Edit tour

Windows Analysis Report
vV5EOx0ipU.exe

Overview

General Information

Sample name:	vV5EOx0ipU.exe renamed because original name is a hash value
Original sample name:	c0aed7042e2ac3344c4ccc0bd7d5b04825538f1302074b021f80afdca8747668.exe
Analysis ID:	1586716
MD5:	bdb812b2a360c206c5ab9de2acd75435
SHA1:	2c888c5ef480d02aa6a972906c29d2c498fd430a
SHA256:	c0aed7042e2ac3344c4ccc0bd7d5b04825538f1302074b021f80afdca8747668
Tags:	exeuser-crep1x
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

vV5EOx0ipU.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\vV5EOx0ipU.exe" MD5: BDB812B2A360C206C5AB9DE2ACD75435)

iScrPaint.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Local\Temp\iScrPaint.exe" MD5: 098AC4621EE0E855E0710710736C2955)

iScrPaint.exe (PID: 5992 cmdline: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe MD5: 098AC4621EE0E855E0710710736C2955)

cmd.exe (PID: 5768 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lvHost_v4.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe MD5: 967F4470627F823F4D7981E511C9824F)

iScrPaint.exe (PID: 6408 cmdline: "C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe" MD5: 098AC4621EE0E855E0710710736C2955)

cmd.exe (PID: 6344 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iScrPaint.exe (PID: 6976 cmdline: "C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe" MD5: 098AC4621EE0E855E0710710736C2955)

cmd.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lvHost_v4.exe (PID: 5668 cmdline: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\iScrPaint.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2697973370.00000000094EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000012.00000002.3565366108.00000000025DC000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.3190324611.0000000003250000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.3459279888.00000000055E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: iScrPaint.exe PID: 6776	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 5768	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: lvHost_v4.exe PID: 5640	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6344	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.cmd.exe.32507f8.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.32507f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
18.2.lvHost_v4.exe.26286ed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.lvHost_v4.exe.26286ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e617:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6a2:$s1: CoGetObject 0x25e5fb:$s2: Elevation:Administrator!new:
10.2.cmd.exe.52886cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.52886cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e617:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6a2:$s1: CoGetObject 0x25e5fb:$s2: Elevation:Administrator!new:
2.0.iScrPaint.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
16.2.cmd.exe.562cacd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.cmd.exe.562cacd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f217:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2a2:$s1: CoGetObject 0x25f1fb:$s2: Elevation:Administrator!new:
10.2.cmd.exe.5287acd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.5287acd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f217:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2a2:$s1: CoGetObject 0x25f1fb:$s2: Elevation:Administrator!new:
18.2.lvHost_v4.exe.2627aed.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.lvHost_v4.exe.2627aed.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f217:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2a2:$s1: CoGetObject 0x25f1fb:$s2: Elevation:Administrator!new:
4.2.cmd.exe.50e8acd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.50e8acd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f217:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2a2:$s1: CoGetObject 0x25f1fb:$s2: Elevation:Administrator!new:
8.2.lvHost_v4.exe.27b26ed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.lvHost_v4.exe.27b26ed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e617:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6a2:$s1: CoGetObject 0x25e5fb:$s2: Elevation:Administrator!new:
8.2.lvHost_v4.exe.276ca20.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.lvHost_v4.exe.276ca20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42e4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a436f:$s1: CoGetObject 0x2a42c8:$s2: Elevation:Administrator!new:
16.2.cmd.exe.55e7a00.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.cmd.exe.55e7a00.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42e4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a436f:$s1: CoGetObject 0x2a42c8:$s2: Elevation:Administrator!new:
10.2.cmd.exe.5242a00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.5242a00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42e4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a436f:$s1: CoGetObject 0x2a42c8:$s2: Elevation:Administrator!new:
8.2.lvHost_v4.exe.27b1aed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.lvHost_v4.exe.27b1aed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f217:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2a2:$s1: CoGetObject 0x25f1fb:$s2: Elevation:Administrator!new:
4.2.cmd.exe.50e96cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.50e96cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e617:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6a2:$s1: CoGetObject 0x25e5fb:$s2: Elevation:Administrator!new:
4.2.cmd.exe.50a3a00.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.50a3a00.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42e4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a436f:$s1: CoGetObject 0x2a42c8:$s2: Elevation:Administrator!new:
18.2.lvHost_v4.exe.25e2a20.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.lvHost_v4.exe.25e2a20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42e4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a436f:$s1: CoGetObject 0x2a42c8:$s2: Elevation:Administrator!new:
16.2.cmd.exe.562d6cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.cmd.exe.562d6cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e617:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6a2:$s1: CoGetObject 0x25e5fb:$s2: Elevation:Administrator!new:
Click to see the 28 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WebUI.dll	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\bgsystem_test\WebUI.dll	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: vV5EOx0ipU.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xgxgnfo	Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.cmd.exe.32507f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.lvHost_v4.exe.26286ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.52886cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.562cacd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.5287acd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.lvHost_v4.exe.2627aed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.50e8acd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.lvHost_v4.exe.27b26ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.lvHost_v4.exe.276ca20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.55e7a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.5242a00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.lvHost_v4.exe.27b1aed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.50e96cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.50a3a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.lvHost_v4.exe.25e2a20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.cmd.exe.562d6cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2697973370.00000000094EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3565366108.00000000025DC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3190324611.0000000003250000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3459279888.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvHost_v4.exe PID: 5640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6344, type: MEMORYSTR

Source: vV5EOx0ipU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: ntdll.pdb source: lvHost_v4.exe, 00000008.00000002.3102124081.0000000004334000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106590330.0000000006932000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104779550.0000000005D3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102784686.0000000004B38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105984046.000000000653C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107284723.0000000006F34000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101463436.0000000003F3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104018972.0000000005738000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101289098.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103367885.000000000513F000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102947734.0000000004D35000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103107493.0000000004F31000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3100994144.0000000003B3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103810517.0000000005531000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099208641.0000000002318000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101955475.0000000004135000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104516106.0000000005B33000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102613241.0000000004933000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107062406.0000000006D3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105012121.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103601072.000000000533C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104231085.0000000005931000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102453423.0000000004730000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106834191.0000000006B30000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105733026.0000000006339000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102294459.0000000004530000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105455567.0000000006131000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107577502.000000000713B000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099999615.0000000002CA0000.00000004.00001000.00020000.00000000.s
Source:	Binary string: wntdll.pdbUGP source: iScrPaint.exe, 00000002.00000002.2700347108.00000000098E1000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2701262061.0000000009C40000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990396766.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2989966381.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190419576.0000000004E9F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190937313.0000000005770000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: lvHost_v4.exe, 00000008.00000002.3102124081.0000000004334000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106590330.0000000006932000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104779550.0000000005D3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102784686.0000000004B38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105984046.000000000653C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107284723.0000000006F34000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101463436.0000000003F3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104018972.0000000005738000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101289098.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103367885.000000000513F000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102947734.0000000004D35000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103107493.0000000004F31000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3100994144.0000000003B3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103810517.0000000005531000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099208641.0000000002318000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101955475.0000000004135000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104516106.0000000005B33000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102613241.0000000004933000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107062406.0000000006D3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105012121.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103601072.000000000533C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104231085.0000000005931000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102453423.0000000004730000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106834191.0000000006B30000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105733026.0000000006339000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102294459.0000000004530000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105455567.0000000006131000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107577502.000000000713B000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099999615.0000000002CA0000.00000004.00001000.00020000.0000000
Source:	Binary string: c:\Qt\WebUI2\Release\WebUI.pdb source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C326000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CBB6000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdb source: iScrPaint.exe, 00000002.00000002.2700347108.00000000098E1000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2701262061.0000000009C40000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990396766.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2989966381.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190419576.0000000004E9F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190937313.0000000005770000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	1_2_0040301A
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	1_2_00402B79
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6C97D46D FindFirstFileW,FindClose,	2_2_6C97D46D
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,	8_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,	8_2_0000000140007628

