586bb9d584c5167c27d38584a59658dc22e7c63e49521902dc34c3a0
Instruction ID: 17c299170da2f5c18cd71e263501a174130e3f539370559341ef3f42c2fa300c
Opcode Fuzzy Hash: b2a1f19d586bb9d584c5167c27d38584a59658dc22e7c63e49521902dc34c3a0
Instruction Fuzzy Hash: 725189B290121CBEEB50FB51DC42EDF776CEF04314F0100BAB908B6182EA759F949BA5

Function 004210FD Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,?,00000004,00000007,?), ref: 0042115A
memcmp.MSVCRT(?,SQLite format 3,00000010,00000007,?), ref: 00421185
memcmp.MSVCRT(?,@ ,00000003,?,00000007,?), ref: 004211F1

Strings

SQLite format 3, xrefs: 00421178
@ , xrefs: 004211EB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 82336c06f0688cb1bc2bd00ffa355ff92def4b65560ebcaa84e75a6edbebfb2e
Instruction ID: 8a8e30af19285e6602da34aa628d26869ae88a683b6dca71fc9513d498463ada
Opcode Fuzzy Hash: 82336c06f0688cb1bc2bd00ffa355ff92def4b65560ebcaa84e75a6edbebfb2e
Instruction Fuzzy Hash: A451F271A00225DBDB10DFA9D8817AAB7F4EF64314F55019BE804EB256D778EE01CBA8

Function 00410C23 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00410C44
qsort.MSVCRT ref: 00410CEE

Strings

/nosort, xrefs: 00410CA4
/sort, xrefs: 00410C3F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: c07a100eaa3c38faba3df5a66cb89ab60920950fe83399008d8303a833aca2b3
Instruction ID: 144d33eed54290a6f9744a9a5dbcb7717411fe56fc34cf4e9986f4238599fcc7
Opcode Fuzzy Hash: c07a100eaa3c38faba3df5a66cb89ab60920950fe83399008d8303a833aca2b3
Instruction Fuzzy Hash: F221F8707006019FE318AB36C981E96B3A9FF95314B11026FE4259B291DBB5BCD18BDD

Function 0040C34B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C36D
memset.MSVCRT ref: 0040C387

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Strings

Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040C3CD
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040C3A5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2887208581-2114579845
Opcode ID: 394c4c75fa7beffb2d5a2aa385abc5dc66d0e768d5be117711317e139cb40491
Instruction ID: 3131e6838cf381c5c62b3ff9a3a8967ade7f88a79be8704d85ddc64b4c2fe5ff
Opcode Fuzzy Hash: 394c4c75fa7beffb2d5a2aa385abc5dc66d0e768d5be117711317e139cb40491
Instruction Fuzzy Hash: A51137B2D8021CA6EB10E761DC86FDB77ACAB14308F1105B7BD04F51C3E6B89ED84699

Function 0043C798 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043C7DB
memset.MSVCRT ref: 0043CB84

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043C86A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: b3be54a25f95d4426186d96762bdc05463f7e7b5d4954b2f9a60bb8f93d58d58
Instruction ID: d119b0dec74e9b19e5a25435855cd8d11ca1b6cc1a1ec524576f73f373bec87f
Opcode Fuzzy Hash: b3be54a25f95d4426186d96762bdc05463f7e7b5d4954b2f9a60bb8f93d58d58
Instruction Fuzzy Hash: 05827A71A00218AFDF25DF69C881AAE7BB1FF08318F14511AFD15A7292D77AEC41CB94

Function 0040D540 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D57A
??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D598
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D5B6
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D5D4

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 9e807e9980987f70bb2a73660c85433d145fa0dd07df9d2969b3cf11719032c3
Instruction ID: 0e0a047154a33720e6f2f45df11e84489cdf12d838f6504bc1093cfb551ce4d4
Opcode Fuzzy Hash: 9e807e9980987f70bb2a73660c85433d145fa0dd07df9d2969b3cf11719032c3
Instruction Fuzzy Hash: F70171B26023005EFB5EDB3AED07B2D66A0EB48311F04453EE602CD1F6EEB5D6408B08

Function 0041691E Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 004167FF
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416810
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416821
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416832
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416843
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416854
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416865

memcmp.MSVCRT(?,00452BCC,00000010,?,00000000,?), ref: 004169BD

Strings

8, xrefs: 0041698A
$, xrefs: 00416998

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$memcmp
String ID: $$8
API String ID: 2808797137-435121686
Opcode ID: c8c4ce928d5e3aac457400f17cb603f47478cc1e293077f961af05addd09d54a
Instruction ID: d6b0cb39fe6b11ebd3f8115ad541cfda54a2ea99a1e62a8371d336f42745e82c
Opcode Fuzzy Hash: c8c4ce928d5e3aac457400f17cb603f47478cc1e293077f961af05addd09d54a
Instruction Fuzzy Hash: CB3183B1A00219AFCF10DF95CD80AEEB7B8BF48354F11455AE811B3241D778ED848F65

Function 0040C210 Relevance: 4.6, APIs: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BD7C: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040BDF1
Part of subcall function 0040BD7C: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040BE10
Part of subcall function 0040BD7C: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040BE1D
Part of subcall function 0040BD7C: GetFileSize.KERNEL32(?,00000000), ref: 0040BE32
Part of subcall function 0040BD7C: CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040BE5C
Part of subcall function 0040BD7C: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040BE71
Part of subcall function 0040BD7C: WriteFile.KERNEL32(00000000,00000000,00000104,0040C401,00000000), ref: 0040BE8C
Part of subcall function 0040BD7C: UnmapViewOfFile.KERNEL32(00000000), ref: 0040BE93
Part of subcall function 0040BD7C: CloseHandle.KERNEL32(?), ref: 0040BE9C

CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040C401,000000FF,?,00000104,00000000), ref: 0040C2E0

Part of subcall function 0040C009: memset.MSVCRT ref: 0040C0DE
Part of subcall function 0040C009: wcschr.MSVCRT ref: 0040C116
Part of subcall function 0040C009: memcpy.MSVCRT(?,-00000121,00000008,0044F4CC,00000000,00000000,76F92EE0), ref: 0040C14A

DeleteFileW.KERNEL32(?,?,0040C401,000000FF,?,00000104,00000000), ref: 0040C301
CloseHandle.KERNEL32(000000FF,?,0040C401,000000FF,?,00000104,00000000), ref: 0040C328

Part of subcall function 0040BED3: memset.MSVCRT ref: 0040BF1B
Part of subcall function 0040BED3: _snwprintf.MSVCRT ref: 0040BFB5
Part of subcall function 0040BED3: free.MSVCRT ref: 0040BFE9

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID:
API String ID: 1979745280-0
Opcode ID: b5aaa30312d5fcc67f85845942f74e89b96bccb2180b41cf2d59821ccef51685
Instruction ID: 93ccc22cef0f4177ecd56315f2e6d26b449d926f0b5ad61dc23816b56d629bd5
Opcode Fuzzy Hash: b5aaa30312d5fcc67f85845942f74e89b96bccb2180b41cf2d59821ccef51685
Instruction Fuzzy Hash: D13106B1C00628DBCF60DBA5CC856CEF7B8EF54314F2042ABA518B31A1DB756E958F58

Function 00412DB7 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00412F8E: memset.MSVCRT ref: 00412FAA
Part of subcall function 00412F8E: memset.MSVCRT ref: 00412FBF
Part of subcall function 00412F8E: wcscat.MSVCRT ref: 00412FE8
Part of subcall function 00412F8E: wcscat.MSVCRT ref: 00413011

memset.MSVCRT ref: 00412DF6

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF75

Strings

history.dat, xrefs: 00412DFF
places.sqlite, xrefs: 00412E3F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
String ID: history.dat$places.sqlite
API String ID: 2641622041-467022611
Opcode ID: 08c1b444eb520b35a7a7d5c0fb7f8aeaa4787e0a4d64b0aa0e69da993d74c1dc
Instruction ID: 0913544ad1c32b840834749151f10e29a01f1c6a2781536613fb288058adf295
Opcode Fuzzy Hash: 08c1b444eb520b35a7a7d5c0fb7f8aeaa4787e0a4d64b0aa0e69da993d74c1dc
Instruction Fuzzy Hash: BE115E72940219A6CB10FA66CD46ACE77BC9F40354F1101B6A914F61C2EB3CAF95CAA9

Function 00419544 Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004194C7: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 004194E8
Part of subcall function 004194C7: GetLastError.KERNEL32 ref: 004194F9
Part of subcall function 004194C7: GetLastError.KERNEL32 ref: 004194FF

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00419574
GetLastError.KERNEL32 ref: 0041957E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 2f4b618ee86a0e133fb5120afe2878c9d32770f55e3633c820ca502eedbfd477
Instruction ID: 11002ccd72b8a74f474208f9e9940f6dfa3330b5e17921820ced85d813cc92d2
Opcode Fuzzy Hash: 2f4b618ee86a0e133fb5120afe2878c9d32770f55e3633c820ca502eedbfd477
Instruction Fuzzy Hash: E401AD33208208BFEB119FA5DC41BEA3B6DEB45360F100432F908E6240D325ED9487ED

Function 0040C681 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

*.*, xrefs: 0040C6AC
index.dat, xrefs: 0040C6E5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: *.*$index.dat
API String ID: 1974802433-2863569691
Opcode ID: 0124a788923a264a0f71dca03e4d7c55c72886d07455ff904c63946b470e1fd6
Instruction ID: b35fd175f81657b3a82865a2fc917a928efaf22c6e287d3be843c0a7ee8e476f
Opcode Fuzzy Hash: 0124a788923a264a0f71dca03e4d7c55c72886d07455ff904c63946b470e1fd6
Instruction Fuzzy Hash: 41015671801568D5DB20E761DC426DE73BC9F04314F5056B7A819F21D2E7389F858F9D

Function 004194C7 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 004194E8
GetLastError.KERNEL32 ref: 004194F9
GetLastError.KERNEL32 ref: 004194FF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 1fa7c2f3d529686f49671a40cca17831ab9a59f419c89db5340c4276b833b879
Instruction ID: 1998d2df4d7dc22cf6efa6b8a4ec31ccf4d22c2bb1f0502cb4b25adc0a96311e
Opcode Fuzzy Hash: 1fa7c2f3d529686f49671a40cca17831ab9a59f419c89db5340c4276b833b879
Instruction Fuzzy Hash: 63F03072514115FBCB019F74DC109AA7AE9EB05360B144736F822E6294E730ED419A94

Function 0040A5EB Relevance: 4.5, APIs: 3, Instructions: 26filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00412D6B,00000000,?,00000000,?,00000000), ref: 0040A603
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A617
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00414002), ref: 0040A620

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 59ad0a99eb535f7e7912cc29790ae94c4f7a44c8f5267afefbc4dab143821918
Instruction ID: 54e7b0a2fac03467780574bc71659ffc5b237acda61c65fae5605327c05023f7
Opcode Fuzzy Hash: 59ad0a99eb535f7e7912cc29790ae94c4f7a44c8f5267afefbc4dab143821918
Instruction Fuzzy Hash: ADE04F3A200290BBE2311B26EC0CF4B2E79DBCBB21F150539B955E21E086204919C768

Function 00409FB3 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00409FCF
memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FE7
free.MSVCRT ref: 00409FF0

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: 9398946df9da7633900af1d4d8dee9f6475252f93bc7d5b1a1eb9b1b3952e123
Instruction ID: 3fa6d8dc34f6a2d7cc02f22bfce68f49e3ca57b08464e0138f2fbe8277461859
Opcode Fuzzy Hash: 9398946df9da7633900af1d4d8dee9f6475252f93bc7d5b1a1eb9b1b3952e123
Instruction Fuzzy Hash: B3F082B26052269FD708AF75A98185BB39DEF55364B12483FF404E7282DB389C50C7A9

Function 00415974 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0041599C: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 004159BC
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004159C8
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004159D4
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004159E0
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004159EC

K32GetModuleFileNameExW.KERNEL32(00000000,00000000,lXA,00000104,0041586C,00000000,?), ref: 00415993

Strings

lXA, xrefs: 00415989

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$FileModuleName
String ID: lXA
API String ID: 3859505661-3442822412
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: fee6c053b5955f725308cf381fe1744ee842b03cbd95df917c5b16bd142f82aa
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: B4D0C9B2225711EBE621EA748C01BDBA7D46B84720F009C1AB191D6190D764D854565A

Function 0043917D Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 0043933D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 347c7d52295fca87da1952afce0e5b6021f3aeca802f68c2e00cb623804d0f30
Instruction ID: 8f6596d4f93993bca5fedc02ea909bb24cc5f22f60e220bd561afb4714264618
Opcode Fuzzy Hash: 347c7d52295fca87da1952afce0e5b6021f3aeca802f68c2e00cb623804d0f30
Instruction Fuzzy Hash: 3781AD716083029BDB10EF16D881A6F77E0AF89358F14092FF89497291D7B8DD45CB9A

Function 00420E2A Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00420ED8

Strings

BINARY, xrefs: 00420E36

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: eefff64c68fcfae7df257ab519cb6f43ae1f51918e0179a617aa68835078d1f8
Instruction ID: 26b79014cfc78d58b95db9363976e6c90bc85ae6725c162ac4ac0b56dde6da67
Opcode Fuzzy Hash: eefff64c68fcfae7df257ab519cb6f43ae1f51918e0179a617aa68835078d1f8
Instruction Fuzzy Hash: 4151AD71A043259FDB21CF28E581BAB7BE4AF08350F55446AF849DB342E778D980CBA5

Function 004121DB Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00412228

Strings

/stext, xrefs: 00412223

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: faacc565551467a7f9fecfe8be6c9a25ffd216349f1a930335e294746595b54b
Instruction ID: 2d0fa8a023af8a82833a79c8a9a2b375c4b98090195f1c385c961b9dc0378c10
Opcode Fuzzy Hash: faacc565551467a7f9fecfe8be6c9a25ffd216349f1a930335e294746595b54b
Instruction Fuzzy Hash: C0218830B00605AFD704EF66C981BDDF7B9FF94304F10016AA419E7342DBB9AD618B99

Function 00413E30 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413E53

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Part of subcall function 004010A6: memset.MSVCRT ref: 004010D3
Part of subcall function 004010A6: wcsrchr.MSVCRT ref: 004010EF
Part of subcall function 004010A6: memset.MSVCRT ref: 0040110D
Part of subcall function 004010A6: memset.MSVCRT ref: 004011AC
Part of subcall function 004010A6: CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 004011C3

Strings

FA, xrefs: 00413E30

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
String ID: FA
API String ID: 1828521557-1137249561
Opcode ID: dbe4fe885372198836d1553c0ade92ba4046f6e660ffa4c2721431e6b8765f59
Instruction ID: 1b9fe372a81af7ef4fcc301b0704f8a61b654f984bb2216e8f14dd72d3cafccc
Opcode Fuzzy Hash: dbe4fe885372198836d1553c0ade92ba4046f6e660ffa4c2721431e6b8765f59
Instruction Fuzzy Hash: CB11ACB194021D79EB20F761DC4AFDB776CDF50314F04047BB518A51C2E6B89AD44669

Function 0040D0D4 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040118B,?,?,?,?,000003FF), ref: 0040D0F2

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040700C), ref: 0040B5FE

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Part of subcall function 0040B170: MultiByteToWideChar.KERNEL32(0040D143,00000000,000000FF,?,00000000,00000000,?,00000000,?,0040D143,?,000000FF,0000FDE9), ref: 0040B189
Part of subcall function 0040B170: MultiByteToWideChar.KERNEL32(0040D143,00000000,000000FF,?,00000000,00000000,?,0040D143,?,000000FF,0000FDE9), ref: 0040B1AE

CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040D146

Part of subcall function 0040B671: ??3@YAXPAX@Z.MSVCRT(00000000,0040B5FD,00000000,0040700C), ref: 0040B678

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
String ID:
API String ID: 2445788494-0
Opcode ID: b3434e175287108bd8d00d51b0c6cbae2b7fb7d9485ba0b8fd75dd7f0a2e64a6
Instruction ID: 8c387e03d8c3aade5b41685a2e02256394b39ebaaf0903d076e01eb80a76af23
Opcode Fuzzy Hash: b3434e175287108bd8d00d51b0c6cbae2b7fb7d9485ba0b8fd75dd7f0a2e64a6
Instruction Fuzzy Hash: 99115635804208FEDB00AF69DC45C9A7FB4EF45364715C27AF914AB291D7349A09CBA9

Function 0041725A Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00417269

Strings

failed to allocate %u bytes of memory, xrefs: 00417283

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 48d3b0d99305b5713d050b9a7aed3c2df143f476be273c6a02e7235a5e54717b
Instruction ID: 7af341f115bc0a609711c5f8cf1e2214d5d118070d6e99c1fc297229056b61f8
Opcode Fuzzy Hash: 48d3b0d99305b5713d050b9a7aed3c2df143f476be273c6a02e7235a5e54717b
Instruction Fuzzy Hash: AFE026B7F09B2263C200961AEC0568277F09FC132571A813BF95CD3280C638DC5B83AA

Function 0041DB92 Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041DD36
memcmp.MSVCRT(0000006B,?,00000010,?,?,?,?,?,?,?,?,0042110C,00000007,?), ref: 0041DD48

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 1d55d7fb62e4bfc7d9f251faebd1bd6dd92cbbfd5fee9d1820b3c6a6745402c4
Instruction ID: 94185df667f8708a14b2030ade84f1c931118ff06ce27a9f792afb950defdc79
Opcode Fuzzy Hash: 1d55d7fb62e4bfc7d9f251faebd1bd6dd92cbbfd5fee9d1820b3c6a6745402c4
Instruction Fuzzy Hash: CA616BF1E00205EBDB10EFA599C0AEEB7B4AF05308F14447BE50597241E779AEC4DB89

Function 00410042 Relevance: 2.6, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040E814: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,0041079D,?), ref: 0040E835
Part of subcall function 0040E814: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,0041079D,?), ref: 0040E8FC

GetStdHandle.KERNEL32(000000F5,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 00410077
CloseHandle.KERNELBASE(00000000,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 0041019B

Part of subcall function 00409C9B: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,00410072,00000000,?,004122A5,00000000,00000000,?,00000000,00000000), ref: 00409CAD

Part of subcall function 00409CFB: GetLastError.KERNEL32(00000000,?,004101B0,00000000,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 00409D0F
Part of subcall function 00409CFB: _snwprintf.MSVCRT ref: 00409D3C
Part of subcall function 00409CFB: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409D55

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
String ID:
API String ID: 1381354015-0
Opcode ID: c352156c60bf5e8969b3410faff8cba1e1f857f4dc2c43362582496339407a16
Instruction ID: 773294f2793927884dd3d35b59f4cb20d409429543e063566a68095ef13c6261
Opcode Fuzzy Hash: c352156c60bf5e8969b3410faff8cba1e1f857f4dc2c43362582496339407a16
Instruction Fuzzy Hash: 10417F31A00200FFCB219F69C885A9E77F6AF49714F21416FF446A7291CBBD9EC0DA59

Function 0041ABBA Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041ACAC
memset.MSVCRT ref: 0041ACC3

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 6ce8b2131ce9372664b1d15d844f834fead9c6edd7870f4bc3c7a3887a307618
Instruction ID: 7f252ec0ecd0e4e1d26eed16bae986827b7410e8c21c6190f3b3a6ca151e3a40
Opcode Fuzzy Hash: 6ce8b2131ce9372664b1d15d844f834fead9c6edd7870f4bc3c7a3887a307618
Instruction Fuzzy Hash: 72419D72605206EFCB309F64C9848AAB7F5FB143147108A2FE546C7650E738EDE5CB9A

Function 0041950E Relevance: 2.5, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00419527
CloseHandle.KERNELBASE(0CC483FF,00000000,00000000,0045EBC0,00419B7B,00000008,00000000,00000000,?,00419D38,?,00000000), ref: 00419530

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 1f38ef6d4e421f8b70049e49d582ab06bd968fb49a388c5a1d937bf22f5392b0
Instruction ID: 10c3462ac1369c784e1afd36df35bd7f7ff6f222b97f55253c388b4ed129ec9c
Opcode Fuzzy Hash: 1f38ef6d4e421f8b70049e49d582ab06bd968fb49a388c5a1d937bf22f5392b0
Instruction Fuzzy Hash: 34E0C23B104216AEC6105BB9ECA099773DAEF9A2387544236F661E61A0C7759C828624

Function 0040B7D1 Relevance: 2.5, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B7D4
free.MSVCRT ref: 0040B7DC

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5e97efbfa32821b985a34f27a6b6b563597b1101e70238cb4ba8b6ea1fd80981
Instruction ID: 5f0fdca9fe4acc2ecb8b3169f70f33f7bd062bec4b77ce871c218ba77f1467d2
Opcode Fuzzy Hash: 5e97efbfa32821b985a34f27a6b6b563597b1101e70238cb4ba8b6ea1fd80981
Instruction Fuzzy Hash: 16D048B0805B108ED7B0EF3AD801602BBF0EF08311320CE2EA0AAC2A60EB35A1049F04

Function 0040B6DB Relevance: 2.5, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B6E0
free.MSVCRT ref: 0040B6EB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e3160f7f7b4f3a3b3e99d5da5c4b723c4a23d67d1fdc75ac0b833b277fe980da
Instruction ID: 6fce99da17ec00b62a04151b561d02dd041de02e5c721560a1704fbb50a3ac82
Opcode Fuzzy Hash: e3160f7f7b4f3a3b3e99d5da5c4b723c4a23d67d1fdc75ac0b833b277fe980da
Instruction Fuzzy Hash: EBB0126106A11C49E314331178024141312C70332B372443FE000108E35F1E504413AF

Function 00412D29 Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00412DB7: memset.MSVCRT ref: 00412DF6

Part of subcall function 0040A5EB: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00412D6B,00000000,?,00000000,?,00000000), ref: 0040A603
Part of subcall function 0040A5EB: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A617
Part of subcall function 0040A5EB: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00414002), ref: 0040A620

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00412D75

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 2154303073-0
Opcode ID: 661eaf95a0eb430a0c353e7e574569b8050dd2ae37d277ca5a708745728aa288
Instruction ID: da844e677e512885dbb2ef8f3ceebb0df353419e1ec893dedc4f3fc5669ae239
Opcode Fuzzy Hash: 661eaf95a0eb430a0c353e7e574569b8050dd2ae37d277ca5a708745728aa288
Instruction Fuzzy Hash: AE113072C00219ABCF01EBA5D9815DEB7B9EF84314F20046BE901F3240D6789F55CB95

Function 0041607F Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00416068: FreeLibrary.KERNELBASE(?,0041608B,00000000,00413FA7,?,?,?,?,?,00403CF9,?), ref: 00416074

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(?,00000000), ref: 004160B2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID:
API String ID: 3150196962-0
Opcode ID: 2f6c92ede0ba8efca6cedf9ecbf51a8f1e943e388610fa79aeb44d06da783af3
Instruction ID: 5e44a2a6fa684cac6ecb61c9cf4a65bdaa199533b8bbc7fef38ccb5d0a7984e6
Opcode Fuzzy Hash: 2f6c92ede0ba8efca6cedf9ecbf51a8f1e943e388610fa79aeb44d06da783af3
Instruction Fuzzy Hash: D7F0C2711447125AE630AB7ABC02BE726988F04324F12862FF022E54D0DFACE8C48A68

Function 00416435 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 0041645C

Part of subcall function 004162C5: memset.MSVCRT ref: 004162E4
Part of subcall function 004162C5: _itow.MSVCRT ref: 004162FB
Part of subcall function 004162C5: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0041630A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 53a8f7cb008b32df1684ca7605b3377537bbc048e0cddac440998cdd1c1e842b
Instruction ID: 2e5c155c25daeb658e204211e68cd4b3eb4ccd1c406d73be233cdb1e8b0034fb
Opcode Fuzzy Hash: 53a8f7cb008b32df1684ca7605b3377537bbc048e0cddac440998cdd1c1e842b
Instruction Fuzzy Hash: 7AE0BD32000209EBCF126F80EC01AAA3BA6FF04354F248469FA5814121D33299B0AB88

Function 00407AE2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00407AB8,?,?,00000000,00000000,00000000,00408135,00000000,00000000,?,00000000,00407AB8), ref: 00407AFE

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 6248e0e1ab85731b74595c2f926436b00fccac0aee2fdd6da58cf3d4fee283eb
Instruction ID: 95a85ac8c1a6a3d36e5b55df11ef6633e17d41a7181f6212dfb71d7477b24dd9
Opcode Fuzzy Hash: 6248e0e1ab85731b74595c2f926436b00fccac0aee2fdd6da58cf3d4fee283eb
Instruction Fuzzy Hash: 9CE0EC76100100FFE6615B45DC05F57BBB9EBD4710F14882DB59596164C6326852CB25

Function 0041686C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,00413D28,?,?,?,00403D00,?), ref: 0041687D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 55b2502085225770d96769d1b8c5d2309b5ab18a600f8ce0c91d15f552d81266
Instruction ID: 4e210ffbaa2561246213c2b34439051142da87cffede57808e984b83c24c6bff
Opcode Fuzzy Hash: 55b2502085225770d96769d1b8c5d2309b5ab18a600f8ce0c91d15f552d81266
Instruction Fuzzy Hash: 61E0F6B5901B009FC3308F1BE944417FBF8BEE46113108E6FA4AAC2A21C3B4A5898F94

Function 00415776 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,0041421F,00000000,000001F7,00000000), ref: 0041577D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9cfdbd8db36c6f3a9f02cb46b7a4724c96a864d80a31ec4237d8aa9250ca55a1
Instruction ID: ddb578787b485028a6fb96a9d92d5f44c017102101ddf1ac3dc5e6ba6d02f24a
Opcode Fuzzy Hash: 9cfdbd8db36c6f3a9f02cb46b7a4724c96a864d80a31ec4237d8aa9250ca55a1
Instruction Fuzzy Hash: 4CD0C932800522EFDB10AF26ED457C67378AF60351B150229AC10B34D1CB38BDAB8A98

Function 0040A8CD Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,004100B1,00000000,00454884,00000002,?,004122A5,00000000,00000000,?), ref: 0040A8E4

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6416124c9ca8dda125adc466156433dbc3d8b3aff9fc78592fc4ee70d7722975
Instruction ID: e2b393c147c70288cfc451d322548076449ae967400f97464a64d4acce64fec1
Opcode Fuzzy Hash: 6416124c9ca8dda125adc466156433dbc3d8b3aff9fc78592fc4ee70d7722975
Instruction Fuzzy Hash: 79D0C93511020DFBDF01CF80DC06FDD7BBDEB04359F108064BA1495060D7B59A18AB64

Function 0040A8AE Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6863c831fb060764c36d2ef328c66928a6423640fe431ba3a7638441719afc10
Instruction ID: de572b7337c3604c2e63dc95c070a23ff96247b4c3126b3268b21a980102b21a
Opcode Fuzzy Hash: 6863c831fb060764c36d2ef328c66928a6423640fe431ba3a7638441719afc10
Instruction Fuzzy Hash: D6D0C97501020DFBDF01CF80DD06FDD7B7DEB05359F508064BA0095060C7759A14AB54

Function 00409C82 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d7201b6ac2b644285d7a2778af57a6827c0a8e81cd3c62d8215e375c257f2314
Instruction ID: cecd821801891233278d9e4f0cdd5aea3aed6bf5cf84d435cc8cf5239d0f839c
Opcode Fuzzy Hash: d7201b6ac2b644285d7a2778af57a6827c0a8e81cd3c62d8215e375c257f2314
Instruction Fuzzy Hash: 7FC092B0240200BEFE224B10EC15F36669CD780701F2004247E00E40E0C1604E188524