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_000000014000D848 GetLogicalDriveStringsW,GetDlgItem,GetDriveTypeW,_cwprintf_s_l,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetSpecialFolderPathW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,RegOpenKeyExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,SendMessageW,SendMessageW,SendMessageW,RegCloseKey,

8_2_000000014000D848

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.12:52457 -> 162.159.36.2:53

Source: unknown

DNS traffic detected: query: plerukilo0.site replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: plerukilo0.site

Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C1EC000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CA7C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://bugreports.qt-project.org/
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C1EC000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CA7C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://epscd.catcert.net/crl/ec-acc.crl0.
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://epscd2.catcert.net/crl/ec-acc.crl0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.catcert.cat0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000000.2926710967.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.catcert.cat/descarrega/acc.crt0#
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EA5000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C2C4000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CB54000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EA5000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C2C4000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CB54000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-/W3C/DTD
Source: iScrPaint.exe, 00000002.00000002.2697973370.000000000924E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.0000000005054000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.000000000271D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000000.2926710967.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000000.2926710967.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: lvHost_v4.exe, 00000008.00000002.3098687914.00000000004B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/
Source: lvHost_v4.exe, 00000008.00000002.3099063854.0000000000A42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/jaron-rush-documentary-debuts-monday-night-on-metro-sports
Source: lvHost_v4.exe, 00000008.00000002.3098687914.000000000050E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/jaron-rush-documentary-debuts-monday-night-on-metro-sports?ms7qd64jdhcdp=4L0
Source: lvHost_v4.exe, 00000008.00000003.3094364331.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3097354681.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3092450440.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3082273805.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3095891609.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3084116335.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443
Source: lvHost_v4.exe, 00000008.00000003.3087124152.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3094364331.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3097354681.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3092450440.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3095891609.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443.dllt;
Source: lvHost_v4.exe, 00000008.00000003.3087124152.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3084116335.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443/
Source: lvHost_v4.exe, 00000008.00000003.3079480723.00000000004E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443/jaron-rush-documentary-debuts-monday-night-on-metro-sports?ms7qd64jdhcdp
Source: lvHost_v4.exe, 00000008.00000003.3080820458.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443Q:
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://stats.itopupdate.com/multi_app_new.php
Source: iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.cat/verCIT-10
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,

8_2_0000000140007860

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,

8_2_0000000140007860

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_0000000140007274 GetDlgItem,GetDlgItem,GetWindowRect,ScreenToClient,ScreenToClient,GetClientRect,CreateDIBSection,GetDC,CreateCompatibleDC,SelectObject,SelectObject,ReleaseDC,SendMessageW,

8_2_0000000140007274

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_00000001400038A8 KillTimer,GetAsyncKeyState,SetTimer,

8_2_00000001400038A8

Source: Yara match

File source: Process Memory Space: iScrPaint.exe PID: 6776, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.cmd.exe.32507f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.lvHost_v4.exe.26286ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.52886cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.cmd.exe.562cacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.5287acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.lvHost_v4.exe.2627aed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.50e8acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.lvHost_v4.exe.27b26ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.lvHost_v4.exe.276ca20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.cmd.exe.55e7a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.5242a00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.lvHost_v4.exe.27b1aed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.50e96cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.50a3a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.lvHost_v4.exe.25e2a20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.cmd.exe.562d6cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_000000014011FF38 CreateFileW,malloc,ReadFile,NtClose,

8_2_000000014011FF38

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Code function: 2_2_6C97E72A: CreateFileW,DeviceIoControl,CloseHandle,

2_2_6C97E72A

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_00404FAA	1_2_00404FAA
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_0041206B	1_2_0041206B
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_0041022D	1_2_0041022D
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_00411F91	1_2_00411F91
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6CC2A78D	2_2_6CC2A78D
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6C96E84F	2_2_6C96E84F
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6C96E36C	2_2_6C96E36C
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000BFFC	8_2_000000014000BFFC
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001D000	8_2_000000014001D000
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000B824	8_2_000000014000B824
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014002F838	8_2_000000014002F838
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000D848	8_2_000000014000D848
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140021068	8_2_0000000140021068
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000909C	8_2_000000014000909C
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00000001400238F8	8_2_00000001400238F8
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001A9B8	8_2_000000014001A9B8
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00000001400041C8	8_2_00000001400041C8
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00000001400231CC	8_2_00000001400231CC
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140021A00	8_2_0000000140021A00
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000E214	8_2_000000014000E214
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140024A78	8_2_0000000140024A78
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001F2A4	8_2_000000014001F2A4
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000A378	8_2_000000014000A378
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140122B98	8_2_0000000140122B98
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140013390	8_2_0000000140013390
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140020BB8	8_2_0000000140020BB8
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140001424	8_2_0000000140001424
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140008C3C	8_2_0000000140008C3C
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140005450	8_2_0000000140005450
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000D458	8_2_000000014000D458
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014011B450	8_2_000000014011B450
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001048C	8_2_000000014001048C
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00000001400EE4C4	8_2_00000001400EE4C4
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00000001400FC53C	8_2_00000001400FC53C
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000A5E0	8_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140022E30	8_2_0000000140022E30
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014002267C	8_2_000000014002267C
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001AE88	8_2_000000014001AE88
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140011EF4	8_2_0000000140011EF4
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00000001400FF714	8_2_00000001400FF714
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001DF44	8_2_000000014001DF44
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140040F48	8_2_0000000140040F48
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140018790	8_2_0000000140018790
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ED93FA0	8_2_00007FF67ED93FA0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5C070	8_2_00007FF67EC5C070
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECADD60	8_2_00007FF67ECADD60
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5C400	8_2_00007FF67EC5C400
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5EBB0	8_2_00007FF67EC5EBB0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ED93D10	8_2_00007FF67ED93D10
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5BC43	8_2_00007FF67EC5BC43
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EDAE1E0	8_2_00007FF67EDAE1E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ED94300	8_2_00007FF67ED94300
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5F250	8_2_00007FF67EC5F250
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC58010	8_2_00007FF67EC58010
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC94000	8_2_00007FF67EC94000
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC60FE0	8_2_00007FF67EC60FE0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC62FE0	8_2_00007FF67EC62FE0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC7DF80	8_2_00007FF67EC7DF80
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5E780	8_2_00007FF67EC5E780
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC96F70	8_2_00007FF67EC96F70
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC58F60	8_2_00007FF67EC58F60
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ED7D900	8_2_00007FF67ED7D900
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5B920	8_2_00007FF67EC5B920
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECAD8D0	8_2_00007FF67ECAD8D0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5F8F0	8_2_00007FF67EC5F8F0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5D890	8_2_00007FF67EC5D890
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECEA8A0	8_2_00007FF67ECEA8A0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5A8A0	8_2_00007FF67EC5A8A0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5E050	8_2_00007FF67EC5E050
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECAA860	8_2_00007FF67ECAA860
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC615E0	8_2_00007FF67EC615E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC97590	8_2_00007FF67EC97590
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5A590	8_2_00007FF67EC5A590
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC54D80	8_2_00007FF67EC54D80
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ED7CD60	8_2_00007FF67ED7CD60
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC96D40	8_2_00007FF67EC96D40
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5CF00	8_2_00007FF67EC5CF00
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC59F00	8_2_00007FF67EC59F00
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC63700	8_2_00007FF67EC63700
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC536A0	8_2_00007FF67EC536A0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC946D0	8_2_00007FF67EC946D0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5B680	8_2_00007FF67EC5B680
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC62E80	8_2_00007FF67EC62E80
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EE9C680	8_2_00007FF67EE9C680
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC536A0	8_2_00007FF67EC536A0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC59C02	8_2_00007FF67EC59C02
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC61420	8_2_00007FF67EC61420
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECADBE0	8_2_00007FF67ECADBE0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC943E0	8_2_00007FF67EC943E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5F3E0	8_2_00007FF67EC5F3E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECAABB0	8_2_00007FF67ECAABB0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECED340	8_2_00007FF67ECED340
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC58C90	8_2_00007FF67EC58C90
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC96450	8_2_00007FF67EC96450
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECF6450	8_2_00007FF67ECF6450
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECAD440	8_2_00007FF67ECAD440
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5D460	8_2_00007FF67EC5D460
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC97210	8_2_00007FF67EC97210
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5B210	8_2_00007FF67EC5B210
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ED929F0	8_2_00007FF67ED929F0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC599C4	8_2_00007FF67EC599C4
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67ECAD1F0	8_2_00007FF67ECAD1F0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC96990	8_2_00007FF67EC96990
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC58970	8_2_00007FF67EC58970
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5830E	8_2_00007FF67EC5830E
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC62320	8_2_00007FF67EC62320
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5A2D0	8_2_00007FF67EC5A2D0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5FA77	8_2_00007FF67EC5FA77
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5DA50	8_2_00007FF67EC5DA50
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC94260	8_2_00007FF67EC94260

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\iScrPaint.exe 46AFBF1CBD2E1B5E108C133D4079FADDC7347231B0C48566FD967A3070745E7F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: String function: 0040243B appears 37 times

Source: lvHost_v4.exe.4.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: xgxgnfo.16.dr	Static PE information: Number of sections : 12 > 10
Source: ondkpifasfpiuy.4.dr	Static PE information: Number of sections : 12 > 10

Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LegalTrademarks OriginalFileName vs vV5EOx0ipU.exe
Source: vV5EOx0ipU.exe, 00000001.00000003.2641364890.0000000002401000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs vV5EOx0ipU.exe
Source: vV5EOx0ipU.exe, 00000001.00000000.2640348884.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs vV5EOx0ipU.exe
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiScrPaint.exeJ vs vV5EOx0ipU.exe
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebUI.dll, vs vV5EOx0ipU.exe

Source: vV5EOx0ipU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.cmd.exe.32507f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.lvHost_v4.exe.26286ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.52886cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.cmd.exe.562cacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.5287acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.lvHost_v4.exe.2627aed.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.50e8acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.lvHost_v4.exe.27b26ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.lvHost_v4.exe.276ca20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.cmd.exe.55e7a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.5242a00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.lvHost_v4.exe.27b1aed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.50e96cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.50a3a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.lvHost_v4.exe.25e2a20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.cmd.exe.562d6cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.expl.evad.winEXE@20/15@2/0

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

1_2_00407776

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

1_2_0040118A

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

1_2_004034C1

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

1_2_00401BDF

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

File created: C:\Users\user\AppData\Roaming\bgsystem_test

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

File created: C:\Users\user\AppData\Local\Temp\bulk.iso

Jump to behavior

Source: Yara match	File source: 2.0.iScrPaint.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe, type: DROPPED

Source: vV5EOx0ipU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vV5EOx0ipU.exe

ReversingLabs: Detection: 36%

Source: lvHost_v4.exe	String found in binary or memory: -install -runas
Source: lvHost_v4.exe	String found in binary or memory: -install
Source: lvHost_v4.exe	String found in binary or memory: -install -nolisense

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

File read: C:\Users\user\Desktop\vV5EOx0ipU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vV5EOx0ipU.exe "C:\Users\user\Desktop\vV5EOx0ipU.exe"
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Process created: C:\Users\user\AppData\Local\Temp\iScrPaint.exe "C:\Users\user\AppData\Local\Temp\iScrPaint.exe"
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Process created: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe C:\Users\user\AppData\Local\Temp\lvHost_v4.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe "C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe"
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe "C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe"
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe C:\Users\user\AppData\Local\Temp\lvHost_v4.exe
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Process created: C:\Users\user\AppData\Local\Temp\iScrPaint.exe "C:\Users\user\AppData\Local\Temp\iScrPaint.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Process created: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Jump to behavior

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: webui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: webui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: webui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: webui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: seukanjejhxc.4.dr

LNK file: ..\..\Roaming\bgsystem_test\iScrPaint.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: vV5EOx0ipU.exe