Function 00409C9B Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,00410072,00000000,?,004122A5,00000000,00000000,?,00000000,00000000), ref: 00409CAD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 680376a1705957ae3a1bbded056498c64766bd9d2b751ddd79e3da9690a8832c
Instruction ID: adc684fa4d176c709e0b5a021f9c2e2f242b30b566e97c1e18dbffa254e16f52
Opcode Fuzzy Hash: 680376a1705957ae3a1bbded056498c64766bd9d2b751ddd79e3da9690a8832c
Instruction Fuzzy Hash: 56C012F02503007EFF304B10AC0AF37769DD7C0701F1044307E00E40E1C2A14C488524

Function 0040B671 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00000000,0040B5FD,00000000,0040700C), ref: 0040B678

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 8026c71734dfa41369215d123a13b243002bdb1e268899024844832d7108e649
Instruction ID: d23f394f445174d82bf5c374610f4e11a096298af16890c94d1ac581a8101d62
Opcode Fuzzy Hash: 8026c71734dfa41369215d123a13b243002bdb1e268899024844832d7108e649
Instruction Fuzzy Hash: 56C09BB15117014BFB305E15C40471273D49F60727F354D1DA8D2914C1D77CD440865D

Function 00416068 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0041608B,00000000,00413FA7,?,?,?,?,?,00403CF9,?), ref: 00416074

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e9866dcb680b9a0d0965807e9c09656def5765bcc3968a07479bcdd52cf4d20d
Instruction ID: c4f7802c24e59161306af1403d88e20ea41b7baad8a9019303b140db1e88e420
Opcode Fuzzy Hash: e9866dcb680b9a0d0965807e9c09656def5765bcc3968a07479bcdd52cf4d20d
Instruction Fuzzy Hash: ADC04C351107018FE7218B62C949753B7E4AB00316F40C818949685850D77CE854CE18

Function 0044E188 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000), ref: 0044E199

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 600d0468050d6c0c974190016e207e925c0ab4fd49a9922a22aac3e50904c676
Instruction ID: ca87bd2022555555e1e71ab19cfd3b78776a4971098d47f20d95beb5d2123f01
Opcode Fuzzy Hash: 600d0468050d6c0c974190016e207e925c0ab4fd49a9922a22aac3e50904c676
Instruction Fuzzy Hash: CCC04C355503008FF7168F22ED4E76A32B4B700357F414D74D40085062EB78C514CA1C

Function 0040B4E4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040B447,?,00000000,004149BF,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040B4EE

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7b6ab146b4268e51a5c44590b0b181f0b71ff05a35f264cb6b2d58c8236388a4
Instruction ID: 4ebaaad3abebb35ea561999068b04e119c5bd0073050e994cd3dd7ff13ec2e23
Opcode Fuzzy Hash: 7b6ab146b4268e51a5c44590b0b181f0b71ff05a35f264cb6b2d58c8236388a4
Instruction Fuzzy Hash: E6C048341109028AE2285B38985942A76A0AA4A3303B40F6CA0F6920F0EB3899868A08

Function 0040A157 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 45ec320b698d0105a77b428ef27c265de4d5060260cc72b868003af4cb6e54e0
Instruction ID: 81611b1af33cf8bffabafaac40f523e309f93145d8b60d33e97b966a2711c68d
Opcode Fuzzy Hash: 45ec320b698d0105a77b428ef27c265de4d5060260cc72b868003af4cb6e54e0
Instruction Fuzzy Hash: 93B012792104009BCB080734DE4504E35505F49631760073CB033C00F0DB20CC64BA00

Function 00416466 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00416C27,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,004148A8,?,?,00000000), ref: 00416479

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fdd4ee8420ff38d50ee0fd67c97a440200559db92fa8313b56074c36fcf39447
Instruction ID: 83906f0e37f9444889d0528ca96d09476c9ae61f439c3988bf04068afc79b07d
Opcode Fuzzy Hash: fdd4ee8420ff38d50ee0fd67c97a440200559db92fa8313b56074c36fcf39447
Instruction Fuzzy Hash: 01C09B39544301BFDF114F40FE05F0ABB61ABC4B05F004414B344240B282714414EB17

Function 0041DDA9 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2eaefd0b4e924761a318baa880c6f1d4900ead5ccf9d44654d0fd569ba43051
Instruction ID: 44a613232f5d856dc5ac7483348cac20a1fabfd44cd96dfcc582b64180e5c4d2
Opcode Fuzzy Hash: d2eaefd0b4e924761a318baa880c6f1d4900ead5ccf9d44654d0fd569ba43051
Instruction Fuzzy Hash: 16319CB1A01B05EFDF24AF15D8417DA73A0BB21356F15412BF8149B241D738ADE0CBDA

Function 004080FB Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040700C), ref: 0040B5FE

Part of subcall function 00407AE2: SetFilePointerEx.KERNELBASE(00407AB8,?,?,00000000,00000000,00000000,00408135,00000000,00000000,?,00000000,00407AB8), ref: 00407AFE

memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,00407AB8), ref: 0040817E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@FilePointermemcpy
String ID:
API String ID: 609303285-0
Opcode ID: ea356a746f5db7ec59e3444e8f7e24b9c927ee0921a75d79612c64919ebe6e17
Instruction ID: 9411481ac6af7364e862306388468c261c6d0645f596cac8d8abf60ea354766a
Opcode Fuzzy Hash: ea356a746f5db7ec59e3444e8f7e24b9c927ee0921a75d79612c64919ebe6e17
Instruction Fuzzy Hash: 6811C132900108BBDB00A765C940F9F77ACAF85318F15807EF98577282CB78AE0787AD

Function 004083CC Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004083FD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 13af99538766b2a182500595b229227d4534b1020d2eec3942169f622147e130
Instruction ID: 355d7b68675bcf71531e109d1974fa15c2d23b2ab6a250ec1a74cd6812f94247
Opcode Fuzzy Hash: 13af99538766b2a182500595b229227d4534b1020d2eec3942169f622147e130
Instruction Fuzzy Hash: 3F115E71600606AFCB14DF65C9C199EB7F8FF44314B10853EE596E3282EB34F9459B68

Function 00407A50 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00407AD0: CloseHandle.KERNEL32(000000FF,00407A60,00000000,00000000,0040BD9A,?,00000000,00000104,00000000,?,?,?,0040C27F,?,0040C401,000000FF), ref: 00407AD8

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetLastError.KERNEL32(00000000,00000000,0040BD9A,?,00000000,00000104,00000000,?,?,?,0040C27F,?,0040C401,000000FF,?,00000104), ref: 00407ABD

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: b5cb65a831526968e61f3b8b20486ca7c6747027f1051b4f106f0081e9cc041b
Instruction ID: 35cd9f8c1dcfc8a6b291ae52797bf89ab5d951bbdcfd6650bf437470b2e439e1
Opcode Fuzzy Hash: b5cb65a831526968e61f3b8b20486ca7c6747027f1051b4f106f0081e9cc041b
Instruction Fuzzy Hash: 3601D6B1A182019EE3209B30C80579B77D8EF50315F14883FE596E62C1E77CA9808A7F

Function 0040B5F5 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 0040B671: ??3@YAXPAX@Z.MSVCRT(00000000,0040B5FD,00000000,0040700C), ref: 0040B678

??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040700C), ref: 0040B5FE

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 35078aa9528d176a3a2e80a839a21edae065cbdddee7803ec72af34415444393
Instruction ID: 1651319002fec664f26f06c15537a8029accf68742c71f4261269a8637093df6
Opcode Fuzzy Hash: 35078aa9528d176a3a2e80a839a21edae065cbdddee7803ec72af34415444393
Instruction Fuzzy Hash: 1EC02B7281D2104FDB10FF74340145A23D4CE832203014C2FE4C0F3100D6384401039D

Function 0040B02A Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B031

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e96c0334e5700b3217717c12c936e5c8bc79841484eb53a37ab721f95e95596
Instruction ID: a4aab80efa05a36e40e003174c8289b0fd75b8aa2e0c69bc48311badf276c503
Opcode Fuzzy Hash: 7e96c0334e5700b3217717c12c936e5c8bc79841484eb53a37ab721f95e95596
Instruction Fuzzy Hash: 3BC002B25117018BE7349E15C449766B3E8EF20B6BF61881D94E591481D7BCD4848A18

Function 00408D81 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00408D88

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8bbca39f266a6f000b4c72b8d7a71c68e8e69029b91d150487a399c13b1e3803
Instruction ID: de1c0baefddc23ff079bab1c2c377a9ae2e5f1a26b18513abd574526421c75a5
Opcode Fuzzy Hash: 8bbca39f266a6f000b4c72b8d7a71c68e8e69029b91d150487a399c13b1e3803
Instruction Fuzzy Hash: 39C002B2551B098FE7209E15C505762B3E8AF1073BF958D1D94D5914C1DB7CD4448E15

Function 0041729B Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041729F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: df981978903576c94245b9e122b1d11dbdca9cb07129e532542aba849d07663a
Instruction ID: 3aa5576ec611755f8cd3c559a3e90b43ca4d179dd92e5c4db0b995cbc1efbf24
Opcode Fuzzy Hash: df981978903576c94245b9e122b1d11dbdca9cb07129e532542aba849d07663a
Instruction Fuzzy Hash: 9C9002C2496519105D0431755C06505120C4852136375075A7032959D1CE1880506129

Non-executed Functions

Function 00409EA1 Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00409EAB

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000), ref: 00409EC8
GlobalAlloc.KERNEL32(00002000,00000002), ref: 00409ED9
GlobalLock.KERNEL32(00000000), ref: 00409EE6
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00409EF9
GlobalUnlock.KERNEL32(00000000), ref: 00409F0B
SetClipboardData.USER32(0000000D,00000000), ref: 00409F14
GetLastError.KERNEL32 ref: 00409F1C
CloseHandle.KERNEL32(?), ref: 00409F28
GetLastError.KERNEL32 ref: 00409F33
CloseClipboard.USER32 ref: 00409F3C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 44998ffc891bb225a56e9bb27206520a843834c4280dd8a38d2d5b5fef2c93d6
Instruction ID: f2b573886a777ddc08947e4f1f5a0494481de075c88f5d4f6b384ba28402c1a7
Opcode Fuzzy Hash: 44998ffc891bb225a56e9bb27206520a843834c4280dd8a38d2d5b5fef2c93d6
Instruction Fuzzy Hash: C4112E7A904209FFEB105FA0EC4DA9F7BB8EB45351F104176F902E2292DB748D09CB68

Function 004053E1 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405400
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00405412
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405426
#17.COMCTL32(?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405434
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00405451

Strings

Error: Cannot load the common control classes., xrefs: 0040544B
Error, xrefs: 00405446
comctl32.dll, xrefs: 004053E9
InitCommonControlsEx, xrefs: 0040540C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 5dfb1fab429fbac110f65632f4351b7de0d7d1b2a154ff3275be3e3fb28183c9
Instruction ID: 02647c2cd5375a0cee16ec096afc735ec0ee25a180069e9de50cf8421b07617d
Opcode Fuzzy Hash: 5dfb1fab429fbac110f65632f4351b7de0d7d1b2a154ff3275be3e3fb28183c9
Instruction Fuzzy Hash: D801F4767516106BE7115BB4AC89BBB3A9CDF4674AB400035F502E6290EBBCDD098A6C

Function 00417C60 Relevance: 14.6, APIs: 4, Strings: 4, Instructions: 592COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00417F76
__aullrem.LIBCMT ref: 00417F8C
__aulldvrm.LIBCMT ref: 00417FF0

Strings

(NULL), xrefs: 0041818B
+, xrefs: 00417EEE
%, xrefs: 004180AC
NULL, xrefs: 00418184

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: __aulldvrm$__aullrem
String ID: %$(NULL)$+$NULL
API String ID: 643879872-2336503864
Opcode ID: 2314330283d0af90830fd9dd05ef69e3351843964a0ab050f4a860d65c0f812e
Instruction ID: fa746fabc3090f75201f701bd4a1ff397023a4ccede1be9114d7bf06053fd938
Opcode Fuzzy Hash: 2314330283d0af90830fd9dd05ef69e3351843964a0ab050f4a860d65c0f812e
Instruction Fuzzy Hash: 5432A03150C3868FD711CF28C5807ABBBE0AF99704F18495FE88597352D779C98ACB9A

Function 0041A773 Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 0041A78D
memcpy.MSVCRT(?,?,00000010), ref: 0041A79C
GetCurrentProcessId.KERNEL32 ref: 0041A7AD
memcpy.MSVCRT(?,?,00000004), ref: 0041A7C0
GetTickCount.KERNEL32 ref: 0041A7D4
memcpy.MSVCRT(?,?,00000004), ref: 0041A7E7
QueryPerformanceCounter.KERNEL32(?), ref: 0041A7FD
memcpy.MSVCRT(?,?,00000008), ref: 0041A80D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: e75bf55485dc5d7d8b1ce748ae8fe2053cdeb53d697cd784200e391488fbf47e
Instruction ID: 2cc184040992abe9e4e17126ecdb49144539f0c36084feaac1bb63b25c18b641
Opcode Fuzzy Hash: e75bf55485dc5d7d8b1ce748ae8fe2053cdeb53d697cd784200e391488fbf47e
Instruction Fuzzy Hash: 6E11B9F3D0051867DB00EFA4DC49DDAB7ADEF4A210F464936FA15C7141E634E64887E5

Function 00409E39 Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00409E41
wcslen.MSVCRT ref: 00409E4E
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411571,-00000210), ref: 00409E5E
GlobalLock.KERNEL32(00000000), ref: 00409E6B
memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411571,-00000210), ref: 00409E74
GlobalUnlock.KERNEL32(00000000), ref: 00409E7D
SetClipboardData.USER32(0000000D,00000000), ref: 00409E86
CloseClipboard.USER32 ref: 00409E96

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 0164f3b3879468f6eceab2dbe93e6c2e0c32735ab1d54ab091d60a667f6ded84
Instruction ID: ea904b1a76f59721029cddac23a3e6dc12fc942fabe90a21eef7b64a01167f20
Opcode Fuzzy Hash: 0164f3b3879468f6eceab2dbe93e6c2e0c32735ab1d54ab091d60a667f6ded84
Instruction Fuzzy Hash: 90F05B7B500228ABD2202FA5EC4DD5B776CDB86B9AB05013AF909D22529A245C0846B9

Function 0041A225 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0041A22E

Part of subcall function 004192F2: GetVersionExW.KERNEL32(?), ref: 00419315

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A255
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A27E
LocalFree.KERNEL32(?), ref: 0041A299
free.MSVCRT ref: 0041A2C7

Part of subcall function 0041938B: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,004194B6,?), ref: 004193A9
Part of subcall function 0041938B: malloc.MSVCRT ref: 004193B0

Strings

OsError 0x%x (%u), xrefs: 0041A2AB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 2360000266-2664311388
Opcode ID: 66a5431910ad0f0ce767ad32103e4c3a3757044076d62f59ce7878390095469b
Instruction ID: 09a38d3d336ad90078d9ee04c195a6b5e61967dcbffd067f140ccdfba9bcaacc
Opcode Fuzzy Hash: 66a5431910ad0f0ce767ad32103e4c3a3757044076d62f59ce7878390095469b
Instruction Fuzzy Hash: 1211C834901228BFDF11ABA1DC49CEF7F78EF45760B104067F805A2211D7750E95D7A9

Function 00437F3B Relevance: 10.0, APIs: 2, Strings: 4, Instructions: 1036COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00437F7F

Strings

rows inserted, xrefs: 00438A7B
%d values for %d columns, xrefs: 004382CB
table %S has no column named %s, xrefs: 00438399
table %S has %d columns but %d values were supplied, xrefs: 004382AB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID: %d values for %d columns$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 2221118986-2709362559
Opcode ID: e196ff542e79ea0ee33b804b041fae3ba623fb86be74e735b8beecf342ad2712
Instruction ID: f234b0d555b83615ce865efb455c1035dbfc09a6371c6f448445de2cb7710997
Opcode Fuzzy Hash: e196ff542e79ea0ee33b804b041fae3ba623fb86be74e735b8beecf342ad2712
Instruction Fuzzy Hash: E8926871600209AFDF24DFA9C881BAABBA1FF08314F54501EFD1597392DB79E841CB99

Function 0043E13D Relevance: 6.9, APIs: 2, Strings: 2, Instructions: 874COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043E16A
memset.MSVCRT ref: 0043E250

Strings

rows updated, xrefs: 0043EAA1
no such column: %s, xrefs: 0043E367

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID: no such column: %s$rows updated
API String ID: 2221118986-885832449
Opcode ID: b665b58fd2758fc562c87746b6d8189043a4edcf54fef41108e0db56c1bd2098
Instruction ID: a12a96e0d48a9ad81b06c3d8ec8fd25e269b764e99ed74a2f515a5da20bd1f3d
Opcode Fuzzy Hash: b665b58fd2758fc562c87746b6d8189043a4edcf54fef41108e0db56c1bd2098
Instruction Fuzzy Hash: B7726A71E01219EFCF20DF96C881AAEBBB1FF48314F14505AE904A7392D739AD51CBA5

Function 00442273 Relevance: 6.6, APIs: 2, Strings: 2, Instructions: 609COMMON

Download Yara Rule

Strings

at most %d tables in a join, xrefs: 00442296
cannot use index: %s, xrefs: 0044282E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID: at most %d tables in a join$cannot use index: %s
API String ID: 0-4015609739
Opcode ID: 6e8d23bb21b34d26f59df55dc46c5c52f7f6a2f78d07655270d72b67abcb8f68
Instruction ID: 351574ca3f30cab856fc9f45035588dcd804f3105b5f9a7b27dc6815f6e02950
Opcode Fuzzy Hash: 6e8d23bb21b34d26f59df55dc46c5c52f7f6a2f78d07655270d72b67abcb8f68
Instruction Fuzzy Hash: DB429D71900248DFEF29DF65C980AAA7BB1FF08314F55825AFC149B251D7B9E881CF88

Function 00416A46 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 00416A53
SizeofResource.KERNEL32(?,00000000), ref: 00416A64
LoadResource.KERNEL32(?,00000000), ref: 00416A74
LockResource.KERNEL32(00000000), ref: 00416A7F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c89b420d8ff8532ca3e3af3ec0f8793a4f0b21527573ef5156956d1d610aacd0
Instruction ID: 7a854b382b0c92d83852ff6be1e1e59c849c683da3176378bb1a11a70f524225
Opcode Fuzzy Hash: c89b420d8ff8532ca3e3af3ec0f8793a4f0b21527573ef5156956d1d610aacd0
Instruction Fuzzy Hash: D301D632600215ABCB158FA5DC4899BBF9EFF863A0709C03AFC45E6320DB30C984C6D8

Function 0041138D Relevance: 4.5, APIs: 3, Instructions: 44fileclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A004: GetTempPathW.KERNEL32(00000104,?,?), ref: 0040A01B
Part of subcall function 0040A004: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040A02D
Part of subcall function 0040A004: GetTempFileNameW.KERNEL32(?,004011DE,00000000,?), ref: 0040A044

OpenClipboard.USER32(?), ref: 004113CB
GetLastError.KERNEL32 ref: 004113E0
DeleteFileW.KERNEL32(?), ref: 004113FF

Part of subcall function 00409EA1: EmptyClipboard.USER32 ref: 00409EAB
Part of subcall function 00409EA1: GetFileSize.KERNEL32(00000000,00000000), ref: 00409EC8
Part of subcall function 00409EA1: GlobalAlloc.KERNEL32(00002000,00000002), ref: 00409ED9
Part of subcall function 00409EA1: GlobalLock.KERNEL32(00000000), ref: 00409EE6
Part of subcall function 00409EA1: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00409EF9
Part of subcall function 00409EA1: GlobalUnlock.KERNEL32(00000000), ref: 00409F0B
Part of subcall function 00409EA1: SetClipboardData.USER32(0000000D,00000000), ref: 00409F14
Part of subcall function 00409EA1: CloseHandle.KERNEL32(?), ref: 00409F28
Part of subcall function 00409EA1: CloseClipboard.USER32 ref: 00409F3C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
String ID:
API String ID: 2633007058-0
Opcode ID: 084149697ea11c0032394e00f6ee6a0ca2e9868ca0e0451494483383942c6222
Instruction ID: 67aa2ef175f2399da1d40db2a93dbf2ce4f101bde76a1b907a1a325d03d0d586
Opcode Fuzzy Hash: 084149697ea11c0032394e00f6ee6a0ca2e9868ca0e0451494483383942c6222
Instruction Fuzzy Hash: B3F0F43530030496EB202B72DC4EFDB365DCB80711F00003ABA62961E2EE79EC858568

Function 004086CB Relevance: 2.9, APIs: 2, Instructions: 415COMMON

Download Yara Rule

APIs

Part of subcall function 00408D81: free.MSVCRT ref: 00408D88

memset.MSVCRT ref: 004087C7
free.MSVCRT ref: 004088BE

Part of subcall function 0040821B: memcpy.MSVCRT(}~@,?,?,00408273,?,?,00000000,?,?,?,?,00407E7D,?), ref: 00408237

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$memcpymemset
String ID:
API String ID: 2037443186-0
Opcode ID: 0b53a10944839d98f407f4dd92e74b5ea16c2c2fda14a40c3c602e3fe729c799
Instruction ID: b328af2f34ee1f53a4553d54ec3fa1749fa2e2f0081d5a29227ee96510334404
Opcode Fuzzy Hash: 0b53a10944839d98f407f4dd92e74b5ea16c2c2fda14a40c3c602e3fe729c799
Instruction Fuzzy Hash: 34025E71D002299BDF24DF65C9846EEB7B5BF48314F1440BEE889BB381DB385A81CB58

Function 004066BC Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

dD, xrefs: 004068A9
dD, xrefs: 004066C7, 004068A4

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID: dD$dD
API String ID: 0-863494483
Opcode ID: d5b35e440a2aab411405074ebcee37c44f8f83d727ca2362a1693707b66e4da0
Instruction ID: 3563d9f163bc9503cf3a94ecb85acfdf010a2c5d1a0c635f93ff25f190471eaf
Opcode Fuzzy Hash: d5b35e440a2aab411405074ebcee37c44f8f83d727ca2362a1693707b66e4da0
Instruction Fuzzy Hash: CC81C3319151E58FCB0ACB7D88A01BDFFF4EF9A20075446AED8D2E7386C6744A11CBA1

Function 004065BF Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

8h@, xrefs: 00406644
UUUU, xrefs: 00406618

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID: 8h@$UUUU
API String ID: 0-4196600106
Opcode ID: f341a98deb1e5e92d7066587e62b77daad1dfda02a02c613fc9f81484624d4c1
Instruction ID: 0331a78172c4bedd65cc47bdacc1c5afaf3168456479b17d5c27cce71908055a
Opcode Fuzzy Hash: f341a98deb1e5e92d7066587e62b77daad1dfda02a02c613fc9f81484624d4c1
Instruction Fuzzy Hash: DA2141323749150BF79CE93D8C4376B62D2DBC8254B18CA3EA696D72C1DD6CD913C285

Function 004192F2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00419315

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 7326f150f62c8e493511fbb22f4dc93557bb1aa2f813e00d2fd5eebd9c0dcf9c
Instruction ID: 31f7a407b4742d582560ea033e5ca5f76b9ceb554be12180941efba1faa7fce5
Opcode Fuzzy Hash: 7326f150f62c8e493511fbb22f4dc93557bb1aa2f813e00d2fd5eebd9c0dcf9c
Instruction Fuzzy Hash: 64E0B67591131CCFEB28DB35DB4B3C67AE4A718B46F4004B5C21AD2192D2789A88CA67

Function 00415E3E Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

UUUU, xrefs: 00415EBF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 51cf61480d4bbd18aca4ab00b5e1ddc623393ccfbefe27cc79281a1855ac3880
Instruction ID: c6a41dad3dd780944f64823be97af5b0274d7ff87430c56191a99677ac2b7e0a
Opcode Fuzzy Hash: 51cf61480d4bbd18aca4ab00b5e1ddc623393ccfbefe27cc79281a1855ac3880
Instruction Fuzzy Hash: 5251E333B208600BF74CCA6D8C653AD2A9387C9355B1E827DDA97D73C2DDB8D912C284

Function 004125F6 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
Opcode Fuzzy Hash: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
Instruction Fuzzy Hash: FC42D5B7E403299FCB14CFD5C8C0589F7B2BFD8314B1B95958918BB216D2B4BA468BD0

Function 0044AE20 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db0f938f38fdaa4c6c09525d1daffb27575970053de5bd1431cc418ebbb5e8f
Instruction ID: d3e0384fea3fd24c797af0c6e08c44d05453ed3c720bfa3f12366617e3e2843f
Opcode Fuzzy Hash: 1db0f938f38fdaa4c6c09525d1daffb27575970053de5bd1431cc418ebbb5e8f
Instruction Fuzzy Hash: C3027D719246B08EE359CF3F8454852BFE2AF8D21134FC2EADD985F267C2759812CB94

Function 0044CDA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d7c7dc9e6b0a91e03bc5d64b262126c776b2e33fe9347efd22c1dbc1e2d97f
Instruction ID: 3f7dc0decc91a2821cdc9fc04fb797e228a59e783e36a08f722c299b8571faba
Opcode Fuzzy Hash: 31d7c7dc9e6b0a91e03bc5d64b262126c776b2e33fe9347efd22c1dbc1e2d97f
Instruction Fuzzy Hash: E2F1BE75A097448FE355DF2AC89066BF7E2EFC8300F55892CE5C98B356D634E90ACB42

Function 0044CDFB Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee686d5b6e20b7454a2b875978c02cfb68322f9de7c498cf7e3518c25a757c3
Instruction ID: 41fe3479003944616d76f6178f5528cfc1295f713fbb9e86c1d9e17120408817
Opcode Fuzzy Hash: cee686d5b6e20b7454a2b875978c02cfb68322f9de7c498cf7e3518c25a757c3
Instruction Fuzzy Hash: 9BF1BF75A097448FE355DF2AC89066BF7E2EFC8300F56892CE5C987356D634E90ACB42

Function 0044A030 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733b4c09120e027e4c6f8c422a8e3584ecf113e484a654a9b8d77262c8ba684d
Instruction ID: 1abf1ae8b9e642fce274ecdf44ddbd73036961cadfedcbe1118210cd0a50107d
Opcode Fuzzy Hash: 733b4c09120e027e4c6f8c422a8e3584ecf113e484a654a9b8d77262c8ba684d
Instruction Fuzzy Hash: 13F16C329087928FE310CF2ADC8012ABBE3EFCA201F4D85ADD6951B657C635F116CB95

Function 0044A5F0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753a7d8d6822157fa59933e479f548ef3ef89b21003f015dbe4701c6b21d1750
Instruction ID: 261225dfebd9327df034486d6a6f60b312191a66435e77e24efe49f6248d893a
Opcode Fuzzy Hash: 753a7d8d6822157fa59933e479f548ef3ef89b21003f015dbe4701c6b21d1750
Instruction Fuzzy Hash: 20F179329087928FE314CF2AD89112AFBE3EFC9201F4E8669D69507797C634F511CB96

Function 0040612B Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9070390a35bf5a33e574ea3828ce588c4766aefaef39f500c6c1d9ee2c243afe
Instruction ID: 36456db63c6b4156f34c96dc3181ba10cb40ef9f47e2ea293c8f4cd5d61ab986
Opcode Fuzzy Hash: 9070390a35bf5a33e574ea3828ce588c4766aefaef39f500c6c1d9ee2c243afe
Instruction Fuzzy Hash: 8BD101B7E107158BE714CFAAFC8010A77A3AB9D35275B8265CA1467362D274BB13CBC4