Static file information: File size 7480499 > 1048576

Source:	Binary string: ntdll.pdb source: lvHost_v4.exe, 00000008.00000002.3102124081.0000000004334000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106590330.0000000006932000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104779550.0000000005D3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102784686.0000000004B38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105984046.000000000653C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107284723.0000000006F34000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101463436.0000000003F3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104018972.0000000005738000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101289098.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103367885.000000000513F000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102947734.0000000004D35000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103107493.0000000004F31000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3100994144.0000000003B3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103810517.0000000005531000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099208641.0000000002318000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101955475.0000000004135000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104516106.0000000005B33000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102613241.0000000004933000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107062406.0000000006D3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105012121.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103601072.000000000533C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104231085.0000000005931000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102453423.0000000004730000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106834191.0000000006B30000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105733026.0000000006339000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102294459.0000000004530000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105455567.0000000006131000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107577502.000000000713B000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099999615.0000000002CA0000.00000004.00001000.00020000.00000000.s
Source:	Binary string: wntdll.pdbUGP source: iScrPaint.exe, 00000002.00000002.2700347108.00000000098E1000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2701262061.0000000009C40000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990396766.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2989966381.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190419576.0000000004E9F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190937313.0000000005770000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: lvHost_v4.exe, 00000008.00000002.3102124081.0000000004334000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106590330.0000000006932000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104779550.0000000005D3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102784686.0000000004B38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105984046.000000000653C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107284723.0000000006F34000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101463436.0000000003F3E000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104018972.0000000005738000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101289098.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103367885.000000000513F000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102947734.0000000004D35000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103107493.0000000004F31000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3100994144.0000000003B3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103810517.0000000005531000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099208641.0000000002318000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3101955475.0000000004135000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104516106.0000000005B33000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102613241.0000000004933000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107062406.0000000006D3D000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105012121.0000000005F3A000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3103601072.000000000533C000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3104231085.0000000005931000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102453423.0000000004730000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3106834191.0000000006B30000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105733026.0000000006339000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3102294459.0000000004530000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3105455567.0000000006131000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3107577502.000000000713B000.00000004.00000001.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099999615.0000000002CA0000.00000004.00001000.00020000.0000000
Source:	Binary string: c:\Qt\WebUI2\Release\WebUI.pdb source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C326000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CBB6000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdb source: iScrPaint.exe, 00000002.00000002.2700347108.00000000098E1000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2701262061.0000000009C40000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990396766.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2989966381.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190419576.0000000004E9F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190937313.0000000005770000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

1_2_00406D5D

Source: xgxgnfo.16.dr	Static PE information: real checksum: 0x2891c5 should be: 0x292139
Source: ondkpifasfpiuy.4.dr	Static PE information: real checksum: 0x2891c5 should be: 0x292139
Source: WebUI.dll.2.dr	Static PE information: real checksum: 0x7a6eb0 should be: 0x7a4d2c
Source: WebUI.dll.1.dr	Static PE information: real checksum: 0x7a6eb0 should be: 0x7a4d2c

Source: WebUI.dll.1.dr	Static PE information: section name: .unwante
Source: WebUI.dll.2.dr	Static PE information: section name: .unwante
Source: lvHost_v4.exe.4.dr	Static PE information: section name: Shared
Source: ondkpifasfpiuy.4.dr	Static PE information: section name: .xdata
Source: ondkpifasfpiuy.4.dr	Static PE information: section name: gsiu
Source: xgxgnfo.16.dr	Static PE information: section name: .xdata
Source: xgxgnfo.16.dr	Static PE information: section name: gsiu

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_00411C20 push eax; ret	1_2_00411C4E
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6CC36120 push ecx; ret	2_2_6CC36133
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6CC27B5D push ecx; ret	2_2_6CC27B70
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Code function: 3_2_6C127B5D push ecx; ret	3_2_6C127B70
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001282D push 8B480014h; retf	8_2_0000000140012832
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014001D949 push rsp; ret	8_2_000000014001D94B
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140013D4C pushfq ; ret	8_2_0000000140013D4D
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140013DE5 pushfq ; ret	8_2_0000000140013DE6
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140013F26 pushfq ; ret	8_2_0000000140013F27
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC5597B push 0107B841h; ret	8_2_00007FF67EC55984

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	File created: C:\Users\user\AppData\Local\Temp\WebUI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	File created: C:\Users\user\AppData\Roaming\bgsystem_test\WebUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	File created: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	File created: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xgxgnfo	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xgxgnfo			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_00000001400853D4 GetPrivateProfileStringW,lstrlenW,

8_2_00000001400853D4

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\ONDKPIFASFPIUY
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\XGXGNFO

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	API/Special instruction interceptor: Address: 6C467C44
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API/Special instruction interceptor: Address: 6C467C44
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API/Special instruction interceptor: Address: 6C467945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C463B54
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API/Special instruction interceptor: Address: 6C1F7C44
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API/Special instruction interceptor: Address: 6C1F7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C1F3B54
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API/Special instruction interceptor: Address: 6C9A7C44
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API/Special instruction interceptor: Address: 6C9A7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C9A3B54

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xgxgnfo			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_2-11647

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-12181

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	API coverage: 4.0 %
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	API coverage: 1.3 %

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe TID: 6028	Thread sleep time: -37596s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe TID: 6492	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe TID: 4116	Thread sleep time: -37596s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe TID: 3676	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	1_2_0040301A
Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: 1_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	1_2_00402B79
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6C97D46D FindFirstFileW,FindClose,	2_2_6C97D46D
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,	8_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,	8_2_0000000140007628

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

8_2_000000014000D848

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Code function: 2_2_6C977613 GetSystemInfo,

2_2_6C977613

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: iScrPaint.exe, 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000009.00000002.3142233373.000000006CC18000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: l.?AVQEmulationPaintEngine@@
Source: iScrPaint.exe, 00000003.00000002.2772938017.000000006C388000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: /l.?AVQEmulationPaintEngine@@
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2772938017.000000006C388000.00000008.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3142233373.000000006CC18000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@
Source: lvHost_v4.exe, 00000008.00000002.3098687914.000000000046E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

API call chain: ExitProcess graph end node

graph_8-21034

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Code function: 2_2_6CC1B4E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_6CC1B4E4

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

1_2_00406D5D

Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6CC1B4E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6CC1B4E4
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: 2_2_6CC265B3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6CC265B3
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Code function: 3_2_6C11B4E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C11B4E4
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Code function: 8_2_00007FF67EC511B5 Sleep,exit,SetUnhandledExceptionFilter,exit,	8_2_00007FF67EC511B5