Function 00405BB3 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e86e11575c0b3ec423b1b2f262c5a6381364515b500a71f4fe8bb317c228e50
Instruction ID: 2aae9883adae240cbc7db3e42ca82e1b8745150608f333e9731f407ff46de567
Opcode Fuzzy Hash: 3e86e11575c0b3ec423b1b2f262c5a6381364515b500a71f4fe8bb317c228e50
Instruction Fuzzy Hash: DAA1C077BA4B0907E34848EAACC6391B58397D8314F2E423ECB74C73D2E9FC95668154

Function 00418CC9 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3cff37084f2d0a492ca6bb6b1919cd8870f06ce0428e5eb89ecad11dcb3b00
Instruction ID: 001fbc21b05758eb446ec65d5abad4a088ccfa376a217299c8c8ff3d6e2c83af
Opcode Fuzzy Hash: bc3cff37084f2d0a492ca6bb6b1919cd8870f06ce0428e5eb89ecad11dcb3b00
Instruction Fuzzy Hash: 4151F4B2A107149BE75CCF2AC8612A9BFE2DFD2301B18857ED1F7C7280CA748542EB14

Function 0044D760 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2e53efea8e07b36ff06da3f2af587bf50ba0680418a3b3dd3e80fc46db079
Instruction ID: c93db78259dce47346779bdaf26616e305005bc5077f05248b7ffdbb2e277418
Opcode Fuzzy Hash: c3d2e53efea8e07b36ff06da3f2af587bf50ba0680418a3b3dd3e80fc46db079
Instruction Fuzzy Hash: C9614AB0A097118FD358CF2AC88066BFBE1FFC8315F448A2EE5E9C3295D678A505CB51

Function 0044ABC0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427d5b22f27c5e9bb4f8a9ede8dba2b5211f51dbcff73afbefa1fdfe33d4f19a
Instruction ID: 2e69081d48c71ac0f4a776e945ac56b967744db1d80257a3b857fc096614e3fd
Opcode Fuzzy Hash: 427d5b22f27c5e9bb4f8a9ede8dba2b5211f51dbcff73afbefa1fdfe33d4f19a
Instruction Fuzzy Hash: AA5126727603124BE318CF28DC503AA7BD3EBC530AF18C63DC641C768AD63EA5124745

Function 0044B188 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a241434b5471f187f00830418abce76f9af2f4be078b109d90c87bc652ba131f
Instruction ID: 4cb6d043370fa2aec689becc13ee9ca1f9a70f6ea897de847e431c68edb08c71
Opcode Fuzzy Hash: a241434b5471f187f00830418abce76f9af2f4be078b109d90c87bc652ba131f
Instruction Fuzzy Hash: A55127729246F08EE395CB3B8450852BFE2AF8D21234FC2D6DDD86B567D2719812CBD4

Function 0044D380 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673bc32cd3733160634d13c6bc9e68d116c07480fdeb0dd23d5a2620398adc07
Instruction ID: 83be4523b4d99518caaa889ece725f10c4e909b521f3472e2ad0842001b24290
Opcode Fuzzy Hash: 673bc32cd3733160634d13c6bc9e68d116c07480fdeb0dd23d5a2620398adc07
Instruction Fuzzy Hash: E051A37170D7905BD70D8B3894506AFFFD19BDE304F498A6DF4CA9B382C9249A08C796

Function 00449A40 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcc3f14783c490649eeba77d7f18e1e0d1b8e0383a26aa5f8dce9da17e0d4f4
Instruction ID: b24927cf4203a7629c33dfb9ab96b5845e99e9d068419b141e9c8a1f4162008a
Opcode Fuzzy Hash: 1dcc3f14783c490649eeba77d7f18e1e0d1b8e0383a26aa5f8dce9da17e0d4f4
Instruction Fuzzy Hash: 3D511F5510DBD29EC3268B7D4490196FFF16E77101708CA9ED4EA47B83C118F698DBB2

Function 0044CC70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24557554f048d09c11f52b81739e88c448550ecefce97a4484db0471796f5e0
Instruction ID: 554509d59a7e6b4a1349e53bd175d0025d61dc91f93769c7bcc3e41a9e3a7bba
Opcode Fuzzy Hash: e24557554f048d09c11f52b81739e88c448550ecefce97a4484db0471796f5e0
Instruction Fuzzy Hash: 1E41521510DBD29EC326877D48904A6FFE15EB6001B4CCA8EE4E987B83C158F658D7B2

Function 00405B22 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd373d7a952e2fbf3ab71dfe800a2a8438d60254132115f7e844557371adecb
Instruction ID: d5b70b75f62433a2347a798cd4f756ab0f511337e50d4e161060c94aa0b0b908
Opcode Fuzzy Hash: dcd373d7a952e2fbf3ab71dfe800a2a8438d60254132115f7e844557371adecb
Instruction Fuzzy Hash: 280152766207498FD308DFADFCC152673A6FBD9312708463ADA01C3266EB74E521C694

Function 00405A40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
Instruction ID: e46ac8c8d649937048925bbc22b10e31c7d260e61c9919193dd0f57e0586c858
Opcode Fuzzy Hash: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
Instruction Fuzzy Hash: 75011E326019208FA38DCE3AC80545377E3FFCA325326C1E8D845AB579D6316802CBD4

Function 00405AB1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
Instruction ID: 1c8cf4990013556009a943ce68bbe5c533817c3d042a03847a5f6a4628de1edc
Opcode Fuzzy Hash: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
Instruction Fuzzy Hash: DA01E8326159308FA389DE3AC80144377E3FFCA32532AC1E5C945AB57DD6316847DB90

Function 0040298A Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 285COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004029B7
_wcsicmp.MSVCRT ref: 004029E8
_wcsicmp.MSVCRT ref: 00402A16
_wcsicmp.MSVCRT ref: 00402A44

Part of subcall function 0040B04F: wcslen.MSVCRT ref: 0040B062
Part of subcall function 0040B04F: memcpy.MSVCRT(?,?,00000000,00000000,0040D237,00000000,?,?), ref: 0040B081

memset.MSVCRT ref: 00402D70
memcpy.MSVCRT(?,?,00000011), ref: 00402DAC

Part of subcall function 00407687: GetProcAddress.KERNEL32(0045EC00,00000000), ref: 004076B7
Part of subcall function 00407687: FreeLibrary.KERNEL32(00000000,00000141,?,-000000FB,?,004016C4,?,00000000,00000000,?), ref: 004076DA
Part of subcall function 00407687: CryptUnprotectData.CRYPT32(-000000FB,00000000,-000000FB,00000000,00000000,-000000FB,-000000FB), ref: 004076FC

memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 00402E10
LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402E75
FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402E86

Strings

u, xrefs: 00402B8F
z, xrefs: 00402C80
u, xrefs: 00402B40
8, xrefs: 00402BC6
q, xrefs: 00402BD5
L, xrefs: 00402D20
>, xrefs: 00402A82
', xrefs: 00402B3B
#, xrefs: 00402D00
y, xrefs: 00402BA3
&, xrefs: 00402AAA
@, xrefs: 00402C50
t, xrefs: 00402C48
}, xrefs: 00402A8C
n, xrefs: 00402C70
$, xrefs: 00402CC8
\, xrefs: 00402C28
K, xrefs: 00402C58
H, xrefs: 00402A87
2, xrefs: 00402CA8
t, xrefs: 00402D58
Account, xrefs: 00402A0B
n, xrefs: 00402CB8
A, xrefs: 00402AF0
K, xrefs: 00402B13
>, xrefs: 00402A91
=, xrefs: 00402C38
/, xrefs: 00402BFC
X, xrefs: 00402D40
h, xrefs: 00402BDF
H, xrefs: 00402A7D
F, xrefs: 00402B18
`, xrefs: 00402BCB
w, xrefs: 00402BF7
t, xrefs: 00402D30
^, xrefs: 00402D38
&, xrefs: 00402CF8
~, xrefs: 00402CA0
y, xrefs: 00402ADC
), xrefs: 00402CD8
{, xrefs: 00402AFF
I, xrefs: 00402B4F
server, xrefs: 004029A1
com.apple.WebKit2WebProcess, xrefs: 00402D9D
g, xrefs: 00402AB4
com.apple.Safari, xrefs: 00402D75
a, xrefs: 00402C06
b, xrefs: 00402A9B
0, xrefs: 00402B62
O, xrefs: 00402AE6
Path, xrefs: 004029DD
!, xrefs: 00402C40
S, xrefs: 00402BF2
Data, xrefs: 00402A39

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 2929817778-1134094380
Opcode ID: 995f29d439b71307d32f83be2d0feb689db9085f2827bd8da7cec9ab0f4b1b5b
Instruction ID: 5c3ec6a99a68f8aa81af4276027bb9dc61f0416e6f69787378e7b5f4b2d81055
Opcode Fuzzy Hash: 995f29d439b71307d32f83be2d0feb689db9085f2827bd8da7cec9ab0f4b1b5b
Instruction Fuzzy Hash: 07E1E56100C7C18DD332D678884978BBFD45BA7328F084B9EF1E85A2D2D7B99509C76B

Function 0040CD29 Relevance: 54.5, APIs: 27, Strings: 4, Instructions: 285stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040CD47
_wcsicmp.MSVCRT ref: 0040CD62
_wcsnicmp.MSVCRT ref: 0040CD7C
_wcsnicmp.MSVCRT ref: 0040CD90
wcslen.MSVCRT ref: 0040CDA1
_wcsicmp.MSVCRT ref: 0040CDC3
memset.MSVCRT ref: 0040CE08
wcscpy.MSVCRT ref: 0040CE15
wcslen.MSVCRT ref: 0040CE36
wcslen.MSVCRT ref: 0040CE4E
_wcsicmp.MSVCRT ref: 0040CE99
_wcsicmp.MSVCRT ref: 0040CEB2
_wcsnicmp.MSVCRT ref: 0040CEC9
memset.MSVCRT ref: 0040CF0F
wcschr.MSVCRT ref: 0040CF17
wcslen.MSVCRT ref: 0040CF1F
wcscpy.MSVCRT ref: 0040CF3D
wcschr.MSVCRT ref: 0040CF4B
_wcsnicmp.MSVCRT ref: 0040CF81
memset.MSVCRT ref: 0040CFB5
strlen.MSVCRT ref: 0040CFBB
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,00000175), ref: 0040CFD7
strchr.MSVCRT ref: 0040CFEC
memset.MSVCRT ref: 0040D016
memset.MSVCRT ref: 0040D02B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040D04C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040D05F

Strings

http://, xrefs: 0040CD76
:stringdata, xrefs: 0040CDBD
https://, xrefs: 0040CD8A
ftp://, xrefs: 0040CEC3

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$ftp://$http://$https://
API String ID: 2787044678-1921111777
Opcode ID: ec0114e663ce19aff3f90003a8fd63b11b9c22cd63c360598622bef034e99d4e
Instruction ID: 31c4756266147e6910c9b81443fc6bcc098cf3ae963dfb44ea8ac31e231b8895
Opcode Fuzzy Hash: ec0114e663ce19aff3f90003a8fd63b11b9c22cd63c360598622bef034e99d4e
Instruction Fuzzy Hash: E591C571900209AEEF10EF65CC85EAF776CEF41308F11017AFD48A7181EA39ED559BA9

Function 00415A4F Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00415A7C
GetDlgItem.USER32(?,000003E8), ref: 00415A88
GetWindowLongW.USER32(00000000,000000F0), ref: 00415A97
GetWindowLongW.USER32(?,000000F0), ref: 00415AA3
GetWindowLongW.USER32(00000000,000000EC), ref: 00415AAC
GetWindowLongW.USER32(?,000000EC), ref: 00415AB8
GetWindowRect.USER32(00000000,?), ref: 00415ACA
GetWindowRect.USER32(?,?), ref: 00415AD5
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00415AE9
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00415AF7
GetDC.USER32 ref: 00415B30
wcslen.MSVCRT ref: 00415B70
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00415B81
ReleaseDC.USER32(?,?), ref: 00415BCE
_snwprintf.MSVCRT ref: 00415C91
SetWindowTextW.USER32(?,?), ref: 00415CA5
SetWindowTextW.USER32(?,00000000), ref: 00415CC3
GetDlgItem.USER32(?,00000001), ref: 00415CF9
GetWindowRect.USER32(00000000,?), ref: 00415D09
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00415D17
GetClientRect.USER32(?,?), ref: 00415D2E
GetWindowRect.USER32(?,?), ref: 00415D38
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00415D7E
GetClientRect.USER32(?,?), ref: 00415D88
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00415DC0

Strings

%s:, xrefs: 00415C86
STATIC, xrefs: 00415C30
EDIT, xrefs: 00415C66

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 73acb0ed32a970b20df8983533c2da65e35bdd152e1489d9eefe2103cdb0831a
Instruction ID: 2a77a63511e309727bf0294579c2b04fd4d2a03fba58f863ebfb764bbd101497
Opcode Fuzzy Hash: 73acb0ed32a970b20df8983533c2da65e35bdd152e1489d9eefe2103cdb0831a
Instruction Fuzzy Hash: ACB1C075108301AFD721DFA8C985E6BBBF9FF88704F004A2DF59582261DB75E9088F56

Function 00403F83 Relevance: 45.1, APIs: 30, Instructions: 102windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00410381: memset.MSVCRT ref: 004103C4
Part of subcall function 00410381: memset.MSVCRT ref: 004103D9
Part of subcall function 00410381: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004103EB
Part of subcall function 00410381: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00410409
Part of subcall function 00410381: SendMessageW.USER32(?,00001003,00000001,?), ref: 00410446
Part of subcall function 00410381: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0041045A
Part of subcall function 00410381: ImageList_SetImageCount.COMCTL32(00000000,0000000A), ref: 00410465
Part of subcall function 00410381: SendMessageW.USER32(?,00001003,00000000,?), ref: 0041047D
Part of subcall function 00410381: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00410489
Part of subcall function 00410381: GetModuleHandleW.KERNEL32(00000000), ref: 00410498
Part of subcall function 00410381: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 004104AA
Part of subcall function 00410381: GetModuleHandleW.KERNEL32(00000000), ref: 004104B5
Part of subcall function 00410381: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 004104C7
Part of subcall function 00410381: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004104D8
Part of subcall function 00410381: GetSysColor.USER32(0000000F), ref: 004104E0

GetModuleHandleW.KERNEL32(00000000), ref: 00403F95
LoadIconW.USER32(00000000,00000072), ref: 00403FA0
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403FB1
GetModuleHandleW.KERNEL32(00000000), ref: 00403FB5
LoadIconW.USER32(00000000,00000074), ref: 00403FBA
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403FC5
GetModuleHandleW.KERNEL32(00000000), ref: 00403FC9
LoadIconW.USER32(00000000,00000073), ref: 00403FCE
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403FD9
GetModuleHandleW.KERNEL32(00000000), ref: 00403FDD
LoadIconW.USER32(00000000,00000075), ref: 00403FE2
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 00403FED
GetModuleHandleW.KERNEL32(00000000), ref: 00403FF1
LoadIconW.USER32(00000000,0000006F), ref: 00403FF6
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00404001
GetModuleHandleW.KERNEL32(00000000), ref: 00404005
LoadIconW.USER32(00000000,00000076), ref: 0040400A
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00404015
GetModuleHandleW.KERNEL32(00000000), ref: 00404019
LoadIconW.USER32(00000000,00000077), ref: 0040401E
ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 00404029
GetModuleHandleW.KERNEL32(00000000), ref: 0040402D
LoadIconW.USER32(00000000,00000070), ref: 00404032
ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 0040403D
GetModuleHandleW.KERNEL32(00000000), ref: 00404041
LoadIconW.USER32(00000000,00000078), ref: 00404046
ImageList_ReplaceIcon.COMCTL32(?,00000008,00000000), ref: 00404051
GetModuleHandleW.KERNEL32(00000000), ref: 00404055
LoadIconW.USER32(00000000,00000079), ref: 0040405A
ImageList_ReplaceIcon.COMCTL32(?,00000009,00000000), ref: 00404065

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Icon$Image$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 264706568-0
Opcode ID: 7a8e7a753c4a6969c8ebad43a6ff4298becb11f1dffce4c04823a78b46f89c4a
Instruction ID: 4987a5fc14cceb3ec057973e66b70c09839ea495ac49043ce4cc72b72b9a55f5
Opcode Fuzzy Hash: 7a8e7a753c4a6969c8ebad43a6ff4298becb11f1dffce4c04823a78b46f89c4a
Instruction Fuzzy Hash: 46211DA0B857087AF63037B2DC4BF7B7A5EDF81B89F224410F74C990E0C9E6AC104928

Function 00413704 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00413749
GetDlgItem.USER32(?,000003EA), ref: 00413761
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0041377F
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0041378B
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00413793
memset.MSVCRT ref: 004137BA
memset.MSVCRT ref: 004137DC
memset.MSVCRT ref: 004137F5
memset.MSVCRT ref: 00413809
memset.MSVCRT ref: 00413823
memset.MSVCRT ref: 00413838
GetCurrentProcess.KERNEL32 ref: 00413840
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00413863
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00413895
memset.MSVCRT ref: 004138E8
GetCurrentProcessId.KERNEL32 ref: 004138F6
memcpy.MSVCRT(?,0045BA90,0000021C), ref: 00413924
wcscpy.MSVCRT ref: 00413947
_snwprintf.MSVCRT ref: 004139B6
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004139CE
GetDlgItem.USER32(?,000003EA), ref: 004139D8
SetFocus.USER32(00000000), ref: 004139DF

Strings

{Unknown}, xrefs: 004137CE
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 004139AB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 96155596f3279f9d03c0a9243ad5968801c4fe39fa66a488338b1dd2f38d3b4c
Instruction ID: f28911e6e9c8f7c9bcffcad48f5b4909217dcd52314a7c8ddb419c581ced49a2
Opcode Fuzzy Hash: 96155596f3279f9d03c0a9243ad5968801c4fe39fa66a488338b1dd2f38d3b4c
Instruction Fuzzy Hash: 087180B280121DFEEB11AF51DC45EEB776CEB08355F0440BAF508A2151EB799E848FA9

Function 004017B0 Relevance: 39.2, APIs: 26, Instructions: 185COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 00401808
ChildWindowFromPoint.USER32(?,?,?), ref: 0040181A
GetDlgItem.USER32(?,000003EE), ref: 00401850
ChildWindowFromPoint.USER32(?,?,?), ref: 0040185D
GetDlgItem.USER32(?,000003EC), ref: 0040188B
ChildWindowFromPoint.USER32(?,?,?), ref: 0040189D
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 004018A6
LoadCursorW.USER32(00000000,00000067), ref: 004018AF
SetCursor.USER32(00000000,?,?), ref: 004018B6
GetDlgItem.USER32(?,000003EE), ref: 004018D7
ChildWindowFromPoint.USER32(?,?,?), ref: 004018E4
GetDlgItem.USER32(?,000003EC), ref: 004018FE
SetBkMode.GDI32(?,00000001), ref: 0040190A
SetTextColor.GDI32(?,00C00000), ref: 00401918
GetSysColorBrush.USER32(0000000F), ref: 00401920
GetDlgItem.USER32(?,000003EE), ref: 00401941
EndDialog.USER32(?,?), ref: 00401976
DeleteObject.GDI32(?), ref: 00401982
GetDlgItem.USER32(?,000003ED), ref: 004019A7
ShowWindow.USER32(00000000), ref: 004019B0
GetDlgItem.USER32(?,000003EE), ref: 004019BC
ShowWindow.USER32(00000000), ref: 004019BF
SetDlgItemTextW.USER32(?,000003EE,0045E778), ref: 004019D0
SetWindowTextW.USER32(?,00000000), ref: 004019E2
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004019FA
SetDlgItemTextW.USER32(?,000003EC,?), ref: 00401A0B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID:
API String ID: 829165378-0
Opcode ID: 28d1f74300f5acc619f393cf0bab4760741c336622d5a51f223752340646ab01
Instruction ID: 2e860b65d83457e398c211b7ef8e3c32b9ff1fce9bb52c2d4974f341227d48e7
Opcode Fuzzy Hash: 28d1f74300f5acc619f393cf0bab4760741c336622d5a51f223752340646ab01
Instruction Fuzzy Hash: 3E519D79500708ABEB21AF70DC88E6E7BB5FB44301F10493AF552A21F1C7B9AA54DF18

Function 00410E8D Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 263windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D8B5: LoadMenuW.USER32(00000000), ref: 0040D8BD

SetMenu.USER32(?,00000000), ref: 00410F9A
CreateStatusWindowW.COMCTL32(50000000,0044F4CC,?,00000101), ref: 00410FB5
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00410FCD
GetModuleHandleW.KERNEL32(00000000), ref: 00410FDC
LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 00410FE9
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 00411013
GetModuleHandleW.KERNEL32(00000000), ref: 00411020
CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411047
memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 0041110F
ShowWindow.USER32(?,?), ref: 00411145
GetFileAttributesW.KERNEL32(0045F078), ref: 00411176
GetTempPathW.KERNEL32(00000104,0045F078), ref: 00411186
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 004111C1
SendMessageW.USER32(?,00000404,00000002,?), ref: 004111FB
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0041120E

Part of subcall function 004054CF: wcslen.MSVCRT ref: 004054EC
Part of subcall function 004054CF: SendMessageW.USER32(?,00001061,?,?), ref: 00405510

Strings

SysListView32, xrefs: 00411041
commdlg_FindReplace, xrefs: 004111BC
report.html, xrefs: 00411191
/nosaveload, xrefs: 004110CC

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Message$SendWindow$Create$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpywcslen
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 2327787793-2103577948
Opcode ID: 777271bfed07e17862ed6d8aebfb67f85c61c800a569c266c8f994dafd1a2857
Instruction ID: 95a3d167940fe3ebdcb7c516ac7433945ec5bcbd5685e9f747196b27d1c22ec3
Opcode Fuzzy Hash: 777271bfed07e17862ed6d8aebfb67f85c61c800a569c266c8f994dafd1a2857
Instruction Fuzzy Hash: FEA1BF71640388AFEB11DF64CC89BCA3FA5AF55304F0444B9FE08AF292C7B59548CB69

Function 00446665 Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(0040E0C9,?,00000000), ref: 0044667B
??2@YAPAXI@Z.MSVCRT(?,00000000,0040E0C9,?,00000000), ref: 00446696
GetFileVersionInfoW.VERSION(0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466A6
VerQueryValueW.VERSION(00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466B9
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466F6
_snwprintf.MSVCRT ref: 00446716
wcscpy.MSVCRT ref: 00446740
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 004467F0

Strings

\VarFileInfo\Translation, xrefs: 004466F0
%4.4X%4.4X, xrefs: 0044670B
InternalName, xrefs: 004467AD
OriginalFileName, xrefs: 004467D7
FileDescription, xrefs: 00446759
ProductName, xrefs: 00446747
FileVersion, xrefs: 0044676E
ProductVersion, xrefs: 00446783
040904E4, xrefs: 0044673A
LegalCopyright, xrefs: 004467C2
CompanyName, xrefs: 00446798

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: d4dd335fc41ad2063f46854916b7d01aa3fbdbc7a054ebd33d2c839f8f36a85c
Instruction ID: d5653fb1b2b7478917158de9cf610de98b6740d2027696868c611b94d6ffcb81
Opcode Fuzzy Hash: d4dd335fc41ad2063f46854916b7d01aa3fbdbc7a054ebd33d2c839f8f36a85c
Instruction Fuzzy Hash: C64113B2A00218BAD704EF91DD41DDEB7ACFF09304F11451BB905B3142EF78A659CBA9

Function 00410381 Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004103C4
memset.MSVCRT ref: 004103D9
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004103EB
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00410409
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00410422
ImageList_SetImageCount.COMCTL32(00000000,0000000A), ref: 0041042D
SendMessageW.USER32(?,00001003,00000001,?), ref: 00410446
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0041045A
ImageList_SetImageCount.COMCTL32(00000000,0000000A), ref: 00410465
SendMessageW.USER32(?,00001003,00000000,?), ref: 0041047D
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00410489
GetModuleHandleW.KERNEL32(00000000), ref: 00410498
LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 004104AA
GetModuleHandleW.KERNEL32(00000000), ref: 004104B5
LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 004104C7
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004104D8
GetSysColor.USER32(0000000F), ref: 004104E0
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 004104FB
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0041050B
DeleteObject.GDI32(?), ref: 00410517
DeleteObject.GDI32(?), ref: 0041051D
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0041053A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d592f4ebbee006bb6ed55b3a21e33839510d47025a9d6a972f2f5b101dbbb872
Instruction ID: 7f26086368a8811bff09cc620d8db4ef3709b429c5b5910aef32137d5162c258
Opcode Fuzzy Hash: d592f4ebbee006bb6ed55b3a21e33839510d47025a9d6a972f2f5b101dbbb872
Instruction Fuzzy Hash: 84419675640304BFE720AF60DC8AFD77798FB49745F000839B799A61D1C7F6A8849B29

Function 0040F696 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 185COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F6B7
memset.MSVCRT ref: 0040F6E1
memset.MSVCRT ref: 0040F6F7
memset.MSVCRT ref: 0040F70D
_snwprintf.MSVCRT ref: 0040F746
wcscpy.MSVCRT ref: 0040F791
_snwprintf.MSVCRT ref: 0040F81E
wcscat.MSVCRT ref: 0040F850

Part of subcall function 00416DB4: _snwprintf.MSVCRT ref: 00416DD8

wcscpy.MSVCRT ref: 0040F832
_snwprintf.MSVCRT ref: 0040F88F

Strings

 , xrefs: 0040F84A
<font color="%s">%s</font>, xrefs: 0040F811
o<@, xrefs: 0040F7A6, 0040F7C2, 0040F85A
bgcolor="%s", xrefs: 0040F738
nowrap, xrefs: 0040F78B
</table><p>, xrefs: 0040F8B3
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040F6BF
<table border="1" cellpadding="5">, xrefs: 0040F74E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s$o<@
API String ID: 1607361635-3679438452
Opcode ID: 4731570b1df8245d9ba0a7b5cb35d7f58960f04d5df534be5afec6bb741ccfcf
Instruction ID: c9c9c2a4c0014aec28f6a6d1c50fe2906790d152b0bc8d99d06e27721e28e2e0
Opcode Fuzzy Hash: 4731570b1df8245d9ba0a7b5cb35d7f58960f04d5df534be5afec6bb741ccfcf
Instruction Fuzzy Hash: 5B61C031900208EFDF24EF54CC85EEE7779EF45314F1041AAF804AB292DB39AA94CB55

Function 004134F0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413513

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

wcscpy.MSVCRT ref: 00413577
wcscpy.MSVCRT ref: 00413588
memset.MSVCRT ref: 004135A1
memset.MSVCRT ref: 004135B6
_snwprintf.MSVCRT ref: 004135D0
wcscpy.MSVCRT ref: 004135E3
memset.MSVCRT ref: 0041360F
memset.MSVCRT ref: 0041366E
memset.MSVCRT ref: 00413683
_snwprintf.MSVCRT ref: 0041369F
wcscpy.MSVCRT ref: 004136B2

Strings

IsRelative, xrefs: 004136E2
Profile%d, xrefs: 004135BC, 00413691
profiles.ini, xrefs: 0041351E
Path, xrefs: 004136C7
General, xrefs: 00413582