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67ECFAEEF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtOpenKeyEx: Direct from: 0x7FF67ED2AEF2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateThreadEx: Direct from: 0x7FF7E7654F47	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E765E074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF7E770E140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	NtQuerySystemInformation: Direct from: 0x6BC72560	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateThreadEx: Direct from: 0x7FF67EC54C41	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67EC5C3AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x7FF67EE99DD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF67ED0F688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF67ED92D77	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E765BC65	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	NtQuerySystemInformation: Direct from: 0x6BA42560	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67EE9D8BC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x7FF67ED0829B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF67EE9EB31
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E77619BB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E76644F6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x7FF7E7899DD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67ED09D1A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF7E78ADAAE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF7E7792D77	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtOpenKeyEx: Direct from: 0x7FF7E772AEF2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF7E76FAEEF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	NtProtectVirtualMemory: Direct from: 0x77387B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67EEADAAE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	NtProtectVirtualMemory: Direct from: 0x6C43308F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF7E770ECF3
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67ECF07BE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF7E789EB31
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtReadFile: Direct from: 0x7FF67ECFF1E9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67EC5BC65	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E789D8BC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67ED038B3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF7E76FAB03	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF7E789EB23
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF67ECFF5DD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E775E1ED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF67ED2C1DE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtReadFile: Direct from: 0x7FF7E76FF1E9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationToken: Direct from: 0x7FF67ED27F13	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtMapViewOfSection: Direct from: 0x7FF7E789D48E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67EC54AE2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	NtQuerySystemInformation: Direct from: 0x6C502560	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF67ED0E8D7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF7E789EB0F
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	NtQuerySystemInformation: Direct from: 0x6C772560	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF7E78ADB86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtReadVirtualMemory: Direct from: 0x7FF67EE999B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF67ED2BC32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67EEABBCF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF67EEA5622	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E77038B3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF67ED2B613	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67ED076A9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x7FF67EE9C496	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF67ED2BF14	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateThreadEx: Direct from: 0x7FF7E7654C41	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF67EE9C4AD
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtReadVirtualMemory: Direct from: 0x7FF7E78999B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF67ED0E140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	NtProtectVirtualMemory: Direct from: 0x6C93295C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF7E770F688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E77076A9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF67ED65AA4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF7E772C1DE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E7654AE2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E7727F13	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateThreadEx: Direct from: 0x7FF67EC54F47	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF7E789C4AD
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF7E770E8D7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationToken: Direct from: 0x7FF67ED5E1ED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x7FF7E770829B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF7E772BB00
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x7FF7E789C496	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF67EE9EB23
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7E7709D1A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF67ECFAB03	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FFEA3DE26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF67ED619BB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF7E772BF14	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF67ED0ECF3
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF7E772BC32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF7E76FF5DD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FFEA3E04B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationProcess: Direct from: 0x7FF7E76F07BE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67ED0C984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtSetInformationThread: Direct from: 0x7FF7E78ABBCF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67EE9D48E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	NtProtectVirtualMemory: Direct from: 0x6FCF2DFA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtClose: Direct from: 0x7FF67EE9EB0F
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF7E78A5622	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF67EEADB86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	NtQueryValueKey: Direct from: 0x7FF7E772B613	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe base: 3EF010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe base: 2F4010	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_000000014000BFFC CharLowerW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrcmpiW,lstrcmpW,lstrlenW,GetActiveWindow,GetTempPathW,lstrlenW,GetModuleFileNameW,CopyFileW,MessageBoxW,lstrlenW,ShellExecuteW,GetModuleFileNameW,CharLowerW,lstrlenW,

8_2_000000014000BFFC

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Process created: C:\Users\user\AppData\Local\Temp\iScrPaint.exe "C:\Users\user\AppData\Local\Temp\iScrPaint.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	Jump to behavior

Source: iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: vV5EOx0ipU.exe, 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: ProgmanU

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_0040D72E cpuid

1_2_0040D72E

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,		1_2_00401F9D
Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Code function: GetLocaleInfoA,		2_2_6CC37110

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

1_2_00401626

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_000000014000EE50 GetDlgItem,GetUserNameW,wsprintfW,GetDlgItem,SetWindowTextW,GetDlgItem,SetWindowTextW,

8_2_000000014000EE50

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Code function: 8_2_0000000140026184 GetTimeZoneInformation,

8_2_0000000140026184

Source: C:\Users\user\Desktop\vV5EOx0ipU.exe

Code function: 1_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

1_2_00404FAA

Source: C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Masquerading	11 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	Boot or Logon Initialization Scripts	212 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	212 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	4 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	146 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vV5EOx0ipU.exe	37%	ReversingLabs	Win32.Adware.RedCap

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\xgxgnfo	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WebUI.dll	13%	ReversingLabs
C:\Users\user\AppData\Local\Temp\iScrPaint.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\bgsystem_test\WebUI.dll	13%	ReversingLabs
C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://www.softwareok.de/?Download=Find.Same.Images.OK	0%	Avira URL Cloud	safe
https://plerukilo0.site/jaron-rush-documentary-debuts-monday-night-on-metro-sports	0%	Avira URL Cloud	safe
http://www.???.xx/?search=%s	0%	Avira URL Cloud	safe
https://plerukilo0.site:443/jaron-rush-documentary-debuts-monday-night-on-metro-sports?ms7qd64jdhcdp	0%	Avira URL Cloud	safe
https://plerukilo0.site:443.dllt;	0%	Avira URL Cloud	safe
https://plerukilo0.site/	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	0%	Avira URL Cloud	safe
https://stats.itopupdate.com/multi_app_new.php	0%	Avira URL Cloud	safe
https://plerukilo0.site/jaron-rush-documentary-debuts-monday-night-on-metro-sports?ms7qd64jdhcdp=4L0	0%	Avira URL Cloud	safe
http://epscd.catcert.net/crl/ec-acc.crl0.	0%	Avira URL Cloud	safe
https://plerukilo0.site:443	0%	Avira URL Cloud	safe
https://www.catcert.cat/verCIT-10	0%	Avira URL Cloud	safe
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	0%	Avira URL Cloud	safe
https://plerukilo0.site:443Q:	0%	Avira URL Cloud	safe
http://ocsp.catcert.cat0	0%	Avira URL Cloud	safe
http://www.catcert.cat/descarrega/acc.crt0#	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	0%	Avira URL Cloud	safe
https://plerukilo0.site:443/	0%	Avira URL Cloud	safe
http://www.softwareok.de	0%	Avira URL Cloud	safe
http://www.surfok.de/	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
plerukilo0.site	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stats.itopupdate.com/multi_app_new.php	vV5EOx0ipU.exe, 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/jaron-rush-documentary-debuts-monday-night-on-metro-sports	lvHost_v4.exe, 00000008.00000002.3099063854.0000000000A42000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-/W3C/DTD	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EA5000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C2C4000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CB54000.00000002.00000001.01000000.00000009.sdmp	false		high
https://plerukilo0.site:443.dllt;	lvHost_v4.exe, 00000008.00000003.3087124152.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3094364331.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3097354681.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3092450440.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3095891609.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Download=Find.Same.Images.OK	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002EA5000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C2C4000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CB54000.00000002.00000001.01000000.00000009.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	vV5EOx0ipU.exe, 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp	false		high
http://www.vmware.com/0/	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/	lvHost_v4.exe, 00000008.00000002.3098687914.00000000004B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/jaron-rush-documentary-debuts-monday-night-on-metro-sports?ms7qd64jdhcdp=4L0	lvHost_v4.exe, 00000008.00000002.3098687914.000000000050E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://epscd.catcert.net/crl/ec-acc.crl0.	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.???.xx/?search=%s	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000000.2926710967.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site:443/jaron-rush-documentary-debuts-monday-night-on-metro-sports?ms7qd64jdhcdp	lvHost_v4.exe, 00000008.00000003.3079480723.00000000004E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://epscd2.catcert.net/crl/ec-acc.crl0	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443	lvHost_v4.exe, 00000008.00000003.3094364331.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3097354681.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3092450440.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3082273805.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3095891609.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3084116335.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.catcert.cat/verCIT-10	iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443Q:	lvHost_v4.exe, 00000008.00000003.3080820458.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000000.2926710967.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443/	lvHost_v4.exe, 00000008.00000003.3087124152.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000003.3084116335.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	iScrPaint.exe, 00000002.00000002.2697973370.000000000924E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.0000000005054000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.000000000271D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.catcert.cat/descarrega/acc.crt0#	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.catcert.cat0	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2680878060.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Download=Find.Same.Images.OK	cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C1EC000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CA7C000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.surfok.de/	cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt-project.org/	vV5EOx0ipU.exe, 00000001.00000003.2662688127.0000000002855000.00000004.00000020.00020000.00000000.sdmp, iScrPaint.exe, 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp, iScrPaint.exe, 00000003.00000002.2771280269.000000006C1EC000.00000002.00000001.01000000.00000009.sdmp, iScrPaint.exe, 00000009.00000002.3139544420.000000006CA7C000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com	iScrPaint.exe, 00000002.00000002.2697973370.00000000092A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, lvHost_v4.exe, 00000008.00000000.2926710967.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, lvHost_v4.exe, 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586716
Start date and time:	2025-01-09 14:42:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vV5EOx0ipU.exe renamed because original name is a hash value
Original Sample Name:	c0aed7042e2ac3344c4ccc0bd7d5b04825538f1302074b021f80afdca8747668.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@20/15@2/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 53% Number of executed functions: 58 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: vV5EOx0ipU.exe