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 2454223109-2600475665
Opcode ID: f5d1d8963b751ecd1a35c643c487ff4ade738b5c65df3c9a6eb4e6993c7bb1e1
Instruction ID: 9f98b962bf64fc41312729a32297df74b75f7af46428a9f2a50f724a012a647b
Opcode Fuzzy Hash: f5d1d8963b751ecd1a35c643c487ff4ade738b5c65df3c9a6eb4e6993c7bb1e1
Instruction Fuzzy Hash: C6510DB294122CBADB20EB55CD45ECF77BCAF55754F0140E6B508A2142EA385B84CFAA

Function 00416E84 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00416EA6
memset.MSVCRT ref: 00416EBB
wcscpy.MSVCRT ref: 00416EED
_snwprintf.MSVCRT ref: 00416F0D
wcscat.MSVCRT ref: 00416F1A
_snwprintf.MSVCRT ref: 00416F49
wcscat.MSVCRT ref: 00416F56
wcscat.MSVCRT ref: 00416F64
wcscat.MSVCRT ref: 00416F76
wcscat.MSVCRT ref: 00416F81
wcscat.MSVCRT ref: 00416F93
wcscat.MSVCRT ref: 00416FA5

Strings

<b>, xrefs: 00416F70
size="%d", xrefs: 00416EFC
</b>, xrefs: 00416F8D
<font, xrefs: 00416EE7
color="#%s", xrefs: 00416F38
</font>, xrefs: 00416F9F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 3ea85b475066484b5fca8c45ce1ff678e1ca65170c514b6952232c65087133fa
Instruction ID: 38fb58bcee569138cf1c6d38f2492e07bff0653b862c37002d8b5a61cc6a81ae
Opcode Fuzzy Hash: 3ea85b475066484b5fca8c45ce1ff678e1ca65170c514b6952232c65087133fa
Instruction Fuzzy Hash: 0A31C8B2501309BDE720BB559D829BE737C9B41715F21806FF61462182E67C9E858B19

Function 00413A57 Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040BB60,?,000000FF,00000000,00000104), ref: 00413A6A
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413A81
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00413A93
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00413AA5
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00413AB7
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00413AC9
GetProcAddress.KERNEL32(NtQueryObject), ref: 00413ADB
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00413AED
GetProcAddress.KERNEL32(NtResumeProcess), ref: 00413AFF

Strings

NtQueryObject, xrefs: 00413ACB
NtQuerySystemInformation, xrefs: 00413A76
NtResumeProcess, xrefs: 00413AEF
NtQuerySymbolicLinkObject, xrefs: 00413AB9
ntdll.dll, xrefs: 00413A65
NtLoadDriver, xrefs: 00413A83
NtOpenSymbolicLinkObject, xrefs: 00413AA7
NtUnloadDriver, xrefs: 00413A95
NtSuspendProcess, xrefs: 00413ADD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: 688ae1a650c2843fb022fdb0e80312dcfa35bd94c2434b86a4149cb05d0d823f
Instruction ID: 3094f08e780b7640ee0285fea3f53bfe9e93f2d39e0d9e3b23931a4aeb60f93e
Opcode Fuzzy Hash: 688ae1a650c2843fb022fdb0e80312dcfa35bd94c2434b86a4149cb05d0d823f
Instruction Fuzzy Hash: 91019774D41714AACB2B9F72ED19A153FA0F704B6371004B7E805922A3DA7CC20CCE8D

Function 0040913E Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 0040D0D4: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040118B,?,?,?,?,000003FF), ref: 0040D0F2
Part of subcall function 0040D0D4: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040D146

Part of subcall function 0040D19E: _wcsicmp.MSVCRT ref: 0040D1D8

memset.MSVCRT ref: 004091C9
memset.MSVCRT ref: 004091DE
_wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,formSubmitURL,guid,00000000,00000132,00000000,00000131,00000000), ref: 00409349
_wcsicmp.MSVCRT ref: 0040935D
memset.MSVCRT ref: 0040937E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 004093B2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004093C9
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004093E0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004093F7
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000000FF,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040940E

Part of subcall function 0040911D: _wtoi64.MSVCRT ref: 00409121

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00409425
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040943C
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00409453

Part of subcall function 00408F0A: memset.MSVCRT ref: 00408F30
Part of subcall function 00408F0A: memset.MSVCRT ref: 00408F47
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408F6A
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FC3
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FDA
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FED
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409000
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409013
Part of subcall function 00408F0A: wcscpy.MSVCRT ref: 00409022
Part of subcall function 00408F0A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409048
Part of subcall function 00408F0A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409062

Strings

null, xrefs: 00409355
logins, xrefs: 00409175
guid, xrefs: 00409258
formSubmitURL, xrefs: 00409265

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$strcpy$memset$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
String ID: formSubmitURL$guid$logins$null
API String ID: 1954096314-80472114
Opcode ID: 5770c7b9e0db175cc848b6b14382923acb5d78691a521a18d34b6d93cc53e77d
Instruction ID: ed379e5704be75f3e6866550497b864d9ddced9f47acb00a3616e2846d1467bc
Opcode Fuzzy Hash: 5770c7b9e0db175cc848b6b14382923acb5d78691a521a18d34b6d93cc53e77d
Instruction Fuzzy Hash: 318175B1D4021EBAEF20BBA18C82EEE767DEF04318F11417BB514B61D2DA385E459F64

Function 0040BAE3 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 212fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BB0B

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040BB32

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040700C), ref: 0040B5FE

Part of subcall function 00413A57: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040BB60,?,000000FF,00000000,00000104), ref: 00413A6A
Part of subcall function 00413A57: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413A81
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00413A93
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00413AA5
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00413AB7
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00413AC9
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtQueryObject), ref: 00413ADB
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00413AED
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00413AFF

CloseHandle.KERNEL32(C0000004,?,000000FF,00000000,00000104), ref: 0040BB9C
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040BBA7
_wcsicmp.MSVCRT ref: 0040BC10
_wcsicmp.MSVCRT ref: 0040BC23
_wcsicmp.MSVCRT ref: 0040BC36
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040BC4A
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040BC90
DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040BC9F
memset.MSVCRT ref: 0040BCBD
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040BCF0
_wcsicmp.MSVCRT ref: 0040BD10
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040BD50

Strings

taskhost.exe, xrefs: 0040BC1B
dllhost.exe, xrefs: 0040BC07
taskhostex.exe, xrefs: 0040BC2E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateNameOpen
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 480273677-3398334509
Opcode ID: 41abfebd1c81519318b0f84339465481cac2966d8304d7996ed66729d33f3768
Instruction ID: 29761171d8d6f99e34678da7c42ad3d9b616dea413bdd79b79df07308111e2da
Opcode Fuzzy Hash: 41abfebd1c81519318b0f84339465481cac2966d8304d7996ed66729d33f3768
Instruction Fuzzy Hash: E2815971900209EFDB10EF95CC85AAEBBB5FF44305F20447AE905B7291D739AE80CB98

Function 0040FCDC Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FD02
memset.MSVCRT ref: 0040FD17
memset.MSVCRT ref: 0040FD2C
_snwprintf.MSVCRT ref: 0040FD5B
_snwprintf.MSVCRT ref: 0040FD8A
wcscpy.MSVCRT ref: 0040FD9B
_snwprintf.MSVCRT ref: 0040FDBB
memset.MSVCRT ref: 0040FDFA
_snwprintf.MSVCRT ref: 0040FE1B
_snwprintf.MSVCRT ref: 0040FE55

Part of subcall function 00416DB4: _snwprintf.MSVCRT ref: 00416DD8

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 0040FDAA
bgcolor="%s", xrefs: 0040FD4A
<font color="%s">, xrefs: 0040FD79
</font>, xrefs: 0040FD95
<th%s>%s%s%s, xrefs: 0040FE44
width="%s", xrefs: 0040FE0A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 5fe8db686efc772fa6b4f80b717c1a9ed323b4090c8ee1f0a390374eed08aaa7
Instruction ID: de9e738956947f7a13c6b231079008692334f1b8e04242fb28e7d90039f4c50e
Opcode Fuzzy Hash: 5fe8db686efc772fa6b4f80b717c1a9ed323b4090c8ee1f0a390374eed08aaa7
Instruction Fuzzy Hash: 024154B1940219AAEB20EB55CC81EEB737CFF45304F0540BBB908A2552E7399B988F65

Function 0040FCDB Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FD02
memset.MSVCRT ref: 0040FD17
memset.MSVCRT ref: 0040FD2C
_snwprintf.MSVCRT ref: 0040FD5B
_snwprintf.MSVCRT ref: 0040FD8A
wcscpy.MSVCRT ref: 0040FD9B
_snwprintf.MSVCRT ref: 0040FDBB
memset.MSVCRT ref: 0040FDFA
_snwprintf.MSVCRT ref: 0040FE1B
_snwprintf.MSVCRT ref: 0040FE55

Part of subcall function 00416DB4: _snwprintf.MSVCRT ref: 00416DD8

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 0040FDAA
bgcolor="%s", xrefs: 0040FD4A
<font color="%s">, xrefs: 0040FD79
</font>, xrefs: 0040FD95
<th%s>%s%s%s, xrefs: 0040FE44
width="%s", xrefs: 0040FE0A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 35a9874a1796bbad2c5835aadc159d16ef12338abd3b36aedf42a62c4a9f3186
Instruction ID: 16ebb7c4a1209ddf7042b365c973bf7ab66be9daa39a45122df40dcc931b4b2c
Opcode Fuzzy Hash: 35a9874a1796bbad2c5835aadc159d16ef12338abd3b36aedf42a62c4a9f3186
Instruction Fuzzy Hash: F64194B1940219AAEB20EB55CC81EEB777CFF45304F0540BBF908E2552E7399B988F65

Function 0040E055 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E07B
memset.MSVCRT ref: 0040E097

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

Part of subcall function 00446665: GetFileVersionInfoSizeW.VERSION(0040E0C9,?,00000000), ref: 0044667B
Part of subcall function 00446665: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040E0C9,?,00000000), ref: 00446696
Part of subcall function 00446665: GetFileVersionInfoW.VERSION(0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466A6
Part of subcall function 00446665: VerQueryValueW.VERSION(00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466B9
Part of subcall function 00446665: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466F6
Part of subcall function 00446665: _snwprintf.MSVCRT ref: 00446716
Part of subcall function 00446665: wcscpy.MSVCRT ref: 00446740

wcscpy.MSVCRT ref: 0040E0DB
wcscpy.MSVCRT ref: 0040E0EA
wcscpy.MSVCRT ref: 0040E0FA
EnumResourceNamesW.KERNEL32(0040E1F9,00000004,0040DE05,00000000), ref: 0040E15F
EnumResourceNamesW.KERNEL32(0040E1F9,00000005,0040DE05,00000000), ref: 0040E169
wcscpy.MSVCRT ref: 0040E171

Strings

general, xrefs: 0040E0EF
TranslatorName, xrefs: 0040E106
hE, xrefs: 0040E0F4
strings, xrefs: 0040E16B
TranslatorURL, xrefs: 0040E117
Version, xrefs: 0040E12D
RTL, xrefs: 0040E140

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$hE$strings
API String ID: 3037099051-2452564618
Opcode ID: 36a298b38765c7c9715b799f2682acc7fcb4a893d173dce7fa7602aae9355a61
Instruction ID: 2c5873c7a60e264be4f9171a36220462047ece05b997d6ce6468ce1c7a270e3a
Opcode Fuzzy Hash: 36a298b38765c7c9715b799f2682acc7fcb4a893d173dce7fa7602aae9355a61
Instruction Fuzzy Hash: DB21D972E4021875D720BB978C46FCB3B6C9F45758F010477B90876193E6B85BC885AE

Function 00404B0A Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404B34

Part of subcall function 0040ACA5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040121D,?,?,?,?,?,?,?), ref: 0040ACBE

memcpy.MSVCRT(0000013F,00000000,00000000,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 00404C24
memcmp.MSVCRT(00000000,0045B4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 00404C34
memcpy.MSVCRT(00000014,00000023,?), ref: 00404C67
memcpy.MSVCRT(0000012F,?,00000010), ref: 00404C80
memcmp.MSVCRT(00000000,0045B4E8,00000006), ref: 00404C96
memcpy.MSVCRT(00000014,00000015,?), ref: 00404CB2
memcpy.MSVCRT(-0000011F,?,00000010), ref: 00404CCB
memcmp.MSVCRT(00000000,0045B238,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404D79
memcmp.MSVCRT(00000000,0045B500,00000006), ref: 00404D91
memcpy.MSVCRT(00000268,00000023,?), ref: 00404DCA
memcpy.MSVCRT(000003C8,00000042,00000010), ref: 00404DE6
memcpy.MSVCRT(-00000368,00000054,00000020), ref: 00404E02
memcmp.MSVCRT(00000000,0045B4F8,00000006), ref: 00404E14
memcpy.MSVCRT(00000268,00000015,?), ref: 00404E38
memcpy.MSVCRT(-00000368,0000001A,00000020), ref: 00404E50

Strings

, xrefs: 00404BFD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp$ByteCharMultiWidememset
String ID:
API String ID: 3715365532-3916222277
Opcode ID: 5ecca13a8667a5055cb12e86e8931f63f7f9f3ee63bd6537aeb0e59f26b2527b
Instruction ID: 9db0de9f1e5b33104745f3d8eac733b3821debaf75d372e7250164ca2aaf5d57
Opcode Fuzzy Hash: 5ecca13a8667a5055cb12e86e8931f63f7f9f3ee63bd6537aeb0e59f26b2527b
Instruction Fuzzy Hash: 03A1C8B1A01215ABDB11EF61CC41BDF73A8BF45308F01453BFA15E7282E778AA548BD9

Function 004097B9 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 182stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,00409C47,?,?,?,0000001E,?,?,00000104), ref: 004097E2
??2@YAPAXI@Z.MSVCRT(00000001,?,00409C47,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004097F6

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

memset.MSVCRT ref: 00409828
memset.MSVCRT ref: 0040984A
memset.MSVCRT ref: 0040985F
strcmp.MSVCRT ref: 0040989E
strcpy.MSVCRT(?,?,?,?,?,?), ref: 00409934
strcpy.MSVCRT(?,?,?,?,?,?), ref: 00409953
memset.MSVCRT ref: 00409967
strcmp.MSVCRT ref: 004099C4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 004099F6
CloseHandle.KERNEL32(?,?,00409C47,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004099FF

Strings

---, xrefs: 004099BE

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3751793120-2854292027
Opcode ID: 9829021a33fa0c4240cc714bdbc117138227f934a385a668a1d7ce2f2a0a4b46
Instruction ID: b5e8b399fdeb6a040b223f826d27245e63d255c1968850f26e436778d13c1eb2
Opcode Fuzzy Hash: 9829021a33fa0c4240cc714bdbc117138227f934a385a668a1d7ce2f2a0a4b46
Instruction Fuzzy Hash: 946173B2C0526DAADF21EB948C859DFB7BCAB15314F1440BFE504B3242DB385E85CB69

Function 0040BD7C Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BAE3: memset.MSVCRT ref: 0040BB0B
Part of subcall function 0040BAE3: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040BB32
Part of subcall function 0040BAE3: CloseHandle.KERNEL32(C0000004,?,000000FF,00000000,00000104), ref: 0040BB9C
Part of subcall function 0040BAE3: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040BBA7
Part of subcall function 0040BAE3: _wcsicmp.MSVCRT ref: 0040BC10

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040700C), ref: 0040B5FE

OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040BDF1
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040BE10
DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040BE1D
GetFileSize.KERNEL32(?,00000000), ref: 0040BE32

Part of subcall function 0040A004: GetTempPathW.KERNEL32(00000104,?,?), ref: 0040A01B
Part of subcall function 0040A004: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040A02D
Part of subcall function 0040A004: GetTempFileNameW.KERNEL32(?,004011DE,00000000,?), ref: 0040A044

Part of subcall function 00409C9B: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,00410072,00000000,?,004122A5,00000000,00000000,?,00000000,00000000), ref: 00409CAD

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040BE5C
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040BE71
WriteFile.KERNEL32(00000000,00000000,00000104,0040C401,00000000), ref: 0040BE8C
UnmapViewOfFile.KERNEL32(00000000), ref: 0040BE93
CloseHandle.KERNEL32(?), ref: 0040BE9C
CloseHandle.KERNEL32(00000000), ref: 0040BEA1
CloseHandle.KERNEL32(?), ref: 0040BEA6
CloseHandle.KERNEL32(?), ref: 0040BEAB

Strings

bhv, xrefs: 0040BE3B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateMappingNameOpenPathSizeUnmapWindowsWrite_wcsicmpmemset
String ID: bhv
API String ID: 1287099752-2689659898
Opcode ID: d3d03c9a8ad57b8a463548e7c00375ceaece33a157552ba418978e92bf0b6b2d
Instruction ID: 81637e7f8efa5e62e8569a4f404239e6b0c8c80861be29ec9ae91375cb438629
Opcode Fuzzy Hash: d3d03c9a8ad57b8a463548e7c00375ceaece33a157552ba418978e92bf0b6b2d
Instruction Fuzzy Hash: 26411676900218FBCF119FA1CC499DFBFB9EF09750F108026FA04A6251D7749A44DBE9

Function 00412145 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0041214B
_wcsicmp.MSVCRT ref: 00412160

Strings

/stabular, xrefs: 0041219A
/sverhtml, xrefs: 0041215B
/skeepass, xrefs: 004121C4
/stab, xrefs: 00412185
/shtml, xrefs: 00412146
/scomma, xrefs: 004121AF
/sxml, xrefs: 00412170

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: 64e89c5a136ad70e2acd74f1c00236fdbd2f6e87aea00cca4f40c1ec5a2b789d
Instruction ID: e86e95086dff50f6aeac70f7173157b3529105d44adcd95765e423e28c57b3de
Opcode Fuzzy Hash: 64e89c5a136ad70e2acd74f1c00236fdbd2f6e87aea00cca4f40c1ec5a2b789d
Instruction Fuzzy Hash: 7201DE7328B31134F825A1A72D27B8707598BD2B7BF32455BF915C81C5EF8C849450AE

Function 0041530E Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0041533A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0041534B
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041535C
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041536D
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041537E
FreeLibrary.KERNEL32(00000000), ref: 0041539E

Strings

GetModuleFileNameExW, xrefs: 00415356
EnumProcesses, xrefs: 00415367
GetModuleInformation, xrefs: 00415378
EnumProcessModules, xrefs: 00415345
psapi.dll, xrefs: 0041531C
GetModuleBaseNameW, xrefs: 00415334

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2012295524-70141382
Opcode ID: 525b725ba8c3cdc06b652b5915534c9690f6b9e2340cfe00d9bbfd5c1f2d1a79
Instruction ID: 5d1c1eff7ac7706bec5e35702e10e1a9346d9393ddc5072ea1b98c1f41432ca5
Opcode Fuzzy Hash: 525b725ba8c3cdc06b652b5915534c9690f6b9e2340cfe00d9bbfd5c1f2d1a79
Instruction Fuzzy Hash: 080175B0941B15D9D7115B35ED00BBB3FA49B85B82B10003BEC14D2A92DBBCC8469B6D

Function 0041528A Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004138C5), ref: 00415299
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004152B2
GetProcAddress.KERNEL32(00000000,Module32First), ref: 004152C3
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 004152D4
GetProcAddress.KERNEL32(00000000,Process32First), ref: 004152E5
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004152F6

Strings

CreateToolhelp32Snapshot, xrefs: 004152AC
Module32First, xrefs: 004152BD
Module32Next, xrefs: 004152CE
Process32Next, xrefs: 004152F0
kernel32.dll, xrefs: 00415294
Process32First, xrefs: 004152DF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 26c7815ee6b58201438f61c557156c8ff69da56f2b6ddbed2f7ec124cb4fbf79
Instruction ID: 5e4339a03d4da52fda9f673776543f218f6d4f87af018ab15887d8e286533b58
Opcode Fuzzy Hash: 26c7815ee6b58201438f61c557156c8ff69da56f2b6ddbed2f7ec124cb4fbf79
Instruction Fuzzy Hash: 70F08630905B19E997215F35AD61BBF2EE89785B82714043BEC00D3296DBA8C8468AAC

Function 00411CBF Relevance: 19.7, APIs: 13, Instructions: 189windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00411D4C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00411D57
ReleaseDC.USER32(00000000,00000000), ref: 00411D6C
SetBkMode.GDI32(?,00000001), ref: 00411D7F
SetTextColor.GDI32(?,00FF0000), ref: 00411D8D
SelectObject.GDI32(?,?), ref: 00411D9E
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00411DD2
SelectObject.GDI32(00000014,00000005), ref: 00411DDE

Part of subcall function 00411B13: GetCursorPos.USER32(?), ref: 00411B1D
Part of subcall function 00411B13: GetSubMenu.USER32(?,00000000), ref: 00411B2B
Part of subcall function 00411B13: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 00411B5C

GetModuleHandleW.KERNEL32(00000000), ref: 00411DF9
LoadCursorW.USER32(00000000,00000067), ref: 00411E02
SetCursor.USER32(00000000), ref: 00411E09
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00411E51
memcpy.MSVCRT(?,?,00002008), ref: 00411E9A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
String ID:
API String ID: 1700100422-0
Opcode ID: 1cf45927c7e1b7e483f25d449432d44785f5cb0323d7f80aabb60001f85816e7
Instruction ID: c3388cb0b8e88e79d9fe84f40c546f28c4105956407e34fadf5c2981354f7f70
Opcode Fuzzy Hash: 1cf45927c7e1b7e483f25d449432d44785f5cb0323d7f80aabb60001f85816e7
Instruction Fuzzy Hash: 4D61B031604205ABDB14EFA4CC89BEA77A5FF44301F10452AFB059B2A1CB79AC91CB99

Function 0040DF8F Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

wcscpy.MSVCRT ref: 0040DFA9
wcscpy.MSVCRT ref: 0040DFB9
GetPrivateProfileIntW.KERNEL32(0045E668,rtl,00000000,0045E458), ref: 0040DFCA

Part of subcall function 0040DB0B: GetPrivateProfileStringW.KERNEL32(0045E668,?,0044F4CC,0045E6F8,?,0045E458), ref: 0040DB27

Strings

XE, xrefs: 0040DFA3
general, xrefs: 0040DFAE
TranslatorName, xrefs: 0040DFEE
hE, xrefs: 0040DFB3
TranslatorURL, xrefs: 0040E002
rtl, xrefs: 0040DFC4
charset, xrefs: 0040DFD8
xE, xrefs: 0040DFF3

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$XE$charset$general$hE$rtl$xE
API String ID: 3176057301-1663435254
Opcode ID: ce03a71f4104ba65c7634943c1c0a2916f24712798544291b36441c7694ed038
Instruction ID: 3d8b461fbaaec7ca5a0689e4e93172b3bcab4f1f7887f11f1c83d51a75cfd1f7
Opcode Fuzzy Hash: ce03a71f4104ba65c7634943c1c0a2916f24712798544291b36441c7694ed038
Instruction Fuzzy Hash: 31F0FC21FC132175E2253A635C07F2E35148BD3B57F5648BBBC147E1D3C66C5A48829E

Function 00410D08 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00410D27
GetWindowRect.USER32(?,?), ref: 00410D3D
GetWindowRect.USER32(?,?), ref: 00410D53
GetDlgItem.USER32(00000000,0000040D), ref: 00410D8D
GetWindowRect.USER32(00000000), ref: 00410D94
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00410DA4
BeginDeferWindowPos.USER32(00000004), ref: 00410DC8
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 00410DEB
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 00410E0A
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 00410E35
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00410E4D
EndDeferWindowPos.USER32(?), ref: 00410E52

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: 9f9a1085919ae9ac6807100c514c4c2990173c35f6b033fad767d96a1109aff9
Instruction ID: f4b3975cf6f7d3be18b30986ddc530eb89c4367e0f7efeac37d180ea3f2c0f2c
Opcode Fuzzy Hash: 9f9a1085919ae9ac6807100c514c4c2990173c35f6b033fad767d96a1109aff9
Instruction Fuzzy Hash: AC41C275900209BFEB11DFA8DD89FEEBBBAFB48300F104565E615A21A0C772AA54DB14

Function 0040C532 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C703,?,?,*.*,0040C76D,00000000), ref: 0040C552

Part of subcall function 0040A8EC: SetFilePointer.KERNEL32(0040C76D,?,00000000,00000000,?,0040C573,00000000,00000000,?,00000020,?,0040C703,?,?,*.*,0040C76D), ref: 0040A8F9

GetFileSize.KERNEL32(00000000,00000000), ref: 0040C582

Part of subcall function 0040C4A1: _memicmp.MSVCRT ref: 0040C4BB
Part of subcall function 0040C4A1: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C76D,00000000), ref: 0040C4D2

memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C5C9
strchr.MSVCRT ref: 0040C5EE
strchr.MSVCRT ref: 0040C5FF
_strlwr.MSVCRT ref: 0040C60D
memset.MSVCRT ref: 0040C628
CloseHandle.KERNEL32(00000000), ref: 0040C675

Strings

h, xrefs: 0040C5DA
4, xrefs: 0040C576

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: da7a13692060ae409e5302e4995310e5dd5bbfb7a5391393f0fdcb30f537ecd3
Instruction ID: 65cccf327fa0b5529330076339007647872360192ef6f3cf49ce6089d60f06ae
Opcode Fuzzy Hash: da7a13692060ae409e5302e4995310e5dd5bbfb7a5391393f0fdcb30f537ecd3
Instruction Fuzzy Hash: 3B3182B1900218FEEB20EB64CC85EEE77ACEF05318F10457AF608E6181D7399F548B69

Function 004164F5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00416523
memset.MSVCRT ref: 00416538
_snwprintf.MSVCRT ref: 00416552
_snwprintf.MSVCRT ref: 00416571
memset.MSVCRT ref: 004165A3
memset.MSVCRT ref: 004165B8
memset.MSVCRT ref: 004165CD
_snwprintf.MSVCRT ref: 004165E7
_snwprintf.MSVCRT ref: 00416604

Strings

%%0.%df, xrefs: 00416545, 004165DA

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: c99c8e2211586e52f8e911d5eb7fbf623d9b3fc3e27082e659afd7ab3044fb1d
Instruction ID: 27f99667104659e00ebd78455ae99a1af8c3fb89703bd44fec75f468f68576de
Opcode Fuzzy Hash: c99c8e2211586e52f8e911d5eb7fbf623d9b3fc3e27082e659afd7ab3044fb1d
Instruction Fuzzy Hash: 2231A471840229BADB20EF55CC85FEB777CFF49314F0104EAB50DA2102E7349A54CB69

Function 004078E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 00407903
KillTimer.USER32(?,00000041), ref: 00407913
KillTimer.USER32(?,00000041), ref: 00407924
GetTickCount.KERNEL32 ref: 00407947
GetParent.USER32(?), ref: 00407972
SendMessageW.USER32(00000000), ref: 00407979
BeginDeferWindowPos.USER32(00000004), ref: 00407987
EndDeferWindowPos.USER32(00000000), ref: 004079D7
InvalidateRect.USER32(?,?,00000001), ref: 004079E3

Strings

A, xrefs: 0040792F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: af84783409e1975db288b0c72e71a8e687db4ca826836481a8f26c8b0f9bbfa9
Instruction ID: af3d0bace5b62026118a6a1531e93ae50cbe973fa598ddd1ec3a4275e27b1afc
Opcode Fuzzy Hash: af84783409e1975db288b0c72e71a8e687db4ca826836481a8f26c8b0f9bbfa9
Instruction Fuzzy Hash: F431C2B9640305BBEB201F61CC86FAB7B6ABB44711F00443AF709B91E0C7F9A855CB59

Function 0040DE05 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,?), ref: 0040DE2D

Part of subcall function 0040DC55: GetMenuItemCount.USER32(?), ref: 0040DC6B
Part of subcall function 0040DC55: memset.MSVCRT ref: 0040DC8A
Part of subcall function 0040DC55: GetMenuItemInfoW.USER32 ref: 0040DCC6
Part of subcall function 0040DC55: wcschr.MSVCRT ref: 0040DCDE

DestroyMenu.USER32(00000000), ref: 0040DE4B
CreateDialogParamW.USER32(?,?,00000000,0040DE00,00000000), ref: 0040DEA0
GetDesktopWindow.USER32 ref: 0040DEAB
CreateDialogParamW.USER32(?,?,00000000), ref: 0040DEB8
memset.MSVCRT ref: 0040DED1
GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DEE8
EnumChildWindows.USER32(00000005,Function_0000DD46,00000000), ref: 0040DF15
DestroyWindow.USER32(00000005), ref: 0040DF1E

Part of subcall function 0040DA84: _snwprintf.MSVCRT ref: 0040DAA9

Strings

caption, xrefs: 0040DEFF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: de0643627d12cd9ffe249f933e94cd636f301555e7367070b26c87a68ee5e60d
Instruction ID: fb89002f7bebac49d56e068043a0f8d6468f1f005a4246ac5316588196cd2f0c
Opcode Fuzzy Hash: de0643627d12cd9ffe249f933e94cd636f301555e7367070b26c87a68ee5e60d
Instruction Fuzzy Hash: 3E317072900208BFEF11AF90DC85AAF3B69FB15364F10843AF905A91A1D7798998CF59

Function 004105A7 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004105DF
memset.MSVCRT ref: 004105F4
memset.MSVCRT ref: 00410609
_snwprintf.MSVCRT ref: 00410631
wcscpy.MSVCRT ref: 0041064D
_snwprintf.MSVCRT ref: 00410690

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410683
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410624
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004105B7
<table dir="rtl"><tr><td>, xrefs: 00410647

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 86694fa9596e8e718e964b02816faf9a37d1d78763b9eb9bb7709ff927f38285
Instruction ID: 23ba5de25e919ab4fdab3582845b47b673a12a4a92696f01ca941476ed93b1dd
Opcode Fuzzy Hash: 86694fa9596e8e718e964b02816faf9a37d1d78763b9eb9bb7709ff927f38285
Instruction Fuzzy Hash: 1D21B8B5A001186BDB21BB95CC41EDA37BCEF58745F0140BEF508D3151DA389AC88F69

Function 004153A6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 004153BF
wcscpy.MSVCRT ref: 004153CF

Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DC5
Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DCF
Part of subcall function 00409DB6: _memicmp.MSVCRT ref: 00409DEA

wcscpy.MSVCRT ref: 0041541E
wcscat.MSVCRT ref: 00415429
memset.MSVCRT ref: 00415405

Part of subcall function 0040A394: GetWindowsDirectoryW.KERNEL32(0045EC58,00000104,?,0041545E,?,?,00000000,00000208,?), ref: 0040A3AA
Part of subcall function 0040A394: wcscpy.MSVCRT ref: 0040A3BA

memset.MSVCRT ref: 0041544D
memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00415468
wcscat.MSVCRT ref: 00415474

Strings

\systemroot, xrefs: 004153DC

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: fa167bbd5e4528be15fe591abc0a22bdfd687e9aef1f213e27ce40de2961ead0
Instruction ID: f104943179f08cd93f8001f39408b1af5f6ad57b201dd995218135a96354df9e
Opcode Fuzzy Hash: fa167bbd5e4528be15fe591abc0a22bdfd687e9aef1f213e27ce40de2961ead0
Instruction Fuzzy Hash: 572129B2506304A9F621F3A24C46EEB63EC9F46714F20455FF524D2082EB7C99C44B6F

Function 0041A5D7 Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 004192F2: GetVersionExW.KERNEL32(?), ref: 00419315

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041A603
malloc.MSVCRT ref: 0041A60E
free.MSVCRT ref: 0041A61E
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041A632
free.MSVCRT ref: 0041A637
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041A64D
malloc.MSVCRT ref: 0041A655
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041A668
free.MSVCRT ref: 0041A66D
free.MSVCRT ref: 0041A681
free.MSVCRT ref: 0041A6A0

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$FullNamePath$malloc$Version
String ID:
API String ID: 3356672799-0
Opcode ID: 81b576499755cb31c8c6be5d07b3d32296e332f63dcbe60c266eca3a6750f240
Instruction ID: f6f3b6a306e4f0e49f71bf4976b7ceda75d2138abfea52430b05dfcd18a6bddb
Opcode Fuzzy Hash: 81b576499755cb31c8c6be5d07b3d32296e332f63dcbe60c266eca3a6750f240
Instruction Fuzzy Hash: 2121987190211CBFEF10BBA5DC46CDF7FA9DF41368B25007BF404A2161DB395E90966A

Function 00416B16 Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00416B89

Strings

Startup, xrefs: 00416B41
Common Desktop, xrefs: 00416B75
Desktop, xrefs: 00416B33
Favorites, xrefs: 00416B48
Common Start Menu, xrefs: 00416B56
Common Startup, xrefs: 00416B7C
Start Menu, xrefs: 00416B3A
Common Programs, xrefs: 00416B83
Programs, xrefs: 00416B4F
AppData, xrefs: 00416B6E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: dd6fa36c037bc6e4ff8f29b7a4256e51cef250e0a1f7438453280f81013bf7c0
Instruction ID: d324c76f68bf74469ccfd3712f78ba9dcc04a4285760018fac4a8f65c25a8c98
Opcode Fuzzy Hash: dd6fa36c037bc6e4ff8f29b7a4256e51cef250e0a1f7438453280f81013bf7c0
Instruction Fuzzy Hash: 95F036316ECF3562143415282916EFA401891317F73BB43176C0EE22E6C9CCF9CA905F

Function 0040D759 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040D76F
memset.MSVCRT ref: 0040D793
GetMenuItemInfoW.USER32 ref: 0040D7CE
memset.MSVCRT ref: 0040D7FD
wcschr.MSVCRT ref: 0040D809
wcscat.MSVCRT ref: 0040D864
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040D880

Strings

6, xrefs: 0040D7B9
0, xrefs: 0040D7AE

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 2396ed8fc361ba4a45bb880d20a87c435b430e1ae6be7f4a73d8f914fd610035
Instruction ID: f65e57152afae8b0dd47d5e8eb23764001e0fb6d1e5383f22b1dcfc0afcde8a7
Opcode Fuzzy Hash: 2396ed8fc361ba4a45bb880d20a87c435b430e1ae6be7f4a73d8f914fd610035
Instruction Fuzzy Hash: BE319072808300AFDB20AF91D84499FB7E8EF84354F04893FFA98A2191D375D948CF5A

Function 0040948F Relevance: 15.3, APIs: 12, Instructions: 268COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004094B7

Part of subcall function 0040ACA5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040121D,?,?,?,?,?,?,?), ref: 0040ACBE

memset.MSVCRT ref: 0040952E
memset.MSVCRT ref: 00409544

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMultiWide
String ID:
API String ID: 290601579-0
Opcode ID: 03c39fb9b8d424ef954cafc48962265f98f5dfa66375acb9161703e9137a6be8
Instruction ID: d523f13bca41d4f63d03b58f3e107dc7881316ec19a855ef67c9f0f82ee91530
Opcode Fuzzy Hash: 03c39fb9b8d424ef954cafc48962265f98f5dfa66375acb9161703e9137a6be8
Instruction Fuzzy Hash: FF9183B2D042199FDF14EFA59C82AEDB7B5AF44314F1404AFF608B6282DB395D44CB19

Function 0040A501 Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000011), ref: 0040A51A
GetSystemMetrics.USER32(00000010), ref: 0040A520
GetDC.USER32(00000000), ref: 0040A52D
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040A53E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040A545
ReleaseDC.USER32(00000000,00000000), ref: 0040A54C
GetWindowRect.USER32(?,?), ref: 0040A55F
GetParent.USER32(?), ref: 0040A564
GetWindowRect.USER32(00000000,00000000), ref: 0040A581
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A5E0

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: ead36faa3fb79a80cd8612a374053d91ddf5485b81bdcaaea8d99c602293a2a0
Instruction ID: f502094e92981caa4834973bf97846e608375c731a187de988a633f4dd51eeda
Opcode Fuzzy Hash: ead36faa3fb79a80cd8612a374053d91ddf5485b81bdcaaea8d99c602293a2a0
Instruction Fuzzy Hash: C2317076A00209AFDB14CFB8CC85AEEBBB9FB48355F150179E901F3290DA71AD458B60

Function 004037BE Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A68
_snwprintf.MSVCRT ref: 00403AFB
_snwprintf.MSVCRT ref: 00403B26
_snwprintf.MSVCRT ref: 00403B51
wcschr.MSVCRT ref: 00403972

Part of subcall function 0040B0B2: wcslen.MSVCRT ref: 0040B0CE
Part of subcall function 0040B0B2: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F32D), ref: 0040B0F1

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF75

Strings

", xrefs: 0040384D
", xrefs: 00403BB0
%I64d, xrefs: 00403AE8, 00403AF7, 00403B22, 00403B4D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintf$freememcpywcslen$memsetwcschr
String ID: "$"$%I64d
API String ID: 22347003-3439576549
Opcode ID: f2385fb97e0c4f99ddef286ed600442e38c7ba1bb554b94d3fe1eb697817be01
Instruction ID: 0bf4e81249543337a88649caf9663a23bfc85987250b829cb93633c0d649e96a
Opcode Fuzzy Hash: f2385fb97e0c4f99ddef286ed600442e38c7ba1bb554b94d3fe1eb697817be01
Instruction Fuzzy Hash: 94D1A172508345AFD710EF55C88199BBBE8FF84308F00493FF591A3191D779EA498B9A

Function 00403037 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00403043
abs.MSVCRT ref: 00403133
abs.MSVCRT ref: 00403163
log.MSVCRT ref: 004031FF
log.MSVCRT ref: 00403210
free.MSVCRT ref: 0040322C
free.MSVCRT ref: 0040323E

Strings

, xrefs: 00403069

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: 817fdffa1778754f202b473bcf56fa80498cf4c5f79b1c0829f3a8a504be4d4d
Instruction ID: c97d06dd0f2be15faafac33d75df6d0848abc1c3546c13c08877cf69662a8948
Opcode Fuzzy Hash: 817fdffa1778754f202b473bcf56fa80498cf4c5f79b1c0829f3a8a504be4d4d
Instruction Fuzzy Hash: E9616D30C0521ADADF18AF95E4814EEBB79FF08307F60857FE411B6295DB394A81CB59

Function 0040AC20 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409D23,?,00000000,?,004101B0,00000000,?,004122A5,00000000), ref: 0040AC45
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409D23,?,00000000,?,004101B0), ref: 0040AC63
wcslen.MSVCRT ref: 0040AC70
wcscpy.MSVCRT ref: 0040AC80
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409D23,?,00000000,?,004101B0,00000000), ref: 0040AC8A
wcscpy.MSVCRT ref: 0040AC9A

Strings

netmsg.dll, xrefs: 0040AC40
Unknown Error, xrefs: 0040AC92

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 65878271f7dde4f835bb4f16d13d15af7b94efba0f9313b390defd79aaf9ef92
Instruction ID: 2c1f00bf4471f0602265d83304054939549967734e239daa98e0476f80b6536b
Opcode Fuzzy Hash: 65878271f7dde4f835bb4f16d13d15af7b94efba0f9313b390defd79aaf9ef92
Instruction Fuzzy Hash: 15014231208210BFFB142B61DE4AEAF7B6CDF01B91F21003AF902B00D1DA385E90D69E

Function 00408F0A Relevance: 13.9, APIs: 11, Instructions: 137stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408F30
memset.MSVCRT ref: 00408F47
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408F6A
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FC3
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FDA
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FED
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409000
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409013
wcscpy.MSVCRT ref: 00409022
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409048
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409062

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID:
API String ID: 4248099071-0
Opcode ID: 3b10a0de6ee468264d86d1eb0d10d9c5d0e098c8a42a896ac47af6df3413975e
Instruction ID: 9fcf6790c625b5749f60fa5132a1aa849aae2f3610ed6a5dc53586237da03b21
Opcode Fuzzy Hash: 3b10a0de6ee468264d86d1eb0d10d9c5d0e098c8a42a896ac47af6df3413975e
Instruction Fuzzy Hash: DA51FCB59007189FDB60DF65C884FDAB7F8BB08314F0045AAE55DE3241DB34AA88CF65

Function 0043150A Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000020), ref: 004315CE
memset.MSVCRT ref: 00431609

Strings

unable to open database: %s, xrefs: 00431761
database is already attached, xrefs: 00431634
too many attached databases - max %d, xrefs: 00431563
cannot ATTACH database within transaction, xrefs: 00431579
attached databases must use the same text encoding as main database, xrefs: 00431682
database %s is already in use, xrefs: 004315DB
out of memory, xrefs: 00431778

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: fc04c1ccaf6d060ca3cb3a4a573306b6aac5391b95642690e4c4f6da1e14753e
Instruction ID: 41aed9512f3f75185fd37d9d4a788dbe0235547fbfc8844ed61f99ff34c0eb5c
Opcode Fuzzy Hash: fc04c1ccaf6d060ca3cb3a4a573306b6aac5391b95642690e4c4f6da1e14753e
Instruction Fuzzy Hash: 6091B670A00305AFDB10DF95C481B9ABBF1EF48308F24945FE8559B362D778E941CB59

Function 0040E63B Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E428
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E436
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E447
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E45E
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E467

??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E67B
??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E697
memcpy.MSVCRT(?,0045B248,00000014,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?), ref: 0040E6BC
memcpy.MSVCRT(?,0045B234,00000014,?,0045B248,00000014,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?), ref: 0040E6D0
??2@YAPAXI@Z.MSVCRT(00000000,?,004121F5,00000000), ref: 0040E753
??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004121F5,00000000), ref: 0040E75D
??2@YAPAXI@Z.MSVCRT(00000000,?,004121F5,00000000), ref: 0040E795

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT(00000000,00000002), ref: 0040D6FA

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

Strings

d, xrefs: 0040E774
(, xrefs: 0040E71D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: ($d
API String ID: 1140211610-1915259565
Opcode ID: 22d640288c57e05958ef48d510536d835924167508facb2840f18c0f6a69e3cb
Instruction ID: 861c2aa1e39ae2bba27ef8b85a75b2e75a9a29af417f25c333be1a6f913ae9ac
Opcode Fuzzy Hash: 22d640288c57e05958ef48d510536d835924167508facb2840f18c0f6a69e3cb
Instruction Fuzzy Hash: 3C517FB1601704AFD724DF2AC486B5AB7F8FF48314F10892EE55ACB391DB74E5408B58

Function 004197DE Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00419836
Sleep.KERNEL32(00000001), ref: 00419840
GetLastError.KERNEL32 ref: 00419852
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041992A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 14e06bfcd18a1faaafc00e1b2c20e061f42331a31f2f6822b30b51d360152e16
Instruction ID: 6a48cf500290cbfe024f60d9f8fa3e5acb2fed0f29f408aef03af8af8d2d1aa4
Opcode Fuzzy Hash: 14e06bfcd18a1faaafc00e1b2c20e061f42331a31f2f6822b30b51d360152e16
Instruction Fuzzy Hash: 434115B5028301AFE7209F25CC217A7B3E0AFC1714F10092EF5A552390DB79DDC98A1E

Function 0041A475 Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045EBC0,00419B91,00000000,?,00000000,00000000), ref: 0041A49F
GetFileAttributesW.KERNEL32(00000000), ref: 0041A4A6
GetLastError.KERNEL32 ref: 0041A4B3
Sleep.KERNEL32(00000064), ref: 0041A4C8
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045EBC0,00419B91,00000000,?,00000000,00000000), ref: 0041A4D1
GetFileAttributesA.KERNEL32(00000000), ref: 0041A4D8
GetLastError.KERNEL32 ref: 0041A4E5
Sleep.KERNEL32(00000064), ref: 0041A4FA
free.MSVCRT ref: 0041A503

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: 9713d0eb204f2a511566aa6d075d332d8e1a186ec528611af723e0883a3f4745
Instruction ID: f0aea9e426d4f49770c787e6b61ec6af62ac575cb635bed3fd537f80c1297bc8
Opcode Fuzzy Hash: 9713d0eb204f2a511566aa6d075d332d8e1a186ec528611af723e0883a3f4745
Instruction Fuzzy Hash: 3311063D5062107AC62137306D8D5BF3565879B379B110236EA23922D1DB2C0CE6512F

Function 00416DE5 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",0000000C,?,?,00000000,0040F92F,?,?,?,<item>), ref: 00416E1C
memcpy.MSVCRT(?,&,0000000A,?,?,00000000,0040F92F,?,?,?,<item>), ref: 00416E48
memcpy.MSVCRT(?,<,00000008,?,?,00000000,0040F92F,?,?,?,<item>), ref: 00416E62

Strings

<, xrefs: 00416DF9
>, xrefs: 00416E07
&, xrefs: 00416E42
°, xrefs: 00416E33
<br>, xrefs: 00416E5C
", xrefs: 00416E16

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: d67847fae3f197d59aa4d50c09892c40249a44cebd0e4ea6531cd0ad7979b3c5
Instruction ID: d80b0e8a1faee3cf81fd98aea7e87b5c7a6978c7cc7b6d64d1c3866e47b73bb9
Opcode Fuzzy Hash: d67847fae3f197d59aa4d50c09892c40249a44cebd0e4ea6531cd0ad7979b3c5
Instruction Fuzzy Hash: 940180BAE4472061E6312109CC42FF716599B63716FA3472BFD46252C6E18D89C781AF

Function 0041548C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00413909,00000000,00000000), ref: 004154C7
memset.MSVCRT ref: 00415529
memset.MSVCRT ref: 00415539

Part of subcall function 004153A6: wcscpy.MSVCRT ref: 004153CF

memset.MSVCRT ref: 00415624
wcscpy.MSVCRT ref: 00415645
CloseHandle.KERNEL32(?,9A,?,?,?,00413909,00000000,00000000), ref: 0041569B

Strings

9A, xrefs: 0041566E, 004155AF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID: 9A
API String ID: 3300951397-4291763745
Opcode ID: cb1afc34fd9e2d64f19af581a3b5eaedaf59f9c3ee057bb96672fc9edb01fa6c
Instruction ID: 195d0570f18187fafaf8b777caec24cc97833dc6dbb2a5a73c5ac716df796b0f
Opcode Fuzzy Hash: cb1afc34fd9e2d64f19af581a3b5eaedaf59f9c3ee057bb96672fc9edb01fa6c
Instruction Fuzzy Hash: 43511971508740EFD720DF25C888ADBBBE9FBC4344F400A2EF99982251DB75D944CBAA

Function 0040D5E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
wcscpy.MSVCRT ref: 0040D663

Part of subcall function 0040DAD4: memset.MSVCRT ref: 0040DAE7
Part of subcall function 0040DAD4: _itow.MSVCRT ref: 0040DAF5

wcslen.MSVCRT ref: 0040D681
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F
LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
memcpy.MSVCRT(00000000,00000002), ref: 0040D6FA

Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT(00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D57A
Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D598
Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D5B6
Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D5F0,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D5D4

Strings

strings, xrefs: 0040D659

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 83f2c4dafeecc99ee3eef0caec914b4911d667406a77c7368fe1af62c77103f1
Instruction ID: b1470fe84c434e0d92e5d9d764ba88a8e864f1e5bfb716432bcb129c57bfcb41
Opcode Fuzzy Hash: 83f2c4dafeecc99ee3eef0caec914b4911d667406a77c7368fe1af62c77103f1
Instruction Fuzzy Hash: 204160759003019BD71EDF9AED819263365F788306710087AE906972A3DF36EA89CB6D

Function 0040AA19 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AA3A
_snwprintf.MSVCRT ref: 0040AA6D
wcslen.MSVCRT ref: 0040AA79
memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040AA91
wcslen.MSVCRT ref: 0040AA9F
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040AAB2

Strings

%s (%s), xrefs: 0040AA62

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: c6bf2ed547002a79412dcf0007d59944c4ad18f5877495ef8b57a3994eba2edc
Instruction ID: b6d6d83be4212d1c483e19f60897e6584e32f0ecf7c368d7e799a2f76849004c
Opcode Fuzzy Hash: c6bf2ed547002a79412dcf0007d59944c4ad18f5877495ef8b57a3994eba2edc
Instruction Fuzzy Hash: 3C216FB2900218ABDF21EF55CD45D8AB7F8FF04358F058466E948AB102EB74EA18CFD5

Function 00406F91 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,004552B0,?,?,004116CB,?,General,?,00000000,00000001), ref: 00406FA9
FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 00406FBA
LoadResource.KERNEL32(00000000,00000000), ref: 00406FC8
SizeofResource.KERNEL32(?,00000000), ref: 00406FD8
LockResource.KERNEL32(00000000), ref: 00406FE1
memcpy.MSVCRT(00000000,00000000,00000000), ref: 00407011

Strings

BIN, xrefs: 00406FAF

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
String ID: BIN
API String ID: 1668488027-1015027815
Opcode ID: 0cc70d90eb5fe2022f84bb375c7f586452e31cf1ff3c5ba81afc9f946eb2bfa1
Instruction ID: d4af116c543dc71c648d7e8b177643e8ae674b9e270c37636f22300aa75b878c
Opcode Fuzzy Hash: 0cc70d90eb5fe2022f84bb375c7f586452e31cf1ff3c5ba81afc9f946eb2bfa1
Instruction Fuzzy Hash: 5F11C635C00225EBC7116BE2DC49DAFBE78FF85765F020836F811B2291DB385D158AA9

Function 0040DD46 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DD6B
GetDlgCtrlID.USER32(?), ref: 0040DD76
GetWindowTextW.USER32(?,?,00001000), ref: 0040DD8D
memset.MSVCRT ref: 0040DDB4
GetClassNameW.USER32(?,?,000000FF), ref: 0040DDCB
_wcsicmp.MSVCRT ref: 0040DDDD

Part of subcall function 0040DC1C: memset.MSVCRT ref: 0040DC2F
Part of subcall function 0040DC1C: _itow.MSVCRT ref: 0040DC3D

Strings

sysdatetimepick32, xrefs: 0040DDD7

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 8102298fea940e88dbedffba4a1eb78ca5cb1cc1c3ab67c0e4d17f8e38664f99
Instruction ID: 9b29a85ed4be641e65b10d3861343448fbe1dffed752f9636a38eeae2f61c522
Opcode Fuzzy Hash: 8102298fea940e88dbedffba4a1eb78ca5cb1cc1c3ab67c0e4d17f8e38664f99
Instruction Fuzzy Hash: 5F11CA329002197BEB14FB91CC49AEF77BCEF05350F004076F908D2092E7344A85CB59

Function 0041D730 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,00420EBE,00000000,00000000), ref: 0041D868
memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,00420EBE,00000000,00000000), ref: 0041D87A
memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,00420EBE,00000000,00000000), ref: 0041D892
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,00420EBE,00000000,00000000), ref: 0041D8AF
memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041D8C7
memset.MSVCRT ref: 0041D994

Strings

-journal, xrefs: 0041D88C
-wal, xrefs: 0041D8C1

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 7e1ec76c87b47a5a2be34a09444443ce7059d041aaa469940b1fe5e3b6163d17
Instruction ID: de08a271c8033e28d41d160dfbeb7eb0a582d0ed0f381ff02535cf89bb22e03f
Opcode Fuzzy Hash: 7e1ec76c87b47a5a2be34a09444443ce7059d041aaa469940b1fe5e3b6163d17
Instruction Fuzzy Hash: FFA1C1B1E04606AFDB14DF64C8417DEBBB0FF05314F14826EE46997382D738AA95CB98

Function 00407278 Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040731C
GetDlgItem.USER32(?,000003E9), ref: 0040732F
GetDlgItem.USER32(?,000003E9), ref: 00407344
GetDlgItem.USER32(?,000003E9), ref: 0040735C
EndDialog.USER32(?,00000002), ref: 00407378
EndDialog.USER32(?,00000001), ref: 0040738D

Part of subcall function 00407037: GetDlgItem.USER32(?,000003E9), ref: 00407044
Part of subcall function 00407037: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00407059

SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 004073A5
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004074B6

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 1b8c1b744b44118a1d00fc74b7d8bfeaf52c27222ffa2e36781ac251d1cb99c8
Instruction ID: 4d7fe854b84bffb36cdfb0f409f7702d3ffab78e9dfebf1b38e0a9661c8b6889
Opcode Fuzzy Hash: 1b8c1b744b44118a1d00fc74b7d8bfeaf52c27222ffa2e36781ac251d1cb99c8
Instruction Fuzzy Hash: 9261A330904B05ABEB31AF25C886A2BB7A5FF10314F00C63EFD01A66D1D778B955DB5A

Function 00446134 Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004461B4
_wcsicmp.MSVCRT ref: 004461C9
_wcsicmp.MSVCRT ref: 004461DE

Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DC5
Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DCF
Part of subcall function 00409DB6: _memicmp.MSVCRT ref: 00409DEA

Strings

http://, xrefs: 0044616B
signIn, xrefs: 004461D8
.save, xrefs: 004461AE
log profile, xrefs: 00446142
https://, xrefs: 00446176

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: c25681c330007c681027023b8fef3e46109c9436a99cce23058c3c7b6e338d58
Instruction ID: 5e484990e1fe59e7fa87e07e780c8912ce5a7b58b3c72e29c52105d59935e75b
Opcode Fuzzy Hash: c25681c330007c681027023b8fef3e46109c9436a99cce23058c3c7b6e338d58
Instruction Fuzzy Hash: 824119711043019AF7306A65984136777D4DB47326F22896FFC6BE26C3EABCE885451F

Function 004074C6 Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 004074D6
??3@YAXPAX@Z.MSVCRT(00000000), ref: 004074F2
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00407518
memset.MSVCRT ref: 00407528
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00407557
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 004075A4
SetFocus.USER32(?,?,?,?), ref: 004075AD
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004075BD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: e675ad0a266bc96670d571add91fa9578aec271a38db8ff1ba01c2f3931e097b
Instruction ID: aa93cf9892cb136432a885b6c040c00acd20fa1824247a7ddfcc4fe67478404c
Opcode Fuzzy Hash: e675ad0a266bc96670d571add91fa9578aec271a38db8ff1ba01c2f3931e097b
Instruction Fuzzy Hash: E031B0B1901201BFEB20AF29DD8591AB7A4FF04314B11853EF505E76A0D739EC80CBA5

Function 00407784 Relevance: 12.1, APIs: 8, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040779B
GetWindow.USER32(?,00000005), ref: 004077B3
GetWindow.USER32(00000000), ref: 004077B6

Part of subcall function 00401E4A: GetWindowRect.USER32(?,?), ref: 00401E59

GetWindow.USER32(00000000,00000002), ref: 004077C2
GetDlgItem.USER32(?,0000040C), ref: 004077D8
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00407817
GetDlgItem.USER32(?,0000040E), ref: 00407821
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00407870

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Window$ItemMessageRectSend$Client
String ID:
API String ID: 2047574939-0
Opcode ID: fe54eeb19441843d95fdd849ea5d8071feeb7e1862c97c4ad6b95fcb8b242d9a
Instruction ID: 2817ce33af67de4568897f7594256d54fbf45e6d9d619dfc684942712a2cffd5
Opcode Fuzzy Hash: fe54eeb19441843d95fdd849ea5d8071feeb7e1862c97c4ad6b95fcb8b242d9a
Instruction Fuzzy Hash: 11219576A4030877E6023B719C47FAF275CAB85718F11403AFE01771C2DABA6D1645AF