Simulations

Behavior and APIs

Time	Type	Description
08:44:07	API Interceptor	2x Sleep call for process: cmd.exe modified
08:44:18	API Interceptor	40x Sleep call for process: lvHost_v4.exe modified
14:44:02	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITF055.tmp
14:44:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BackupFirefox.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\lvHost_v4.exe	8Rmoal0v85.exe	Get hash	malicious	Unknown	Browse
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	9mauyKC3JW.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\iScrPaint.exe	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse
	de7s.txt.ps1	Get hash	malicious	LummaC	Browse
	ofsetvideofre.click.ps1	Get hash	malicious	LummaC	Browse
	NPKpnpi8wd.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5a28ba07

Download File

Process:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
File Type:	data
Category:	dropped
Size (bytes):	5745707
Entropy (8bit):	7.729428227492773
Encrypted:	false
SSDEEP:	98304:4Y1ahq3GSXMkFRInYBulYIEBWFT3ndlF+WF874Ct2cYpYYgB4sKLAdXxP2:SmGSXXIyu2zBe3nEK+k9+Lqt4Y
MD5:	56D7C212B5739AB6E1E8493588C4C6D7
SHA1:	FA33DB00945FBE7745190503EF9723519B2B859C
SHA-256:	617FF84AAC33912F4538E23D8CF9A5DF37EC28705E30EC17F096B1AEF580F76F
SHA-512:	A771A52CF3E5464120F722C96032C25A26E728271B462FEDD54C37AF4E1A97323E4D8289C7F24AFF43AAA3ABFCB197E4E1B598B422EFD21CF8BB2047173629CB
Malicious:	false
Preview:	..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..U^...........7..;-.. ...::..'...5,...;......3,..'...5,..$^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^...0..=?...;..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^...,.. ;..'*..7;..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^.......{..==..'1..z.......9;..&5..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..zn..di..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^

C:\Users\user\AppData\Local\Temp\7066ed96

Download File

Process:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
File Type:	data
Category:	dropped
Size (bytes):	5745707
Entropy (8bit):	7.729428174551588
Encrypted:	false
SSDEEP:	98304:HY1ahq3GSXMkFRInYBulYIEBWFT3ndlF+WF874Ct2cYpYYgB4sKLAdXxP2:nmGSXXIyu2zBe3nEK+k9+Lqt4Y
MD5:	7F704FA8167312E1154048CA4ED8AC6D
SHA1:	3C3333DEA49BC28FF36792FC9F6AB674B4C594BD
SHA-256:	0CC423E4F74D8D61E2D77AD8101E73110B85D5566F0B034401B0978B70DC51F1
SHA-512:	99D060FC893A46E0DC8DFB4FA5C5BA4B6BD7C44F2041593485D72ECE93BCB9431A6F00DBFF018983C01AE93951A12797F89F0783FB80EC4AF343FA4E2D2EC7B5
Malicious:	false
Preview:	..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..U^...........7..;-.. ...::..'...5,...;......3,..'...5,..$^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^...0..=?...;..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^...,.. ;..'*..7;..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^.......{..==..'1..z.......9;..&5..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..zn..di..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^

C:\Users\user\AppData\Local\Temp\77fafd11

Download File

Process:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
File Type:	data
Category:	dropped
Size (bytes):	5745707
Entropy (8bit):	7.729428008802699
Encrypted:	false
SSDEEP:	98304:9Y1ahq3GSXMkFRInYBulYIEBWFT3ndlF+WF874Ct2cYpYYgB4sKLAdXxP2:tmGSXXIyu2zBe3nEK+k9+Lqt4Y
MD5:	1449AC3E2D89DF3303DE847E49368A3C
SHA1:	B900BE5ADFFD790B230727C0DEDEC0EB7597DF4D
SHA-256:	89B951E267EC7C44A32C77120D763E83327510E725D67ACA3FCEC864395C7275
SHA-512:	B78700DC602F2BDFD2D406BCBF8EBCDF76CD9FA2B34F99530FBC41C4E7BBFD4915347176A634B9A9E50B74AFB5525E16F63F3D79DC4828B8E2DCE23E285805C8
Malicious:	false
Preview:	..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..U^...........7..;-.. ...::..'...5,...;......3,..'...5,..$^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^...0..=?...;..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^...,.. ;..'*..7;..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^.......{..==..'1..z.......9;..&5..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..zn..di..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^

C:\Users\user\AppData\Local\Temp\WebUI.dll

Download File

Process:	C:\Users\user\Desktop\vV5EOx0ipU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7994880
Entropy (8bit):	6.703469580004814
Encrypted:	false
SSDEEP:	196608:639zxBBmYeZ1bU8Blc/OwDlcXus9n0SJsv6tWKFdu9CZ:Ozx6YeZ1bTBlc/OwDlitJsv6tWKFdu9C
MD5:	4B208AEE511C0FFEB6BADA9615E24AF0
SHA1:	87ACCC4F47F037F7C9C4AA340D0B1ECB13D0A00F
SHA-256:	233567F86B706B7026E6B6D0C0B58AF434A925743D14DA86CD7E4FB95A7380E7
SHA-512:	6ED9DEE7B407590C5EF43D2B4163CA14AAA16004A1E4158C1CEA35D744EFAB6CA93C31EB2622C6A8C5CFCFDC290F57E0EF63608ED106A4AEE751FB319D6EF22F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uF.uF.uFs..F.uF...F..uF.c.F.uF.c.F.uF.tF..uF...F..uF...F.uF...F.uF...F.uF...F.uF...F.uFRich.uF........................PE..L...A..R...........!.....^U..@%.......J......pU...............................z......nz...@..........................vq......Tq.......t.......................t..E...wU..............................gn.@............pU.D............................text...`]U......^U................. ..`.rdata..+....pU......bU.............@..@.data...H.....q..z...lq.............@....unwanted.....t.......s.............@..@.rsrc.........t.......s.............@..@.reloc........t.......s.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bulk.iso