Function 00449D70 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 00449C90: memset.MSVCRT ref: 00449C9B
Part of subcall function 00449C90: memset.MSVCRT ref: 00449CAB
Part of subcall function 00449C90: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000020,?,00000000), ref: 00449D0D
Part of subcall function 00449C90: memcpy.MSVCRT(?,?,?,?,?,00000000,00000020,?,00000000), ref: 00449D5A

memcpy.MSVCRT(?,?,00000040), ref: 00449E6F
memcpy.MSVCRT(?,?,00000004,00000000), ref: 00449EBC
memcpy.MSVCRT(?,?,00000040), ref: 00449F38

Part of subcall function 004499A0: memcpy.MSVCRT(?,00449AD2,00000040,?,?,?,00449AD2,?,?,?,?,00449EEF,?,?,?,00000000), ref: 004499D2
Part of subcall function 004499A0: memcpy.MSVCRT(?,00449AD2,00000008,?,?,?,00449AD2,?,?,?,?,00449EEF,?,?,?,00000000), ref: 00449A1E

memcpy.MSVCRT(?,?,00000000), ref: 00449F88
memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449FC9
memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 00449FFA

Strings

gj, xrefs: 00449D89

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: gj
API String ID: 438689982-4203073231
Opcode ID: a1826e050d6e3d68a1f2c5dfa01eae9680517dde8f20abcfd8e35bf37672f032
Instruction ID: 3f3b464479e0d70e050848f60aaa72c5089d0acdf18e9fe99dc29a9aef4a41ed
Opcode Fuzzy Hash: a1826e050d6e3d68a1f2c5dfa01eae9680517dde8f20abcfd8e35bf37672f032
Instruction Fuzzy Hash: 6271B3B39083445BE310EF65D88099FB7E9ABD5348F050A2EF88997201E639DE09C797

Function 00407103 Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040711A
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00407133
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00407140
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0040714C
memset.MSVCRT ref: 004071B0
SendMessageW.USER32(?,0000105F,?,?), ref: 004071E5
SetFocus.USER32(?), ref: 0040726B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 591c16118d863813ab471e160c4fd565b0629bf706d474ce27cebc159554fed7
Instruction ID: e2e651f42ab0d4b7e7b6f1b53d2a0dc89a1afd109539422a1d010a9987f6e0ab
Opcode Fuzzy Hash: 591c16118d863813ab471e160c4fd565b0629bf706d474ce27cebc159554fed7
Instruction Fuzzy Hash: 8C415A74901219FBDB20DF95CC459AFBFB9FF04354F1040AAF508A6291D374AA80CBA5

Function 0040F56C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

wcscat.MSVCRT ref: 0040F63B
_snwprintf.MSVCRT ref: 0040F662

Strings

 , xrefs: 0040F635
<td bgcolor=#%s>%s, xrefs: 0040F58A
<td bgcolor=#%s nowrap>%s, xrefs: 0040F57C
<tr>, xrefs: 0040F594

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 4bae3b1c020fc46a540f34cadb4edddbf196e78b99bdfbdb6ab0bb772013daad
Instruction ID: e0f29f3203d759466a2a243950708939727ff8ca945fdb9ba1a968257c2252f6
Opcode Fuzzy Hash: 4bae3b1c020fc46a540f34cadb4edddbf196e78b99bdfbdb6ab0bb772013daad
Instruction Fuzzy Hash: 8A31A031A00208EFCF10AF54CC85ADE7B75FF05324F11417AE805AB2A2D739AD55DB94

Function 0040DC55 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040DC6B
memset.MSVCRT ref: 0040DC8A
GetMenuItemInfoW.USER32 ref: 0040DCC6
wcschr.MSVCRT ref: 0040DCDE

Strings

0, xrefs: 0040DCA5
6, xrefs: 0040DCAD

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 0aaec32fb9f4fe92eeae193f48d1b194cbc3028e5b72559f9307ee4a45127174
Instruction ID: 965894ef64f39c048953856348d1c0b0167852fc172e3142d5b86853f7cdf95d
Opcode Fuzzy Hash: 0aaec32fb9f4fe92eeae193f48d1b194cbc3028e5b72559f9307ee4a45127174
Instruction Fuzzy Hash: B521F471909300ABD720DF91C845A9FB7E8FF85754F04093FFA4492290E779CA44C79A

Function 0040523B Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 004053C0: GetLastError.KERNEL32(?,00000000,0040533E,?,?,?,00000000,00000000,?,00404787,?,?,00000060,00000000), ref: 004053D5

memset.MSVCRT ref: 00405271
memset.MSVCRT ref: 00405288
memset.MSVCRT ref: 0040529F
memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004052B4
memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004052C9

Strings

6, xrefs: 004052DF
\, xrefs: 004052D7

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$memcpy$ErrorLast
String ID: 6$\
API String ID: 404372293-1284684873
Opcode ID: a1a63dbf3b9459c821aff241a78b06548bfbfbca43745efa68bf068cdd8b3242
Instruction ID: 4d496e1acd8f7d0bb321dbc0636b4993eabad3a605fa072d2af56a88efec649e
Opcode Fuzzy Hash: a1a63dbf3b9459c821aff241a78b06548bfbfbca43745efa68bf068cdd8b3242
Instruction Fuzzy Hash: 7F2183B280121CBADF11AB99DC45EDF7BBCDF15344F0144A6F908E2152D2788F988F65

Function 0040A62B Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A647
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A673
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A688
wcscpy.MSVCRT ref: 0040A698
wcscat.MSVCRT ref: 0040A6A5
wcscat.MSVCRT ref: 0040A6B4
wcscpy.MSVCRT ref: 0040A6C6

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: b58d772f936a03b258490eb3cb21bdc86c123face1b49a42d628fdd75bcc1e61
Instruction ID: 0243e103d97181127624a16127823fe836f95e320959a325dc59fd852366c67f
Opcode Fuzzy Hash: b58d772f936a03b258490eb3cb21bdc86c123face1b49a42d628fdd75bcc1e61
Instruction Fuzzy Hash: 08118F72900108BFEB20AF90DD45EEB777CEB01744F144076F605A2050E6359E898BBB

Function 004075C7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00407670: FreeLibrary.KERNEL32(?,004075D1,00000000,00000000,?,0040B908,?,00000000,?), ref: 00407678

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(?,00000000), ref: 004075FC
GetProcAddress.KERNEL32(?,00000000), ref: 00407610
GetProcAddress.KERNEL32(?,00000000), ref: 00407623
GetProcAddress.KERNEL32(?,00000000), ref: 00407637
GetProcAddress.KERNEL32(?,00000000), ref: 0040764B

Strings

advapi32.dll, xrefs: 004075D1

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: advapi32.dll
API String ID: 2012295524-4050573280
Opcode ID: 33e7785ff47320705234322eea76ada849e33b817e3b8b7f6a9643b06ba54316
Instruction ID: b1f28a9f87d2897bb1716b12b8d83edd3b0eb137f397b03dff6d846beed85bc2
Opcode Fuzzy Hash: 33e7785ff47320705234322eea76ada849e33b817e3b8b7f6a9643b06ba54316
Instruction Fuzzy Hash: 13118FB0804B409EF6302F36DC0AE27BAB4DF40725F100D3FE082965E0DB79B854CA66

Function 0040A737 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A757
_snwprintf.MSVCRT ref: 0040A77E
wcscat.MSVCRT ref: 0040A790
wcscat.MSVCRT ref: 0040A7AD
wcscat.MSVCRT ref: 0040A7BC

Strings

%2.2X, xrefs: 0040A76D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: d8de8c6d683fe6c0a5c08c0a9bf4179f23b0233aed7098f39cd8b73d3a5c30e3
Instruction ID: 4776974aedcd9b8bea86e7681cb476536998a60eaa44b54f5b5777e80f521d0b
Opcode Fuzzy Hash: d8de8c6d683fe6c0a5c08c0a9bf4179f23b0233aed7098f39cd8b73d3a5c30e3
Instruction Fuzzy Hash: 29012872E003146AF73077159C86BBA33B8AB41B15F11803FFC54A61C2EA7CD9584A99

Function 0040FB6F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FB94
memset.MSVCRT ref: 0040FBA9
_snwprintf.MSVCRT ref: 0040FBF6

Strings

<?xml version="1.0" ?>, xrefs: 0040FBBB
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040FBC2
<%s>, xrefs: 0040FBE5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 6f2a1b8eab8695b849e3f90b76870ba262ffa8b6eec972095743b55347378454
Instruction ID: f89c52ae9f649753db215819e8a95a7ceddb9bde2180362b42a5fc979dbbd26a
Opcode Fuzzy Hash: 6f2a1b8eab8695b849e3f90b76870ba262ffa8b6eec972095743b55347378454
Instruction Fuzzy Hash: 66019BB1A002197AD720A759CC41FFE776CEF45748F1140BBBA08F3152D7389E598BA9

Function 004465D6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 004465EB
wcscat.MSVCRT ref: 004465FA
wcscat.MSVCRT ref: 0044660B
wcscat.MSVCRT ref: 0044661A
VerQueryValueW.VERSION(?,?,00000000,?), ref: 00446634

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT(?,?,000000FF,?,00446651,00000000,?,?,?,00000000,?), ref: 00409FA2

Part of subcall function 0040A04F: lstrcpyW.KERNEL32(?,?,00446659,?,?,?,00000000,?), ref: 0040A064
Part of subcall function 0040A04F: lstrlenW.KERNEL32(?), ref: 0040A06B

Strings

\StringFileInfo\, xrefs: 004465E5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: d4165d7f50266fa13a5b531a4f01ad866930043b5560520190855b71b76da5e1
Instruction ID: ad7517ef6bb7be25d6ac765d434d23ce8d777cc6758ad1086d9e8c390f57c567
Opcode Fuzzy Hash: d4165d7f50266fa13a5b531a4f01ad866930043b5560520190855b71b76da5e1
Instruction Fuzzy Hash: F3019A72A00209A6DB50AAA1CC06DDF77ACAB05304F0105BBB954E2013EE38DB869A5A

Function 0040DA84 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040DAA9
wcscpy.MSVCRT ref: 0040DACC

Strings

general, xrefs: 0040DAC2
strings, xrefs: 0040DAB7
menu_%d, xrefs: 0040DA8D
dialog_%d, xrefs: 0040DA9D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 2d27ce870dcdc0356c472e238f6887c9b469fb6313562511eb920d5e3df5e042
Instruction ID: 49826c5e287938e985e88a530ad471c797b7a96a0663e00b3f963554c3d6ef55
Opcode Fuzzy Hash: 2d27ce870dcdc0356c472e238f6887c9b469fb6313562511eb920d5e3df5e042
Instruction Fuzzy Hash: 5CE04F31F9D30071E82421D20D02B5A26608AA5B2AFB14867FD06B41E3E1BD859D5C0F

Function 0044632F Relevance: 10.2, APIs: 8, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044636A
memcpy.MSVCRT(?,0044F98C,0000000B,?,?,?,00000000,00000000,00000000), ref: 0044640E
memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00446420
memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00446448
memcpy.MSVCRT(?,0044F98C,0000000B), ref: 0044645A
memcpy.MSVCRT(?,00000001,00000008), ref: 0044646C
memcpy.MSVCRT(0044659A,?,00000008,?,?), ref: 004464BB
memset.MSVCRT ref: 00446509

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memchrmemset
String ID:
API String ID: 1581201632-0
Opcode ID: 4d233e4afd6ff29041f3c6f611680654f4aa68e75756faee7c9936c8c726fefb
Instruction ID: a6c008d970df26256353228000b1674c0094f59a7a9bfa7c7c5a6d2f045070f8
Opcode Fuzzy Hash: 4d233e4afd6ff29041f3c6f611680654f4aa68e75756faee7c9936c8c726fefb
Instruction Fuzzy Hash: 3A5106719002186BDF10EF64DC81EEEBBB9AF05304F05486BF555D3246E738EA44CBA5

Function 00404701 Relevance: 10.2, APIs: 8, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00404765

Part of subcall function 00404683: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 004046AF

memset.MSVCRT ref: 004047B1
memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 004047C4
memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 004047D7
memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 0040481D
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00404830
memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 0040485D
memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00404872

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memsetstrlen
String ID:
API String ID: 2350177629-0
Opcode ID: 85ae6cca462db74fc9d517c8532b09502b655fda8b3ede5b79185c6b0435583b
Instruction ID: d0b86a8e0b1ed09a54c1958bd2773174a4505737e3a5990953cddb4a85005ec9
Opcode Fuzzy Hash: 85ae6cca462db74fc9d517c8532b09502b655fda8b3ede5b79185c6b0435583b
Instruction Fuzzy Hash: 4351F3B290050DBEEB41DAE8CC41FDFB7BDAB09304F014475F708E6151E6759A498BA6

Function 0042CD1D Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042CD9C

Strings

ORDER, xrefs: 0042CF27
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042CFDF
8, xrefs: 0042CEB4
GROUP, xrefs: 0042CF59
a GROUP BY clause is required before HAVING, xrefs: 0042CFCB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: b08f1c7c1c784f11e339bc558d21b342480e82a29914c690e576521ecfd1ee8c
Instruction ID: 5991db5cdfe02a92001a53b2659b7cff3bc1ad689f245b1de322542099a0f38c
Opcode Fuzzy Hash: b08f1c7c1c784f11e339bc558d21b342480e82a29914c690e576521ecfd1ee8c
Instruction Fuzzy Hash: BE818D716083219FCB10CF15E48161FBBE1BF94314F95886FE88897292D378ED44CB9A

Function 0040C871 Relevance: 9.1, APIs: 6, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B7D1: free.MSVCRT ref: 0040B7D4
Part of subcall function 0040B7D1: free.MSVCRT ref: 0040B7DC

Part of subcall function 00416466: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00416C27,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,004148A8,?,?,00000000), ref: 00416479

Part of subcall function 0040AFF4: free.MSVCRT ref: 0040B003

memset.MSVCRT ref: 0040C8E7
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C915
_wcsupr.MSVCRT ref: 0040C92F

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF75

memset.MSVCRT ref: 0040C97E
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C9A9
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C9B6

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID:
API String ID: 4131475296-0
Opcode ID: d30ab4aae847c2bab66a724a932e69195760680e6f4ba13dddd40aab1fe6d2e6
Instruction ID: 00aa335d5cf85b89362f6a9aadfcc732b8efce75ac460415b761aff3ddc3b274
Opcode Fuzzy Hash: d30ab4aae847c2bab66a724a932e69195760680e6f4ba13dddd40aab1fe6d2e6
Instruction Fuzzy Hash: FA41EFB2D00119BBDB10EF95DC85AEFB7BCEF48304F10417AB514F6191D7749A448BA5

Function 0041A521 Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041A553
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041A561
free.MSVCRT ref: 0041A5A7

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: 3f26cb4930ba2ae58a9a28ad6dda560801c2adcc14f28edc482860ed1ce7c104
Instruction ID: 7395bd2a308086f3fd2d4c6b452b5aa1ac1e70db218c9d4fbfcd5f8a884c914b
Opcode Fuzzy Hash: 3f26cb4930ba2ae58a9a28ad6dda560801c2adcc14f28edc482860ed1ce7c104
Instruction Fuzzy Hash: B2110A7290A119FBDB21AFA48C809FF33AAEB45354B51013BF915E2284D6388DD5926F

Function 0041944C Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00419453
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00419471
malloc.MSVCRT ref: 0041947B
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00419492
free.MSVCRT ref: 0041949B
free.MSVCRT ref: 004194B9

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: fd694bdbf1a5288751afab5916eb464ac1068d8597691c81853ece6260929c55
Instruction ID: d2ec6eabaf1a5e80c3afeaedd941492bb30a106db416a89a7fee490f69d676c2
Opcode Fuzzy Hash: fd694bdbf1a5288751afab5916eb464ac1068d8597691c81853ece6260929c55
Instruction Fuzzy Hash: 5E01D472609125BBAB116AA59C01DEF379CDF463747210336FC15E3280EA28CD4242BD

Function 0041A0EE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00419CBA), ref: 0041A132
GetTempPathA.KERNEL32(000000E6,?,?,00419CBA), ref: 0041A15A
free.MSVCRT ref: 0041A182

Strings

%s\etilqs_, xrefs: 0041A1D9
etilqs_, xrefs: 0041A18A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: bab2ed1f527ee8a656d929be1b160a4a852a5d62a151918d7f1c5c0f436632ca
Instruction ID: 86187f938b98f06affb9dfa87fa418505d5dbd7a5a9bd49ee38ced054dacd9ce
Opcode Fuzzy Hash: bab2ed1f527ee8a656d929be1b160a4a852a5d62a151918d7f1c5c0f436632ca
Instruction Fuzzy Hash: 8E312831A092496AE725A765DC41BFF73A89B54308F1404BFE846C2283EF7C9EC5865E

Function 00411618 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411649

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

wcsrchr.MSVCRT ref: 00411667
wcscat.MSVCRT ref: 00411681

Strings

.cfg, xrefs: 0041167B
General, xrefs: 0041168B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: 05d865f8f1fbf1afa81b1740172245d7630aa72eb646d50dbed4ba79973170d9
Instruction ID: 118cea2e70e189b156e6f7c6b3a683fd49b902604a6a275d9fc0e819739e64fb
Opcode Fuzzy Hash: 05d865f8f1fbf1afa81b1740172245d7630aa72eb646d50dbed4ba79973170d9
Instruction Fuzzy Hash: E711933250121C6ADB10EF51CC85ACA7368BF54714F1404EBE908AB142D775ABD88B99

Function 0040F8D7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F90E

Part of subcall function 00416DE5: memcpy.MSVCRT(?,<,00000008,?,?,00000000,0040F92F,?,?,?,<item>), ref: 00416E62

Part of subcall function 0040F0F7: wcscpy.MSVCRT ref: 0040F0FC
Part of subcall function 0040F0F7: _wcslwr.MSVCRT ref: 0040F137

_snwprintf.MSVCRT ref: 0040F958

Strings

</item>, xrefs: 0040F974
<%s>%s</%s>, xrefs: 0040F94B
<item>, xrefs: 0040F8E1

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 795fdbf1178cbb4566f4ded2e51011bbdab7768b91a9f779536e95c46b73b6be
Instruction ID: e757c57b7439aa271c71178676e27b4ad6085045d172985a4d63abbb6152d9b4
Opcode Fuzzy Hash: 795fdbf1178cbb4566f4ded2e51011bbdab7768b91a9f779536e95c46b73b6be
Instruction Fuzzy Hash: D611C435600309BBDB21AF29CC82E997B25FF04708F10007AF90467A93C339F968DB88

Function 00416644 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00416653
wcscpy.MSVCRT ref: 0041666E
CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,004116BA,?,General,?,00000000,00000001), ref: 00416695
CloseHandle.KERNEL32(00000000), ref: 0041669C

Strings

General, xrefs: 00416668

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: ed3c1823b04d3e0c62bd7214a39938c8b74bf6441286b00033080fb2913483c2
Instruction ID: f01d66d13555934190104f6a09e645eb52914f374063e62784237bdfd735f1bc
Opcode Fuzzy Hash: ed3c1823b04d3e0c62bd7214a39938c8b74bf6441286b00033080fb2913483c2
Instruction Fuzzy Hash: 2CF059B3109300BFF7206B619C85EAB77DCDF40318F12883FF04891141CA398C94866E

Function 0040DBA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DBC8
GetPrivateProfileStringW.KERNEL32(0045E668,?,0044F4CC,?,00001000,0045E458), ref: 0040DBF0
WritePrivateProfileStringW.KERNEL32(0045E668,?,?,0045E458), ref: 0040DC12

Strings

XE, xrefs: 0040DBD0
hE, xrefs: 0040DBEA

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Writememset
String ID: XE$hE
API String ID: 747731527-2175974288
Opcode ID: ede71be8cfb000d6f647e9b079099f0124216ddcdab21ee2ea2fb028081f9ff6
Instruction ID: 3f24a6620cd36916ca3736dea7931fee652e2a6ad1dc5343ab1a7f2c6f25142e
Opcode Fuzzy Hash: ede71be8cfb000d6f647e9b079099f0124216ddcdab21ee2ea2fb028081f9ff6
Instruction Fuzzy Hash: 81F06836950354FAFB115B51CC4DFCB3B68EB55755F004076FB04A1182D7B88A48C6AD

Function 00409CFB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,004101B0,00000000,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 00409D0F
_snwprintf.MSVCRT ref: 00409D3C
MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409D55

Strings

Error, xrefs: 00409D46
Error %d: %s, xrefs: 00409D2B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: e1fdb32dfef422dff48cb9ab629eed33cb04251586a29e7e9f8c167c9a74f7e6
Instruction ID: d9c3214ff741d8e793b5fb5d5340e1d373de9dbbbbb1b4938000c24ebbed5cab
Opcode Fuzzy Hash: e1fdb32dfef422dff48cb9ab629eed33cb04251586a29e7e9f8c167c9a74f7e6
Instruction Fuzzy Hash: BFF0277A51020867DB11A794CC02FDA73ACAB45796F0400BBB944A2141DAB89E488E68

Function 00437897 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

oid, xrefs: 00437961
foreign key constraint failed, xrefs: 00437B37
new, xrefs: 00437925
old, xrefs: 0043791B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 78d1a63a5ea67a9e42337c47af4419ff18a1c500e7b5e2e5722190ef6454fa26
Instruction ID: 80b6a815d8446b075644860295f848db11862a5b470e777900e0cbaee52b5eda
Opcode Fuzzy Hash: 78d1a63a5ea67a9e42337c47af4419ff18a1c500e7b5e2e5722190ef6454fa26
Instruction Fuzzy Hash: 50E19FB1E04209AFDB14DFA5D881AEEBBB5FF48304F10842EE805AB351DB799A41CB55

Function 004350BF Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 334COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004350D4
memset.MSVCRT ref: 004351CD

Strings

rows deleted, xrefs: 00435438
VtC, xrefs: 00435217, 004351B9, 00435239, 0043524C, 004352CD, 0043535C, 00435399
VtC, xrefs: 0043544D, 004350F6, 00435167, 004351D2, 004352AB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset
String ID: VtC$VtC$rows deleted
API String ID: 2221118986-3271433201
Opcode ID: 285e4370a89cc5d60ce435c08b76b458e0c9e97a2273653d553d833e96bb1a07
Instruction ID: 8eee3fd8308e863b15c20577b933f05ddeb2eec06ba64818cf6e3fd673dab534
Opcode Fuzzy Hash: 285e4370a89cc5d60ce435c08b76b458e0c9e97a2273653d553d833e96bb1a07
Instruction Fuzzy Hash: 70C1C071E00618ABDF21DF95CC42B9FBBB1EF48314F14105AF904AB282D779AE50DB99

Function 0043355E Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?), ref: 0043365E
memcpy.MSVCRT(?,?,00000000), ref: 00433775

Strings

foreign key on %s should reference only one column of table %T, xrefs: 004335BA
unknown column "%s" in foreign key definition, xrefs: 00433745
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004335E2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: e4adabbe1decd632362e132ce6bab9d224831924daf4b8fb608a03f475e217cd
Instruction ID: fb1fd52c892a386ff9235e04c27833661dd88198db5bdd6c779901d429b6f073
Opcode Fuzzy Hash: e4adabbe1decd632362e132ce6bab9d224831924daf4b8fb608a03f475e217cd
Instruction Fuzzy Hash: C6914EB5A0020ADFCB10DF59C581A9EBBF1FF48315F14815AE805AB352DB35EA41CF99

Function 00411224 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411246

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT(00000000,00000002), ref: 0040D6FA

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

Part of subcall function 0040AA19: memset.MSVCRT ref: 0040AA3A
Part of subcall function 0040AA19: _snwprintf.MSVCRT ref: 0040AA6D
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA79
Part of subcall function 0040AA19: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040AA91
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA9F
Part of subcall function 0040AA19: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040AAB2

Part of subcall function 0040A838: GetSaveFileNameW.COMDLG32(?), ref: 0040A887
Part of subcall function 0040A838: wcscpy.MSVCRT ref: 0040A89E

Strings

*.htm;*.html, xrefs: 004112AC
*.csv, xrefs: 00411297
txt, xrefs: 0041124B
*.txt, xrefs: 00411268

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$txt
API String ID: 1392923015-2111886889
Opcode ID: aafac17d9ad648619bbc2820d08f5d6f77f7253f9c21e5715a78e07660b7453b
Instruction ID: 21c56e8af235b710a4191330bbdd055b03883b3d4342fd00990d051e634670c5
Opcode Fuzzy Hash: aafac17d9ad648619bbc2820d08f5d6f77f7253f9c21e5715a78e07660b7453b
Instruction Fuzzy Hash: FE31FDB1D00258ABDB00EFE5DC816DDBBB8FB44318F20407BE945BB281DB389A458B59

Function 00449C90 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00449C9B
memset.MSVCRT ref: 00449CAB
memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000020,?,00000000), ref: 00449D0D
memcpy.MSVCRT(?,?,?,?,?,00000000,00000020,?,00000000), ref: 00449D5A

Strings

gj, xrefs: 00449CB0

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: gj
API String ID: 1297977491-4203073231
Opcode ID: bc066ce618c8efd45368092d21e9600cda6cc543f99e188020d63ac60b6c492b
Instruction ID: 1e6fb78b96cc295ab1e64a1d2520aab5d7b4c62cf2bfa8bfbbde786d8273fed9
Opcode Fuzzy Hash: bc066ce618c8efd45368092d21e9600cda6cc543f99e188020d63ac60b6c492b
Instruction Fuzzy Hash: D3212CF37003405BE724AA79CC81A5B779D9FCA318F06481EF6468B342E57EDA05C725

Function 0040B7F7 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B804
free.MSVCRT ref: 0040B827

Part of subcall function 00409FB3: malloc.MSVCRT ref: 00409FCF
Part of subcall function 00409FB3: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FE7
Part of subcall function 00409FB3: free.MSVCRT ref: 00409FF0

free.MSVCRT ref: 0040B84A
memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,6n@,00406D1D,6n@,00000000,?,?,00406E36,00000000), ref: 0040B86E

Strings

6n@, xrefs: 0040B7F7

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID: 6n@
API String ID: 726966127-1376077705
Opcode ID: 9c7b5ed43217881e54566e3aaae3d088c30ddfe0133c3a6c6c6cf896538b121f
Instruction ID: 2a297e2a749568a602d4fdd98617bb0f2def5a372598a852c8599cd2a9d3c103
Opcode Fuzzy Hash: 9c7b5ed43217881e54566e3aaae3d088c30ddfe0133c3a6c6c6cf896538b121f
Instruction Fuzzy Hash: 1E21C372500704EFD730EF18C881C9AB7F9EF453247108A2EF852976A1C735B905CB98

Function 0040E482 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E428
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E436
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E447
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E45E
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E467

??3@YAXPAX@Z.MSVCRT(?,?,004117F5,00000000,?,004122B3,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E49D
??3@YAXPAX@Z.MSVCRT(?,?,004117F5,00000000,?,004122B3,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E4B0
??3@YAXPAX@Z.MSVCRT(?,?,004117F5,00000000,?,004122B3,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E4C3
??3@YAXPAX@Z.MSVCRT(?,?,004117F5,00000000,?,004122B3,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E4D6
free.MSVCRT ref: 0040E50F

Part of subcall function 0040B02A: free.MSVCRT ref: 0040B031

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fa52488197fdfc127ac9ce96ddf417577be6c4487586e28702ed92ce05cb8b53
Instruction ID: 42ba5fb2483a06204b9652fd9eb83631712146579ad8a5126b95c8e5bf80326c
Opcode Fuzzy Hash: fa52488197fdfc127ac9ce96ddf417577be6c4487586e28702ed92ce05cb8b53
Instruction Fuzzy Hash: 0E018E326029305BCA357B2B944142FB394FE95B2431A497FF8157B282DF3CAC5186EE