Download File

Process:	C:\Users\user\Desktop\vV5EOx0ipU.exe
File Type:	data
Category:	dropped
Size (bytes):	60580
Entropy (8bit):	4.548043343389377
Encrypted:	false
SSDEEP:	768:RYxlZFSbjKuvdm+o5Y1JFjngRbSOW7apXMTJMKfFDCnv86OuRSMhO05ZtYCh1O2q:Ocj3e1eMKps7Ou1htZrh1S
MD5:	759049AC234EBFBA85BED51DD876BCB4
SHA1:	C263C8334FD5C3006364BC7E7CE95DD362CC868E
SHA-256:	BE08C5A07DA545376818F317BB55BF704ECA95E7D2F503F1A462660AA9B6A904
SHA-512:	BBD090DD2A1F27179904DDD958148BE82C536F5CD25FF3032D8A98C3DC641D346F3418566827A45B0B6A9DF034747F7AA637BCA20E568395066A0F86553C8784
Malicious:	false
Preview:	...RF...MB.p..`.bk.^.e.Igy...PdD.Z....f..HV...f^e..s.L..V...`c..j....k`n..XqEQ.IIEhC.vv..c...wOwO...yX.nmvgQg.q.qNeb`.Ge...H...Vp.AQ..G.Dks.Sl....voy.....a.D.o...bDxxE.t..D..Ut..DW_.aK.Ec.ipn..[.m..PQ...B.[.X.o...J..RrRv.L..].\..s....rR....`^...[n....c.^....R]..X..Qa..M.yChlB.l......_.....QWO...Qu.p.F..^gL.Z..Js.....U.I.....C...g...Q..^..kR.AIt....Ap..e.J.JibTSl..sr.p...pe.l\T.u.v_.[..I....JORDxe...r.....Jbf\.t...JvKKQaN.XE]..r...R.v..y.\.wF`...FE^.f.po[.uXyVWLj....L.V..Ho_..A.EeZME...V.C_.p....L.St[.N..Js..OyO....F.oZ......jwds...OaHEe.ge.Fl...pn......b.oE.KH..._K....apxAem....hqSG..]..Lf.Jw.w...LYG....Mp.mp..Y....Ip.T...[qqnd....my.ARk...j....Yr.sT..Uy.X....JF...n.cw.[PJ..J.......GOmI..GF.HQWeExG..a.....qFJ.splf.].djhwV.u...t_.cTR.Owy.^jH.OH....u..QfGsv.o`.ll.k...e..wumX..yMMBd_k....bqf.`.^N.A..]o[AnJHv.K.GDE.`........f..wb.UdC.WKj.tsW...KXZU..x...rmo..^.O......U..N.b.`.NE......L.R.D.c.U..[t...O...wK..a.e...e.Ewc...J.JQQOo...e.o.T.....O......fj.oIY..q.uSu.x...Cffn.Mp.P\.r.w..OE..w.O.

C:\Users\user\AppData\Local\Temp\iScrPaint.exe

Download File

Process:	C:\Users\user\Desktop\vV5EOx0ipU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1909504
Entropy (8bit):	6.730805689885005
Encrypted:	false
SSDEEP:	49152:GpjwrP6yVgBd39sUUzFti4aTotmIT3SxLmNKbx:GpjwrP6yKTOUmi4aTo1NK9
MD5:	098AC4621EE0E855E0710710736C2955
SHA1:	CE7B88657C3449D5D05591314AAA43BD3E32BDAA
SHA-256:	46AFBF1CBD2E1B5E108C133D4079FADDC7347231B0C48566FD967A3070745E7F
SHA-512:	3042785B81BD18B641F0A2B5D8AEC8EF86F9BF1269421FB96D1DB35A913E744EAFF16D9DA7A02C8001435D59BEFB9F26BC0BBFA6E794811ABF4282ED68B185FE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Rechnung736258.pdf.lnk, Detection: malicious, Browse Filename: de7s.txt.ps1, Detection: malicious, Browse Filename: ofsetvideofre.click.ps1, Detection: malicious, Browse Filename: NPKpnpi8wd.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...s..d..................................... ....@...........................!..................@......................P....@...F......8................;......8"...................................................L...............................text............................... ..`.itext..P........................... ..`.data........ ......................@....bss.....g...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..8".......$..................@..B.rsrc...8............*..............@..@....................."..............@..@........................................................

C:\Users\user\AppData\Local\Temp\lough.log

Download File

Process:	C:\Users\user\Desktop\vV5EOx0ipU.exe
File Type:	data
Category:	dropped
Size (bytes):	4617077
Entropy (8bit):	7.960198767058773
Encrypted:	false
SSDEEP:	98304:LkDHIjqSnvbYjvvxOtX8BD1WkZmTn4Uof9XnE1hlDE:G8vAhcNcG49XnEdDE
MD5:	B94E5D29D3B971702DAA46E1DB419154
SHA1:	A62D23DDED2A6FE2351DC57434B31B0488DE8D1C
SHA-256:	5ACE4891083344F091D45BDDEB8DE52E4AD022E6041F1B146526FA70E2D44F76
SHA-512:	3EDE06F7DD3294D659E5489FF1DAD3482E0A7A8A45340D0E9387E72579E87091BEF8C091F7F6410E51ABE5F0A904C9C0AF1555543D1325C7AC3D29317A716182
Malicious:	false
Preview:	.]...F.Z...N..[.N.A..F...sr..oCg.qPN..p.B.jRMl.........p.P.....tqA.np.J._.s.HDS..y..Q....y..m..k.q..a...U.\.DE.^.\....hj.P....D.s..SyO\...^..`...Yf...H.I[.E.....V^.s\.D..V.o....EqIq...._.TA.[..B.B.P.q..j...]qc[..aIi..LUg.[...OF.w.BBA^.Pn.JX.cw[.l.e.........q.[.O...UktM\.BIvf..b..Z..LD...VRmjR..psKpO.\.duIF.X^..o.aMv...HxdlJgTK.^..S.EOb.C....UvfeVpq.Fr...U.y....ORfUIJ..A..l.`RS.[nS.....[..uWs...d..Y.P...^.....N.t.l..d.SJM..[^.Innewt....m.A..Mgc..u...pjb[NN...`.].V._Rp.TX.n.X...\o.VO.L..x.._..sg..w.e.L...f...F`aPAV.....D...KV.NOm[siu......V]....A.RD.g.....PQjh.d.k.^.M.G\....i...W.....[r...Zt...I...PlX.e....f..Oe...Md.......CmRG..e...ucx.u.J.HsVc...nX...........i...rj...CS]L.i...].SO..Fm...C...NS.[s..........h..b..gI.oWq..`.P.......M.o..J.grC..RS.QG.pR...s[.b.RC....I....oV..iGE.fW]wT...aaC..sC`.Vh.f.c..a.d..luo.jm...is.....Mr....K.......UvbY.....T.g.....qrR.d.g..O.iv...l.SN..[..Pt.VltC..p.[....vfl.or.ew......K.Sk.al.[.Q.wqx.IyhL..\..A....dJ.\.k.L.xp.B...ac.c...A.Nj...Z\Ja.Z.\W.MCUh[qJw.d`