Function 004193E6 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 004193EE
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0041940E
malloc.MSVCRT ref: 00419414
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00419432
free.MSVCRT ref: 0041943B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 2ce22bffb2f624be5e4887deef8eb2f5bb9639764511aad977b4a3fe63ad4965
Instruction ID: 2534f474cf9bcd12f65d63d56baaca5d61982f7a50fdf52695ea10ed44cee065
Opcode Fuzzy Hash: 2ce22bffb2f624be5e4887deef8eb2f5bb9639764511aad977b4a3fe63ad4965
Instruction Fuzzy Hash: A40181B150411CBEAB115BA5DC84CBF7BACEA453EC720427AF414E2190D6344E4196B5

Function 0040D8EF Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040D901
GetWindowRect.USER32(?,?), ref: 0040D90E
GetClientRect.USER32(00000000,?), ref: 0040D919
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D929
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D945

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: d02ceeb989c3102075357568c0cbbbc984dee6c70047c108da9a167d24dee429
Instruction ID: 0a594369ed784f6632fdda1da01060cc62096c5628082a149af8216bf0db4298
Opcode Fuzzy Hash: d02ceeb989c3102075357568c0cbbbc984dee6c70047c108da9a167d24dee429
Instruction Fuzzy Hash: D3018C3A801029BBDB119BA59C49EFFBFBCEF46710F00402AF901E2090D7789506CBA4

Function 0044653E Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00414948,?,?,?,?,00000104), ref: 00446555
??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 00446569
memset.MSVCRT ref: 00446578

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0044659B

Part of subcall function 0044632F: memchr.MSVCRT ref: 0044636A
Part of subcall function 0044632F: memcpy.MSVCRT(?,0044F98C,0000000B,?,?,?,00000000,00000000,00000000), ref: 0044640E
Part of subcall function 0044632F: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00446420
Part of subcall function 0044632F: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00446448

CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004465A2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: b10e60e63540a25e64c8f52e86f8898149edc7e427002224bebf473f2803b541
Instruction ID: b0bb4d93dabac42749b0baec13122cd485f3faf15da61d3af90c3903c02b6b6c
Opcode Fuzzy Hash: b10e60e63540a25e64c8f52e86f8898149edc7e427002224bebf473f2803b541
Instruction Fuzzy Hash: 99F0F6725012107AE6207732AC89E5B7B9CDFD7375F12483FF916911D3EA388804817A

Function 0040E41C Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E428
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E436
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E447
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E45E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040E654,?,?,?,004036B0,?,?,004121F5,00000000,00000000,?,00000000), ref: 0040E467

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 5e31a971ce0e90ae997dd929e40599bb8b987aa99a7b75be807bbe98793c0777
Instruction ID: 5bcbd1bb2dbe542c664d49e0b1e478a6f9f39dce4da0d1c56c0f2abaad1a289c
Opcode Fuzzy Hash: 5e31a971ce0e90ae997dd929e40599bb8b987aa99a7b75be807bbe98793c0777
Instruction Fuzzy Hash: A4F0EC726057019BDB30AF6BA4C041BB7E9AF593147658C3FF049D2641CB38A8504A19

Function 00406CF9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040B7F7: wcslen.MSVCRT ref: 0040B804
Part of subcall function 0040B7F7: free.MSVCRT ref: 0040B827
Part of subcall function 0040B7F7: free.MSVCRT ref: 0040B84A
Part of subcall function 0040B7F7: memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,6n@,00406D1D,6n@,00000000,?,?,00406E36,00000000), ref: 0040B86E

memset.MSVCRT ref: 00406D33
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000FFF,00000000,00000000,00406E36,00000000,-00000002,0040702A,00000000), ref: 00406D4C

Part of subcall function 0040B6F7: strlen.MSVCRT ref: 0040B6FE
Part of subcall function 0040B6F7: free.MSVCRT ref: 0040B721
Part of subcall function 0040B6F7: free.MSVCRT ref: 0040B752
Part of subcall function 0040B6F7: memcpy.MSVCRT(00000000,?,00000000,00000000,00406D5E,?), ref: 0040B77F

free.MSVCRT ref: 00406D73

Strings

6n@, xrefs: 00406D0D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$memcpy$ByteCharMultiWidememsetstrlenwcslen
String ID: 6n@
API String ID: 832090674-1376077705
Opcode ID: 54479ce15e440bb149d53c2abbc7b093be4f2da72d99af89ca78a096c42e0ab3
Instruction ID: ecbed58b480fc252fdf2742d1a2ea52a83645ae883cc2f402a8ff7b73a586809
Opcode Fuzzy Hash: 54479ce15e440bb149d53c2abbc7b093be4f2da72d99af89ca78a096c42e0ab3
Instruction Fuzzy Hash: 0D219371904258BFDB209B59EC40CA937ACEB46329F11807BF855A7393D734DD448BA8

Function 0040FC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FC3A
memset.MSVCRT ref: 0040FC51

Part of subcall function 0040F0F7: wcscpy.MSVCRT ref: 0040F0FC
Part of subcall function 0040F0F7: _wcslwr.MSVCRT ref: 0040F137

_snwprintf.MSVCRT ref: 0040FC80

Strings

</%s>, xrefs: 0040FC6F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 127f91db7fa9967f18098fe8fb428d38ade9bf4ee3e8a23e6577a73e3d6a66d9
Instruction ID: 220adabbb6dc37e078a4cbf870aa6778b0d4aa36b0e6c53f25afcd46a8fb6da8
Opcode Fuzzy Hash: 127f91db7fa9967f18098fe8fb428d38ade9bf4ee3e8a23e6577a73e3d6a66d9
Instruction Fuzzy Hash: ED018BB3D4021566D720B755CC45FEA776CAF45708F0100B6BB08B7182D7789A558AA9

Function 0040DA01 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DA3B
SetWindowTextW.USER32(?,?), ref: 0040DA6B
EnumChildWindows.USER32(?,Function_0000D9A3,00000000), ref: 0040DA7B

Strings

caption, xrefs: 0040DA50

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 4d4bf3293b7fefa2b3ab9066dfd798a39334cfedb85569feeb9d9acd745ef1c9
Instruction ID: d45ce5b55de9e56b0e3606efc23fee37021493b8ccd152581ff18ec388878a93
Opcode Fuzzy Hash: 4d4bf3293b7fefa2b3ab9066dfd798a39334cfedb85569feeb9d9acd745ef1c9
Instruction Fuzzy Hash: C2F0C876E40314AAFB246B95DC4EBCA336C9B05715F1100B2FE04B61D2D7B8EE48CA9C

Function 0040174F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A1BC: memset.MSVCRT ref: 0040A1C6
Part of subcall function 0040A1BC: wcscpy.MSVCRT ref: 0040A206

CreateFontIndirectW.GDI32(?), ref: 0040176E
SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040178D
SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 004017AB

Strings

MS Sans Serif, xrefs: 0040175A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 5a950ce4a8f62aae84bef4ee5eac7b078e3a2a1a80d89d7679ccc58871670326
Instruction ID: c4faab8ea403b72454229b7d8bee71ac123bd04467b8ab2dfae6cb72e56ca799
Opcode Fuzzy Hash: 5a950ce4a8f62aae84bef4ee5eac7b078e3a2a1a80d89d7679ccc58871670326
Instruction Fuzzy Hash: 15F08275A5030877E731ABA0DC46F8A77BDB784B01F004939F721BA1D1D7F4A189C698

Function 0040A33E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A35D
GetClassNameW.USER32(?,00000000,000000FF), ref: 0040A374
_wcsicmp.MSVCRT ref: 0040A386

Strings

edit, xrefs: 0040A380

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 100da318b6eef65e8fb27ecc8cf20afda242377d63b4814d6acd95be43c53634
Instruction ID: 615f9df5883ac46bac081f077562738f5b314669235998c993cfb201dc9db725
Opcode Fuzzy Hash: 100da318b6eef65e8fb27ecc8cf20afda242377d63b4814d6acd95be43c53634
Instruction Fuzzy Hash: 17E0927298030E6AFB10ABA0DC4AFA937ACAB00704F1001B5AA15E10C3E77496494A95

Function 0041738A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(0045EB90,00000001,00000000), ref: 00417394
InitializeCriticalSection.KERNEL32(0045EAE8), ref: 004173A4
Sleep.KERNEL32(00000001), ref: 004173C3

Strings

E, xrefs: 0041739E

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CompareCriticalExchangeInitializeInterlockedSectionSleep
String ID: E
API String ID: 4144454223-2089609516
Opcode ID: e6fbb2d3d1c0865c93e4ca0e00724d4cc99f07dafa5266e25547b3f1b449e72a
Instruction ID: fc88e8258406b36d4da82e75fe45474a615d48495b5640232e67b615d5a4112a
Opcode Fuzzy Hash: e6fbb2d3d1c0865c93e4ca0e00724d4cc99f07dafa5266e25547b3f1b449e72a
Instruction Fuzzy Hash: 92E04F359492249BEB249B736C087CB3E24AB41703F020037FD19E5553C3A84DC4D6DE

Function 0040489A Relevance: 6.4, APIs: 5, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,00000000,00000000,00000000,?), ref: 004048BB
memcmp.MSVCRT(?,?,00000010,00404E88,00000014,?,0000012F,0000011F,00000010,?,00000000,00000000,?), ref: 0040491E

Part of subcall function 00404701: strlen.MSVCRT ref: 00404765
Part of subcall function 00404701: memset.MSVCRT ref: 004047B1
Part of subcall function 00404701: memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 004047C4
Part of subcall function 00404701: memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 004047D7

memcmp.MSVCRT(?,?,00000010,00404E88,00000014,0000011F,00000010,?,00000000,00000000,?), ref: 0040494C
memset.MSVCRT ref: 0040496B
memcpy.MSVCRT(-00000244,?,00000018,00000001,00000268,00000368,00000020,?,?,?,?,00000000,00000000,?), ref: 004049CB

Part of subcall function 004045A7: strlen.MSVCRT ref: 00404601

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memcmpmemsetstrlen$strcpy
String ID:
API String ID: 1095719737-0
Opcode ID: 74240cb5f961abd085359b0634ca8e8dff2a69e9ecdb28326ef061e22fa89259
Instruction ID: 9ce700d3882f5f923fbb2479c9cfede1bda771696aaf60353e7394d058dfcfd5
Opcode Fuzzy Hash: 74240cb5f961abd085359b0634ca8e8dff2a69e9ecdb28326ef061e22fa89259
Instruction Fuzzy Hash: 693165B190070DBEEB20DAB0CC45EDFB7BCEB49304F00443AE655A6181E776AA498B65

Function 0041F7EB Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041F7FE
memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041F814
memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041F823
memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041F86B
memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F886

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: 37284c2f66642d2ddd48264b57aea92c17a23a416b39e5917ac6500f9f335e0f
Instruction ID: eba548dffeb7cbb86d277e9e8be7ea604d675ef8a9d9add480594eb241d03b37
Opcode Fuzzy Hash: 37284c2f66642d2ddd48264b57aea92c17a23a416b39e5917ac6500f9f335e0f
Instruction Fuzzy Hash: 9D217F76E10208ABDB14EBA6D841EDF73ECAF44704F14482AF516D7181EB38E649C665

Function 00412577 Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412596
memset.MSVCRT ref: 004125AC
memset.MSVCRT ref: 004125BE
memcpy.MSVCRT(?,0044659A,00000010,;dD,?,0044F98C), ref: 004125E3
memset.MSVCRT ref: 004125ED

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 080f722c0ffb7d8c385f632dd20dccb4c50922f07ff88e280dd473830913b811
Instruction ID: a4c7653764e20342dfd6e83a4be63b5372cd9455a0b84470ab9be2deaa940da2
Opcode Fuzzy Hash: 080f722c0ffb7d8c385f632dd20dccb4c50922f07ff88e280dd473830913b811
Instruction Fuzzy Hash: B30128B1A80B007AE3357B35CC43F6A73A4AB91714F010A1EF252966C2DBA8A244817E

Function 004108E2 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004020E9: GetMenu.USER32(?), ref: 00402107
Part of subcall function 004020E9: GetSubMenu.USER32(00000000), ref: 0040210E
Part of subcall function 004020E9: EnableMenuItem.USER32(?,?,00000000), ref: 00402126

Part of subcall function 00402130: SendMessageW.USER32(?,00000412,?,00000000), ref: 00402147
Part of subcall function 00402130: SendMessageW.USER32(?,00000411,?,?), ref: 0040216B

GetMenu.USER32(?), ref: 00410AD4
GetSubMenu.USER32(00000000), ref: 00410AE1
GetSubMenu.USER32(00000000), ref: 00410AE4
CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410AF0

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Menu$ItemMessageSend$CheckEnableRadio
String ID:
API String ID: 1889144086-0
Opcode ID: b29996890921790c89765a35e80ffc15c9887586477020220e0e376b9c9daa8c
Instruction ID: 6d8cac7b40754edf87d272c1bfb0116240dcbcd3534315d38a6e00175b30c6d6
Opcode Fuzzy Hash: b29996890921790c89765a35e80ffc15c9887586477020220e0e376b9c9daa8c
Instruction Fuzzy Hash: FD518670A40304BBEB209B66CD4AF9FBBF9EB84704F10046DB245772E2C6B56D91D754

Function 00419F2C Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 0041A00F
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 0041A03A
GetLastError.KERNEL32 ref: 0041A061
CloseHandle.KERNEL32(00000000), ref: 0041A077

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: 4d39a1befb4b444ca1625393fd6a5d283320a0bed10b0f3eee81afd0bc35f62a
Instruction ID: 44d3c2b2ec300ebaed5fc3dda4e0471611584753ac233c2b16f5379b4c7cc4bc
Opcode Fuzzy Hash: 4d39a1befb4b444ca1625393fd6a5d283320a0bed10b0f3eee81afd0bc35f62a
Instruction Fuzzy Hash: C4515A752053029FD724CF25C980AA7BBE5FF88305F10492EF88687651E734ED98CB9A

Function 00430AD1 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00417A12: memset.MSVCRT ref: 00417A2C

memcpy.MSVCRT(?,?,?), ref: 00430BB9

Strings

sqlite_altertab_%s, xrefs: 00430B8A
virtual tables may not be altered, xrefs: 00430B10
Cannot add a column to a view, xrefs: 00430B26

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 275910ba7e0f0c96ad37673a583fd695216ffdde9dc2204ffc985ed4bb567882
Instruction ID: 72999ff3d0cfdfb5e9367ee4ed3faa0f46e6dce2196ea4cba2caab35ae0537ad
Opcode Fuzzy Hash: 275910ba7e0f0c96ad37673a583fd695216ffdde9dc2204ffc985ed4bb567882
Instruction Fuzzy Hash: 80418E71A00205EFCB08DF59C881A99B7F0FF08314F25966AE848AB352D779ED50CB88

Function 00406900 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406947

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT(00000000,00000002), ref: 0040D6FA

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

Part of subcall function 0040AA19: memset.MSVCRT ref: 0040AA3A
Part of subcall function 0040AA19: _snwprintf.MSVCRT ref: 0040AA6D
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA79
Part of subcall function 0040AA19: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040AA91
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA9F
Part of subcall function 0040AA19: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040AAB2

Part of subcall function 0040A7D1: GetOpenFileNameW.COMDLG32(?), ref: 0040A81A
Part of subcall function 0040A7D1: wcscpy.MSVCRT ref: 0040A828

Strings

*.*, xrefs: 00406988
dat, xrefs: 0040694C
x=E, xrefs: 0040696D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$x=E
API String ID: 3589925243-2636922731
Opcode ID: 5b1c68347a222ffadd2cfbfa5b6b642c86afeb0b6d325ee6a9cca5e14e506a85
Instruction ID: d7f72c37b5c0960b3a93de2d3de2f44bd36794eda0f7d1f606609bc45afe3b75
Opcode Fuzzy Hash: 5b1c68347a222ffadd2cfbfa5b6b642c86afeb0b6d325ee6a9cca5e14e506a85
Instruction Fuzzy Hash: DF418671A00205AFDB04FF61DD46A9E77B9FF00318F11C02BF906A71D1EB79A9958B84

Function 0041078D Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040E814: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,0041079D,?), ref: 0040E835
Part of subcall function 0040E814: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,0041079D,?), ref: 0040E8FC

wcslen.MSVCRT ref: 004107BB
_wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 004107C7
_wcsicmp.MSVCRT ref: 00410815
_wcsicmp.MSVCRT ref: 00410826

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 521bfcc9bad965401c26efa2b72ae5d9106d53d3b49f8bb5091054076f9510e0
Instruction ID: be044668a024ec5caeb14a2b8b02c3aaa195db98e278daf5b9384581b1cfce75
Opcode Fuzzy Hash: 521bfcc9bad965401c26efa2b72ae5d9106d53d3b49f8bb5091054076f9510e0
Instruction Fuzzy Hash: 08418B31900308EFCB61EF5AC980AD9BBB4EF48315F1144AAEC15DB356D678DAC0CB99

Function 00414F42 Relevance: 6.1, APIs: 4, Instructions: 100timeCOMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(00000000,?,?), ref: 00414F68

Part of subcall function 0040AD10: _snwprintf.MSVCRT ref: 0040AD6A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00414FB9
free.MSVCRT ref: 00415030
memcpy.MSVCRT(?,?,00001E38,?,?), ref: 00415063

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Time$CreateFileGuidSystem_snwprintffreememcpy
String ID:
API String ID: 2968200804-0
Opcode ID: 2f9ba14a2f8dc736bd715059495414ae64c87d84619f28dbac8dd1c6da2f391f
Instruction ID: 25fc22cfe4b5cde183837428320e4c1379d013834ecb010c5ec9b74078343e2e
Opcode Fuzzy Hash: 2f9ba14a2f8dc736bd715059495414ae64c87d84619f28dbac8dd1c6da2f391f
Instruction Fuzzy Hash: 6E317A72D00619ABCF01EF55C8809DEB7B8AF88314F164276EC14FB241E738AE558BE5

Function 00411B65 Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411BA4

Part of subcall function 0040A6D5: ShellExecuteW.SHELL32(?,open,?,0044F4CC,0044F4CC,00000005), ref: 0040A6EB

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 00411C14
GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 00411C2E
GetKeyState.USER32(00000010), ref: 00411C5A

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: 110857cfc2ea4ecf3d2e2f0a099ce967012f78d6f618a689b674ba793c676c63
Instruction ID: ebbdbb9de51bfb825555d7e990b9e0e06ff93dbce945c066a165325672d84fca
Opcode Fuzzy Hash: 110857cfc2ea4ecf3d2e2f0a099ce967012f78d6f618a689b674ba793c676c63
Instruction Fuzzy Hash: 1241D030640305DFDB309F25C888B9673B4AB50329F10857AEA699B2E2D778AD85CB58

Function 0040F041 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F09A
memcpy.MSVCRT(00000000,?,00000001,+>@,00000000,00001E38,?,?,?,00403E2B), ref: 0040F0AC
memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F0DF

Strings

+>@, xrefs: 0040F0BC, 0040F059

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$free
String ID: +>@
API String ID: 2888793982-4232063742
Opcode ID: 80fa03900417df2a92a9176d47486ea1bc487edf58bdf5f2f086700b407fb3cc
Instruction ID: a4b117dcc49df0d4677d1a1554444a6f58dddbe622eac26ef29304aa8a98fb1c
Opcode Fuzzy Hash: 80fa03900417df2a92a9176d47486ea1bc487edf58bdf5f2f086700b407fb3cc
Instruction Fuzzy Hash: 25219030A00605EFCB20EF29CA4185ABBF6FF44314720467EE852E3B92E735EE519B55

Function 004124D9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040,00000001,0044F98C,?,?,00412D17,?,0044F98C), ref: 0041251C
memcpy.MSVCRT(?,?,00000040,00000001,0044F98C,?,?,00412D17,?,0044F98C), ref: 00412546
memcpy.MSVCRT(?,?,00000013,00000001,0044F98C,?,?,00412D17,?,0044F98C), ref: 0041256A

Strings

@, xrefs: 00412558

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 1a8ca5cada9ad0e9eb845eafeefd174272e9607b940f064bebe2dc7a1e42d05d
Instruction ID: e394cabee66379c814482ce599a1792370699005e64803ab7b2efeceeecbd966
Opcode Fuzzy Hash: 1a8ca5cada9ad0e9eb845eafeefd174272e9607b940f064bebe2dc7a1e42d05d
Instruction Fuzzy Hash: B9113BB25003047FCB289F25D9C0CAA77AAFF50344701062EF906C6252E674DFA586E9

Function 0040B4F8 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401C27,?,?,?,?,00458788,0000000C), ref: 0040B52D
memset.MSVCRT ref: 0040B53E
memcpy.MSVCRT(0045B474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401C27,?,?,?,?,00458788,0000000C), ref: 0040B54A
??3@YAXPAX@Z.MSVCRT ref: 0040B557

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: f0960726fd40cdc9ae45f90f762857dd8f0b7d200d88f073f2e85c6963b5fa7f
Instruction ID: aafbb257eb0cb79d1a62da41bbc700b7fe6572c6948dd35e3e17e6ab681315f4
Opcode Fuzzy Hash: f0960726fd40cdc9ae45f90f762857dd8f0b7d200d88f073f2e85c6963b5fa7f
Instruction Fuzzy Hash: 16118C71604601AFD328DF1DC891E26F7E5EFD9304B25892EE49A97381DB35E801CB68

Function 0041638F Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004163BB

Part of subcall function 0040A912: _snwprintf.MSVCRT ref: 0040A957
Part of subcall function 0040A912: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A967

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 004163E4
memset.MSVCRT ref: 004163EE
GetPrivateProfileStringW.KERNEL32(?,?,0044F4CC,?,00002000,?), ref: 00416410

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: fd369af08461e68e8af29ce9eb542014cb5cfd53075e89779255da270f569b26
Instruction ID: f3ab12530ca15f18597a66c6933a9b69f611745656a43028b292f8596be22397
Opcode Fuzzy Hash: fd369af08461e68e8af29ce9eb542014cb5cfd53075e89779255da270f569b26
Instruction Fuzzy Hash: 7C118EB2600219AFDF11AF65EC02EDE3B69EF05704F11006AFB05F2061E6359E648BAD

Function 00416CF0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00416D00
SHBrowseForFolderW.SHELL32(?), ref: 00416D32
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00416D46
wcscpy.MSVCRT ref: 00416D59

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 6a246380b1c5f8880238d42239ebf0d3dc96a60f32716ef5ab3fc8f08e63b26a
Instruction ID: e53360a3a95c928778c5eecace91b7a860d411a781c8edf1bb59ff18ee2a4c16
Opcode Fuzzy Hash: 6a246380b1c5f8880238d42239ebf0d3dc96a60f32716ef5ab3fc8f08e63b26a
Instruction Fuzzy Hash: AC11EC75A00208AFDB10DFA5D9889EEB7F8FB49304F10446AE505E7200DB38DB45CB65

Function 00431D8F Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 00431DCA
memset.MSVCRT ref: 00431DD4
memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,00000000,?,00000000,00000068,?,?,00000068), ref: 00431DFF

Strings

sqlite_master, xrefs: 00431DA2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: 50ce9bdbcbbafd13e081e20970f75e6f660356cc808d36c36f9c0c11973c8031
Instruction ID: 9f101942a68db4e790d7b6a69b6e003f8a3c489338379646b69a5518e9817596
Opcode Fuzzy Hash: 50ce9bdbcbbafd13e081e20970f75e6f660356cc808d36c36f9c0c11973c8031
Instruction Fuzzy Hash: E101B972944218BAEB11BBA18C42FDEB77DFF04318F10055AF50062042D73AA615C7A5

Function 00410AFB Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT(00000000,00000002), ref: 0040D6FA

_snwprintf.MSVCRT ref: 00410B28
SendMessageW.USER32(?,0000040B,00000000,?), ref: 00410B8D

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

_snwprintf.MSVCRT ref: 00410B53
wcscat.MSVCRT ref: 00410B66

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: 0e6b7667e56475d7b9f4e87a61fadb8ecb0fd6bc9a92603bad5de248469984c0
Instruction ID: d8a36cc9ebfe16c4016e2f7d8ce927a21bbfbb5a34db6cd482cb30cff4dedb25
Opcode Fuzzy Hash: 0e6b7667e56475d7b9f4e87a61fadb8ecb0fd6bc9a92603bad5de248469984c0
Instruction Fuzzy Hash: F40188B190030866F720F7B5CC86FEB73AC9B4070DF14446AB719E2183D679A9554A6D

Function 0041938B Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,004194B6,?), ref: 004193A9
malloc.MSVCRT ref: 004193B0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76F8DF80,?,004194B6,?), ref: 004193CF
free.MSVCRT ref: 004193D6

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 7272131d04c6d774e786cc75aec82cebd7b04aebb3355190285584dbadfac89e
Instruction ID: ffb41da00ab2b38d2186f0124ec64ac670dece32c0042acda28ef17f3fef3975
Opcode Fuzzy Hash: 7272131d04c6d774e786cc75aec82cebd7b04aebb3355190285584dbadfac89e
Instruction Fuzzy Hash: BBF0B4B260D21E7F7A102A655CC0C7BBB9CD68A2FCB20073FF520911C0D9555C0156B5

Function 0040A0F1 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0040A0FF
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 0040A117
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 0040A12D
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 0040A150

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 23c7d58ea5e9d2a7b917a314186be0afa9840c28c7dffcbe9a9049126b0066b5
Instruction ID: 6ff75ca8442cb1aaba57c9855211930760e6665974d32c71f4c26f3b37502511
Opcode Fuzzy Hash: 23c7d58ea5e9d2a7b917a314186be0afa9840c28c7dffcbe9a9049126b0066b5
Instruction Fuzzy Hash: A3F06975A0020CBEDB018F958CC1CBFBBB9EB49784F20407AF504EA150D270AE11AB61

Function 00411F2F Relevance: 6.0, APIs: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00411F50
RegisterClassW.USER32(00000001), ref: 00411F75
GetModuleHandleW.KERNEL32(00000000), ref: 00411F7C
CreateWindowExW.USER32(00000000,00000000,0044F4CC,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00411FA2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID:
API String ID: 2678498856-0
Opcode ID: b5bbf0ae051fe51f02939c0630202113e2a9289baae73011afc51dd1c0ebc6e3
Instruction ID: 99e030ddf9f13c5852d1981898f16885884db78983a3d6c06d17877ae79c9dc0
Opcode Fuzzy Hash: b5bbf0ae051fe51f02939c0630202113e2a9289baae73011afc51dd1c0ebc6e3
Instruction Fuzzy Hash: 350125B1901229ABD7109FA59C89ADFBFBCFF09710F10422AF108A2240D7B45A448BE8

Function 00419AB5 Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00419AD2
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00419AF2
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00419AFE
GetLastError.KERNEL32 ref: 00419B0C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 986a2fee5f05a16e76f0cef6e54be21541a9d0a22b66a179d935c389a5993231
Instruction ID: f326d1aa279b3286dc61effd62df9caa1a27d224ff9dba1ebef161e5ee26a254
Opcode Fuzzy Hash: 986a2fee5f05a16e76f0cef6e54be21541a9d0a22b66a179d935c389a5993231
Instruction Fuzzy Hash: 5F01D175504208FFDB21DFA4EC84C9B77B8FB81754F20443AF502D5050E634AD48CB65

Function 0040F1F6 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F21B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044F684,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F234
strlen.MSVCRT ref: 0040F246
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F257