C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8Rmoal0v85.exe, Detection: malicious, Browse Filename: cLm7ThwEvh.msi, Detection: malicious, Browse Filename: LVkAi4PBv6.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: 9mauyKC3JW.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: upgrade.hta, Detection: malicious, Browse Filename: MiJZ3z4t5K.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2648576
Entropy (8bit):	6.732410609526973
Encrypted:	false
SSDEEP:	49152:SaHV/KjMHPo5YAYW3z+z2Mf9mQea+N5nXlb73J62RBOx0j4W3+F8cI:fcjD0WCMnMs
MD5:	ACBA1EB2F3E31969467015C7D15A7657
SHA1:	D1E37796661BC41BDC89DBEEDC872025C5889889
SHA-256:	CFF6DEB6E4856A1046E624D0D178E7F706B32F588978435CD89C1F4C6AFE154E
SHA-512:	C86ED87E5F2B0BCDE86DC0AD740FF3E4AE34EB2270E2AEF6A0F08F42DC1714BAF23688ED8812E932AB3FFD5054E7B761FE17683955970E198F33A95F3358D89F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....JS..................%..V(..f..W..........@.............................P/......(...`... ...................................................... /.8.....'..j...........0/.............................@.'.(...................p................................text...(.%.......%.................`..`.data.........%.......%.............@....rdata..p.....'.......&.............@..@.pdata...j....'..l....'.............@..@.xdata...R... (..T....'.............@..@.bss....`e....(..........................idata...............J(.............@....CRT....0...../......P(.............@....tls........../......R(.............@....rsrc...8.... /......T(.............@..@.reloc.......0/......V(.............@..Bgsiu.........@/......Z(.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\seukanjejhxc

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 9 12:43:45 2025, mtime=Thu Jan 9 12:43:45 2025, atime=Sat Dec 21 11:24:54 2024, length=1909504, window=hide
Category:	dropped
Size (bytes):	916
Entropy (8bit):	4.995123071544681
Encrypted:	false
SSDEEP:	12:8NvA1B64ESPe8Chh9bY//AtQMPKjLI2G+0xWt129AjAgHZ7iwJvn92IzVmV:8m08aakPK3PGCt12KA0VB92IzVm
MD5:	EC975B9EFEB2A1DEA1E34DD2D870A491
SHA1:	6770593EC0E9BA7903E3EDB4E44CD87951DD10EB
SHA-256:	2382BAFCB1A79FC2248D2EA8305B550FAF47F0BBE1C47AB055FE853A31444C70
SHA-512:	7D2EBEA1953CF4B2E4153455FAF2BEF4C2A00EB53C5854A9FA99B132C132E3F9C3E041C88DC33BB11987BF81C9EC43BCC987E6650159FB1934FDC742A3E83EC3
Malicious:	false
Preview:	L..................F.... ...m..b....7..b.../.V.S...#........................:..DG..Yr?.D..U..k0.&...&......X..)......e.b.......b......t...CFSF..1.....EW.`..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.`)Zcm............................F.A.p.p.D.a.t.a...B.V.1.....)Zwm..Roaming.@......EW.`)Zxm..........................D.Y.R.o.a.m.i.n.g.....d.1.....)Zwm..BGSYST~1..L......)Zwm)Zxm...........................W .b.g.s.y.s.t.e.m._.t.e.s.t.....h.2..#...Y.c .ISCRPA~1.EXE..L......)Zwm)Zwm....p.........................i.S.c.r.P.a.i.n.t...e.x.e.......i...............-.......h............A.......C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe..).....\.....\.R.o.a.m.i.n.g.\.b.g.s.y.s.t.e.m._.t.e.s.t.\.i.S.c.r.P.a.i.n.t...e.x.e.`.......X.......376483...........hT..CrF.f4... .7@y.zc...,...E...hT..CrF.f4... .7@y.zc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\xgxgnfo

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2648576
Entropy (8bit):	6.732410609526973
Encrypted:	false
SSDEEP:	49152:SaHV/KjMHPo5YAYW3z+z2Mf9mQea+N5nXlb73J62RBOx0j4W3+F8cI:fcjD0WCMnMs
MD5:	ACBA1EB2F3E31969467015C7D15A7657
SHA1:	D1E37796661BC41BDC89DBEEDC872025C5889889
SHA-256:	CFF6DEB6E4856A1046E624D0D178E7F706B32F588978435CD89C1F4C6AFE154E
SHA-512:	C86ED87E5F2B0BCDE86DC0AD740FF3E4AE34EB2270E2AEF6A0F08F42DC1714BAF23688ED8812E932AB3FFD5054E7B761FE17683955970E198F33A95F3358D89F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....JS..................%..V(..f..W..........@.............................P/......(...`... ...................................................... /.8.....'..j...........0/.............................@.'.(...................p................................text...(.%.......%.................`..`.data.........%.......%.............@....rdata..p.....'.......&.............@..@.pdata...j....'..l....'.............@..@.xdata...R... (..T....'.............@..@.bss....`e....(..........................idata...............J(.............@....CRT....0...../......P(.............@....tls........../......R(.............@....rsrc...8.... /......T(.............@..@.reloc.......0/......V(.............@..Bgsiu.........@/......Z(.............@...................................................................................................................................

C:\Users\user\AppData\Roaming\bgsystem_test\WebUI.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\iScrPaint.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7994880
Entropy (8bit):	6.703469580004814
Encrypted:	false
SSDEEP:	196608:639zxBBmYeZ1bU8Blc/OwDlcXus9n0SJsv6tWKFdu9CZ:Ozx6YeZ1bTBlc/OwDlitJsv6tWKFdu9C
MD5:	4B208AEE511C0FFEB6BADA9615E24AF0
SHA1:	87ACCC4F47F037F7C9C4AA340D0B1ECB13D0A00F
SHA-256:	233567F86B706B7026E6B6D0C0B58AF434A925743D14DA86CD7E4FB95A7380E7
SHA-512:	6ED9DEE