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: af324034355b8326fc79afd52d6166ba087be1d4dfb2b911d4ab16e42422411b
Instruction ID: 693f9c66229169b877fb65a07178d670502057314d81cba2c0b658d4e4f309f7
Opcode Fuzzy Hash: af324034355b8326fc79afd52d6166ba087be1d4dfb2b911d4ab16e42422411b
Instruction Fuzzy Hash: B8F04FB680121CBEFB01A7949CC5DEB776CDB05254F0040B2B705D2042E5749E488B78

Function 0040F187 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F1AC
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F1C9
strlen.MSVCRT ref: 0040F1DB
WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F1EC

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: b6fc7f5051e315d886dd0844a980d33df026f7d5ca875cb3320374fcca0aa7ef
Instruction ID: 214f2a4103aa1d7c130f25418be1d7ef950c2207e9cb189a5e29a9696e3271f8
Opcode Fuzzy Hash: b6fc7f5051e315d886dd0844a980d33df026f7d5ca875cb3320374fcca0aa7ef
Instruction Fuzzy Hash: B0F062B680111CBEEB81A794DC81DEB77ACEB05258F0180B2B749D2041E9749F4C4F7D

Function 0040374F Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403774
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403791
strlen.MSVCRT ref: 004037A3
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004037B4

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 3a8f2ef2901fd1bf96b16f805e9566abfadfd8793c1561c94dc77c8a8d5e4b08
Instruction ID: 1ce7aa51f862e36c5a0d70db4a972110d182e6fdccd903b3ebab4b2d8822c945
Opcode Fuzzy Hash: 3a8f2ef2901fd1bf96b16f805e9566abfadfd8793c1561c94dc77c8a8d5e4b08
Instruction Fuzzy Hash: C6F062B780121CBEFB01A794DCC5DEB776CDB05254F0040B2B705D2042E5749F488B79

Function 00415DC8 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 0040A33E: memset.MSVCRT ref: 0040A35D
Part of subcall function 0040A33E: GetClassNameW.USER32(?,00000000,000000FF), ref: 0040A374
Part of subcall function 0040A33E: _wcsicmp.MSVCRT ref: 0040A386

SetBkMode.GDI32(?,00000001), ref: 00415DEF
SetBkColor.GDI32(?,00FFFFFF), ref: 00415DFD
SetTextColor.GDI32(?,00C00000), ref: 00415E0B
GetStockObject.GDI32(00000000), ref: 00415E13

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 42e4004be367d569ef6b1ed2fd7568d25a8fc534219fc729a21696d2538a26ff
Instruction ID: f6ca766a756f956276b7987b22366021d45869a5efd1f957245e1e0f0cc444aa
Opcode Fuzzy Hash: 42e4004be367d569ef6b1ed2fd7568d25a8fc534219fc729a21696d2538a26ff
Instruction Fuzzy Hash: 2BF04F36500209FBCF116FA4EC0AADE3B65FF85721F10413AF915A41F2CB79A9A49A49

Function 0040AD77 Relevance: 6.0, APIs: 4, Instructions: 34timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040AD93
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040ADA3
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040ADB2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: 500b3f37a8e27eabcf8092cb1f440f01365611260bcda39269a24c65035c9a43
Instruction ID: 31e7aa1bea13d32e7bca6e77574f5e504946d2401e2512c444bffb4365324c75
Opcode Fuzzy Hash: 500b3f37a8e27eabcf8092cb1f440f01365611260bcda39269a24c65035c9a43
Instruction Fuzzy Hash: A0F0FE769112099BEB119BA0DD49BBBB3FCBB4570BF044439E552E1080EB74D4098B65

Function 004139EE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(0045B808,?,00000050,?,00401C6E,?), ref: 00413A08
memcpy.MSVCRT(0045B538,?,000002CC,0045B808,?,00000050,?,00401C6E,?), ref: 00413A1A
GetModuleHandleW.KERNEL32(00000000), ref: 00413A2D
DialogBoxParamW.USER32(00000000,0000006B,?,Function_00013704,00000000), ref: 00413A41

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 4d87169f9d56b17e00e3402c301ad3cb042f0108c164b9bdc7b5e575712afbe5
Instruction ID: bbec9d8a740cb9b84f1fef4082fdc1a95378a550d55470654ec0ec15965ea30e
Opcode Fuzzy Hash: 4d87169f9d56b17e00e3402c301ad3cb042f0108c164b9bdc7b5e575712afbe5
Instruction Fuzzy Hash: 85F027B2640320ABE310BFB5BC06F463AA4F709B1BF114836F600A51D2C3B949558FDD

Function 0044E1A7 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(02110048), ref: 0044E1B1
??3@YAXPAX@Z.MSVCRT(02120050), ref: 0044E1C1
??3@YAXPAX@Z.MSVCRT(009F6D40), ref: 0044E1D1
??3@YAXPAX@Z.MSVCRT(02120458), ref: 0044E1E1

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ff29cf86c77b574f117a7c2e416dd39f00a755436dc2afce52489674462316f8
Instruction ID: 0040574f82d095680108ff298768a764fab42f46883a413dd34ad4582741df14
Opcode Fuzzy Hash: ff29cf86c77b574f117a7c2e416dd39f00a755436dc2afce52489674462316f8
Instruction Fuzzy Hash: 46E0197130120006BE2CEB3FA981A2223CC2E61301319883AF900C2282CF28E980802E

Function 00411855 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 004118BE
InvalidateRect.USER32(?,00000000,00000000), ref: 0041190E

Strings

xr@, xrefs: 00411A93

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: InvalidateMessageRectSend
String ID: xr@
API String ID: 909852535-3463887390
Opcode ID: ba6026d9526b87ee37bd19c55eabe9f4096063d0fb6082bcfa7714a2564ce611
Instruction ID: 0293175210dcad0e75e5e34cf014ada8c26fc98d1d87670dbb71c7f4721f3b00
Opcode Fuzzy Hash: ba6026d9526b87ee37bd19c55eabe9f4096063d0fb6082bcfa7714a2564ce611
Instruction Fuzzy Hash: B761F6307002045BCF20EB658885EEE73E6AF44768F52446BF2595B2B2CB79ADC5CB4D

Function 0040F295 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040F2D7
wcschr.MSVCRT ref: 0040F2E5

Part of subcall function 0040B0B2: wcslen.MSVCRT ref: 0040B0CE
Part of subcall function 0040B0B2: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F32D), ref: 0040B0F1

Strings

", xrefs: 0040F321

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 03968bedbba8fd43ed3f28f545e1ed9fa43ac2e70cc11921a3825c77fa5f6545
Instruction ID: 10195603321605bd56750b7816c0d0271b844f9ce746ccc2960791535488f280
Opcode Fuzzy Hash: 03968bedbba8fd43ed3f28f545e1ed9fa43ac2e70cc11921a3825c77fa5f6545
Instruction Fuzzy Hash: DA318371904204EBDF24EFA5C8419EEB7B4EF54324B21417BEC10B76D1DB78A94ACB98

Function 0040AADB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040AB07
memcpy.MSVCRT(00000000,009F34CC,00000000,?,?,009F34CC,?,?,004041EF,00000000,00000000,0044F6A0,?,?,?), ref: 0040AB53

Strings

A@, xrefs: 0040AB04

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpywcschr
String ID: A@
API String ID: 2424118378-2073013064
Opcode ID: 65d1c98ee92e68f8316e26253cac294d40828dc9945de756115462d34a8b6e5e
Instruction ID: 830330097a83edb220799b64d51470a873f960a000b5f267707f01fc502e4dd1
Opcode Fuzzy Hash: 65d1c98ee92e68f8316e26253cac294d40828dc9945de756115462d34a8b6e5e
Instruction Fuzzy Hash: B121CC32910315ABDB259F18C4809BAB3B9EB50354B50453BEE42E73D1E7B8BC61C6DA

Function 0040C4A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040A8EC: SetFilePointer.KERNEL32(0040C76D,?,00000000,00000000,?,0040C573,00000000,00000000,?,00000020,?,0040C703,?,?,*.*,0040C76D), ref: 0040A8F9

_memicmp.MSVCRT ref: 0040C4BB
memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C76D,00000000), ref: 0040C4D2

Strings

URL , xrefs: 0040C4B5

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: 8b46189477faf47e70554d53ccdcd0d71d59fab45cca677982259d8f08aed264
Instruction ID: e1781fd545be80fe7556f1c298766c282a9e191fb349476702c3e518ab4974fa
Opcode Fuzzy Hash: 8b46189477faf47e70554d53ccdcd0d71d59fab45cca677982259d8f08aed264
Instruction Fuzzy Hash: 8411E335500204FBEB11EF25CC45F5B7BE8EF42348F004066F904AB292E779EA11D7A9

Function 0040A912 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A957
memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A967

Strings

%2.2X , xrefs: 0040A94C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: b028d3dd81a9ff72aad3c771905fcdc4d2240dadb792d078678063d252d14bc1
Instruction ID: 6a588dd7550e73766d5457c33bdc9f1bb05d6c65df0ab8095161fbe55ab5aab1
Opcode Fuzzy Hash: b028d3dd81a9ff72aad3c771905fcdc4d2240dadb792d078678063d252d14bc1
Instruction Fuzzy Hash: A2118272A00308BFEB11DFE8C8829AFB3B4FB45714F118476ED14E7141D6389A158B96

Function 00419B1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00419D38,?,00000000), ref: 00419B54
CloseHandle.KERNEL32(?), ref: 00419B60

Strings

ItA, xrefs: 00419B3F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: ItA
API String ID: 2381555830-3397558953
Opcode ID: 78d9621554c737ac66a3f4cb29ee58c3d3362d23627f1abe4208ba6ebade4b46
Instruction ID: 8fc27f8f603743712d85b87c8facf7af589576e01e28d81e59fb0ee190f4bb1a
Opcode Fuzzy Hash: 78d9621554c737ac66a3f4cb29ee58c3d3362d23627f1abe4208ba6ebade4b46
Instruction Fuzzy Hash: B3119A32409710DFCB21AF15E984A96B7E4FF40B22B00082EE592976A1C738FC85CB98

Function 0040F4EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040F51C
_snwprintf.MSVCRT ref: 0040F53C

Strings

%%-%d.%ds , xrefs: 0040F511

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: e1797fb05a737fba52aba767bb24c373e33194b62cf47ebf28a73d56ffb6a049
Instruction ID: 95e02a5c15eeed1d551906e02850d48b35c8b7aee7daa8271261a5313117e4a6
Opcode Fuzzy Hash: e1797fb05a737fba52aba767bb24c373e33194b62cf47ebf28a73d56ffb6a049
Instruction Fuzzy Hash: 4601B575600204AFD720AF19CC82D9BB7ADFB4C718B00443EFD46A7692C639F855CB64

Function 0040B109 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B118
_memicmp.MSVCRT ref: 0040B146

Strings

History, xrefs: 0040B112, 0040B117, 0040B144

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: d43cc8d850bd4f9d15064c446135e088d8750b77bb674fd7b9a2667d4b21ddf2
Instruction ID: 941d79324f8edf167e3c65633afc17faa179ac8f5e09340cfeb8a5c916fb1dc6
Opcode Fuzzy Hash: d43cc8d850bd4f9d15064c446135e088d8750b77bb674fd7b9a2667d4b21ddf2
Instruction Fuzzy Hash: EFF0A4725082018BD210EE298C41A2BF7E8DF813E9F11093FF8A1A62C2DB39DC4546ED

Function 0040A838 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 0040A887
wcscpy.MSVCRT ref: 0040A89E

Strings

X, xrefs: 0040A86C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: cf50ce10e3d8adb72faeaa0eaa9c5517279bca70dc60290c33b6f594c57b49c2
Instruction ID: 6611e8cc3d156157abd2d980a6588325782f281802a6564c3fcb0580a52e3f25
Opcode Fuzzy Hash: cf50ce10e3d8adb72faeaa0eaa9c5517279bca70dc60290c33b6f594c57b49c2
Instruction Fuzzy Hash: 3201D3B2E002499FDF15DFE9D88479EBBF4EF08319F10842AE815E6280DB789949CF55

Function 0040E293 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E2AB
SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E2DA

Strings

", xrefs: 0040E2D3

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: aee607dd69faffa0a38dbaa75629dbd7c8e2f222f7178d7bf2009bde8f964298
Instruction ID: e50019999580a74d85a60b07338c936db99593caccc9844b50c561b4a2aa9bba
Opcode Fuzzy Hash: aee607dd69faffa0a38dbaa75629dbd7c8e2f222f7178d7bf2009bde8f964298
Instruction Fuzzy Hash: 3301D179800205EFDB209F9AC841AAFB7F8FF88745F01843EE855A6281E3349855CF79

Function 00401FEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,004116D2,?,General,?,00000000,00000001), ref: 00402015
memset.MSVCRT ref: 00402028

Strings

WinPos, xrefs: 0040203B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 521b6bf8a0af6af857a236e47d383093fbaed3f27b246b805a3dea25d9df0909
Instruction ID: 6104400570af448ab2160dad3ac02d8bcb917da1af1eef173e874a3fdbf9e1c7
Opcode Fuzzy Hash: 521b6bf8a0af6af857a236e47d383093fbaed3f27b246b805a3dea25d9df0909
Instruction Fuzzy Hash: 06F04F70600304AFEB14EF94C98DF5A33ACAF04700F14007AEA099B1C1D7F8A900CA29

Function 0040A7D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0040A81A
wcscpy.MSVCRT ref: 0040A828

Strings

X, xrefs: 0040A7FB

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileNameOpenwcscpy
String ID: X
API String ID: 3246554996-3081909835
Opcode ID: 2a67dbd5aac994321e133afa0018ae29574dd41fddbd4530bc2321b891ce1e3f
Instruction ID: 539f78c5397e7073aed27145bddffd849fb5fc534cbcdb44ae1ffce86d8eed53
Opcode Fuzzy Hash: 2a67dbd5aac994321e133afa0018ae29574dd41fddbd4530bc2321b891ce1e3f
Instruction Fuzzy Hash: 6C0162B1D0124C9FDB51DFE9D8856CEBBF4BF09318F10802AE819F6240EB7495458F55

Function 0040DF2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DF52
LoadStringW.USER32(hE,00000000,?,00001000), ref: 0040DF6A

Part of subcall function 0040DC1C: memset.MSVCRT ref: 0040DC2F
Part of subcall function 0040DC1C: _itow.MSVCRT ref: 0040DC3D

Strings

hE, xrefs: 0040DF67

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$LoadString_itow
String ID: hE
API String ID: 2363904170-2023966264
Opcode ID: a9946285b92afe35a5342dbba43cd3e7e620973a75260ca37de27efc1ebb9654
Instruction ID: 9b56b68215c9794ac37e938ab49c8f41abb91b806af26c10162807848ed08486
Opcode Fuzzy Hash: a9946285b92afe35a5342dbba43cd3e7e620973a75260ca37de27efc1ebb9654
Instruction Fuzzy Hash: D8F08272D0022969F720A7459D4ABDFB79C9F05744F000076BB0CE1192D6649A44C7AE

Function 0040DC1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DC2F
_itow.MSVCRT ref: 0040DC3D

Part of subcall function 0040DBA3: memset.MSVCRT ref: 0040DBC8
Part of subcall function 0040DBA3: GetPrivateProfileStringW.KERNEL32(0045E668,?,0044F4CC,?,00001000,0045E458), ref: 0040DBF0

Strings

hE, xrefs: 0040DC1C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memset$PrivateProfileString_itow
String ID: hE
API String ID: 1482724422-2023966264
Opcode ID: 9d91d721a2435454d66ee30fea597a374f678bd0bf4a4b4aeba8e389cc8d88fc
Instruction ID: 5887821bd48b257a389a8619214a73bf64326750db89a50052b3e3f26cdab3d4
Opcode Fuzzy Hash: 9d91d721a2435454d66ee30fea597a374f678bd0bf4a4b4aeba8e389cc8d88fc
Instruction Fuzzy Hash: 82E0BFB194030CF6EF10BBD1CC46F9D77BC6B05758F110425BA04A51C1E7B4A6598756

Function 00416D79 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00416D91
FreeLibrary.KERNEL32(00000000,?,00406A8C,00000000), ref: 00416DA9

Strings

shlwapi.dll, xrefs: 00416D7B

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID: shlwapi.dll
API String ID: 3150196962-3792422438
Opcode ID: 0ba260915fc044c9060a9267e76b53ad6964ed23a45c776f21564570e230f864
Instruction ID: 8953b9299a98f99d53b06e6692452402a631d67aef832c0f4ad793a499166b8b
Opcode Fuzzy Hash: 0ba260915fc044c9060a9267e76b53ad6964ed23a45c776f21564570e230f864
Instruction Fuzzy Hash: 77D01235205620AFD6516B26EC05AAF2AA5EFC2353B064035FC44D2251DB288C4A8669

Function 004173D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(0045EB90,00000000,00000001), ref: 004173DE
DeleteCriticalSection.KERNEL32(0045EAE8), ref: 004173F8

Strings

E, xrefs: 004173F2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: CompareCriticalDeleteExchangeInterlockedSection
String ID: E
API String ID: 1152216905-2089609516
Opcode ID: 41052287ff6157aca7ae807cc5e0ab8c053c410c9bf42ce8b0cf4aaaa29973d0
Instruction ID: a08b94eee07b275f18df31a14d48185bcbd6fbf62116246691b6506a81ff28e0
Opcode Fuzzy Hash: 41052287ff6157aca7ae807cc5e0ab8c053c410c9bf42ce8b0cf4aaaa29973d0
Instruction Fuzzy Hash: 6DE0C23580123043DF249B355D08BC63764A701307F000433FF08E1593D3589DC8465E

Function 0040A394 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(0045EC58,00000104,?,0041545E,?,?,00000000,00000208,?), ref: 0040A3AA
wcscpy.MSVCRT ref: 0040A3BA

Strings

XE, xrefs: 0040A39D

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: DirectoryWindowswcscpy
String ID: XE
API String ID: 3999232144-3649240766
Opcode ID: ee863e4ac16fe2bc2a50466a47192c7d1d348325111a7f9272ab4bdfadf89a60
Instruction ID: 4a4bab80cec1fde47f2faee4497fd5c8b1cbd1d111bef82ff05efc413ebbe1fc
Opcode Fuzzy Hash: ee863e4ac16fe2bc2a50466a47192c7d1d348325111a7f9272ab4bdfadf89a60
Instruction Fuzzy Hash: EED0A732819350EFF309AB16FD4688637A4EB05331F10407BF801521A1E7B49E84C68E

Function 0040E18E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

wcsrchr.MSVCRT ref: 0040E197
wcscat.MSVCRT ref: 0040E1AD

Strings

_lng.ini, xrefs: 0040E1A7

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: fc401660792f3259079d155ab2926aa0832a50f509c5fa83b23360e965731080
Instruction ID: 8b583429bb2f73c15531c1fc6ec83a8602d0f7af3b9842199d22d9f13e476b24
Opcode Fuzzy Hash: fc401660792f3259079d155ab2926aa0832a50f509c5fa83b23360e965731080
Instruction Fuzzy Hash: DBC0127668261020F12633226D03BAA02484F03709F25003BFC012E1C2ABAC56A240AF

Function 00416AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00416B0A

Strings

shell32.dll, xrefs: 00416AF0
SHGetSpecialFolderPathW, xrefs: 00416B04

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2773794195-880857682
Opcode ID: c1b45a8134029c03373e9e62df4e01b2212aa259df3a417208d0da953679c99d
Instruction ID: 99dbe11720a893006f653479ba407f655e67b82aae680071a902f62ebf455638
Opcode Fuzzy Hash: c1b45a8134029c03373e9e62df4e01b2212aa259df3a417208d0da953679c99d
Instruction Fuzzy Hash: 6BD0C7B1548311A9E7045B72BC097113654A711307F144077B800D2997EB78D9459F1D

Function 0042D909 Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000000,?), ref: 0042D9AB
memcpy.MSVCRT(?,?,?,?), ref: 0042D9E4
memset.MSVCRT ref: 0042D9FA
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042DA33

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8146a5a9f1215ff6fa9f3d5588c159669d09d75e34f759fa96b1d6c6d51f12fb
Instruction ID: 22161e07a8dd0176d215964da5b89ff37004ec298054f59c146abe01b4a1168d
Opcode Fuzzy Hash: 8146a5a9f1215ff6fa9f3d5588c159669d09d75e34f759fa96b1d6c6d51f12fb
Instruction Fuzzy Hash: 635182B5E00219EFDF14EF55DC42AAEBBB5FF04340F55806AF904AA241E7389E50CB99

Function 0040E35C Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0040A6FB: memset.MSVCRT ref: 0040A709

??2@YAPAXI@Z.MSVCRT ref: 0040E389
??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E3B0
??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E3D1
??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E3F2

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: eb350b77a03d3952c19d09036869a2b52fa89c555923169d256a5bb9e8a87cdf
Instruction ID: a8f70b2b8f0220c2fb0a7082b37bd867e83ef99612ffde3d47a64c7db78a1032
Opcode Fuzzy Hash: eb350b77a03d3952c19d09036869a2b52fa89c555923169d256a5bb9e8a87cdf
Instruction Fuzzy Hash: F521E6B0A117008FD7619F2B8444A15FFE8FF90310B2689AFD559CB2B2D3B8C450CB25

Function 0040AEF6 Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040AF08

Part of subcall function 00409FB3: malloc.MSVCRT ref: 00409FCF
Part of subcall function 00409FB3: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FE7
Part of subcall function 00409FB3: free.MSVCRT ref: 00409FF0

free.MSVCRT ref: 0040AF2E
free.MSVCRT ref: 0040AF51
memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF75

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 331cd75d25474b200007b092dd27d2fe5eea30cc0ecd3ad211855935377a92b8
Instruction ID: 62c255610b828a0a43b98215f9d769f251a011d3a86863779d24e99e918d36f1
Opcode Fuzzy Hash: 331cd75d25474b200007b092dd27d2fe5eea30cc0ecd3ad211855935377a92b8
Instruction Fuzzy Hash: C0218EB1100705EFD720EF18C88189AB3F4EF453247108A2EF9669B2D1C735F919CB55

Function 00404447 Relevance: 5.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0045B238,00000010,00000000,00404FFF,?,00404592,00404FFF,?,00404FFF,00409A5B,00000000), ref: 0040445E

Part of subcall function 004043D9: memcmp.MSVCRT(00404FFF,0040447D,00000004,000000FF), ref: 004043F7
Part of subcall function 004043D9: memcpy.MSVCRT(00000367,00405019,48891048,?), ref: 00404426
Part of subcall function 004043D9: memcpy.MSVCRT(-00000269,0040501E,00000060,00000367,00405019,48891048,?), ref: 0040443B

memcmp.MSVCRT(?,00000000,0000000E,00000000,00404FFF,?,00404592,00404FFF,?,00404FFF,00409A5B,00000000), ref: 00404496
memcmp.MSVCRT(?,00000000,0000000B,00000000,00404FFF,?,00404592,00404FFF,?,00404FFF,00409A5B,00000000), ref: 004044C7
memcpy.MSVCRT(0000023E,00404FFF,?), ref: 004044E4

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: memcmp$memcpy
String ID:
API String ID: 231171946-0
Opcode ID: 02b7e515e6cb7942f6ab12f07e0d827038bf1469a5ded1db4bdf5d811a63220b
Instruction ID: 50c4ff2e8450c3fce798df969388a048485be3917a12ccca82d2995326f9277d
Opcode Fuzzy Hash: 02b7e515e6cb7942f6ab12f07e0d827038bf1469a5ded1db4bdf5d811a63220b
Instruction Fuzzy Hash: 2B11A5F16003146AFB2026129C06F9A3758EB91758F10843FFF44641C2FABEA950566E

Function 0040B6F7 Relevance: 5.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B6FE
free.MSVCRT ref: 0040B721

Part of subcall function 00409FB3: malloc.MSVCRT ref: 00409FCF
Part of subcall function 00409FB3: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FE7
Part of subcall function 00409FB3: free.MSVCRT ref: 00409FF0

free.MSVCRT ref: 0040B752
memcpy.MSVCRT(00000000,?,00000000,00000000,00406D5E,?), ref: 0040B77F

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: 97e23aac66076e39f365f82e397f054d7c8dc4d8bc002d43dba8b43fe139d604
Instruction ID: a2faa610dd64c27b0c2ef2c48459d55f7a4c7651722976a7707f5b611db7f3cc
Opcode Fuzzy Hash: 97e23aac66076e39f365f82e397f054d7c8dc4d8bc002d43dba8b43fe139d604
Instruction Fuzzy Hash: C6115A716043059FD730AB18EC8192637A6EB8733AB24813BF9049B3A3C735D8148BDD

Function 0041933B Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041A0CF,000000FF,00000000,00000000,00419CBA,?,?,00419CBA,0041A0CF,00000000,?,0041A33C,?,00000000), ref: 00419356
malloc.MSVCRT ref: 0041935E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041A0CF,000000FF,00000000,00000000,?,00419CBA,0041A0CF,00000000,?,0041A33C,?,00000000,00000000,?), ref: 00419375
free.MSVCRT ref: 0041937C

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: e4beb7e75d6b6867dc320311ec8e335ac11e6b54827e84fb66ef34ac5fc0bb4b
Instruction ID: ea87104fc79d75f86d2c504ed11776472b4b13713310e55314d530160130750a
Opcode Fuzzy Hash: e4beb7e75d6b6867dc320311ec8e335ac11e6b54827e84fb66ef34ac5fc0bb4b
Instruction Fuzzy Hash: C2F0376660521E7BD71025A55C40D77779CDB8A679B11073BFD10E21C1ED59DC0016B4

Function 0040A2DE Relevance: 5.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A2E8
wcslen.MSVCRT ref: 0040A2F2
wcscpy.MSVCRT ref: 0040A306

Part of subcall function 00409CD8: wcslen.MSVCRT ref: 00409CD9
Part of subcall function 00409CD8: wcscat.MSVCRT ref: 00409CF1

wcscat.MSVCRT ref: 0040A314

Memory Dump Source

Source File: 00000006.00000002.1435375169.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1435355047.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435414057.000000000044F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435434041.000000000045E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1435479957.0000000000474000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Chrom.jbxd

Yara matches

Similarity

API ID: wcslen$wcscat$wcscpy
String ID:
API String ID: 1961120804-0
Opcode ID: 0805737b1f039988677200671bcaaa36b03551ad30adce6ee1146d80a995da50
Instruction ID: 1861b29a0bf7327a5836ebdd28897080e635c1e607cd20ba3add047366222a10
Opcode Fuzzy Hash: 0805737b1f039988677200671bcaaa36b03551ad30adce6ee1146d80a995da50
Instruction Fuzzy Hash: 57E0E532505209BAEF017FA2D9068CE3B95EF06379B51483BFC0892041EB3DE561879A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quote for new order 2025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\01-08-2025 11-44-34.jpg

C:\Users\Public\Downloads\01-08-2025 11-44-46.jpg

C:\Users\Public\Downloads\01-08-2025 11-44-54.jpg

C:\Users\Public\Downloads\01-08-2025 12-27-19.jpg

C:\Users\Public\Downloads\01-08-2025 12-27-27.jpg

C:\Users\Public\Downloads\01-08-2025 12-27-35.jpg

C:\Users\user\AppData\Local\Temp\chpDEA1.tmp

C:\Users\user\Desktop\Chrom.exe

C:\Users\user\Desktop\output.txt

C:\Users\user\Desktop\windown.bat

C:\Windows\Logs\SIH\SIH.20250108.114443.109.1.etl

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP30A9.tmp

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Windows Analysis Report
Quote for new order 2025.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre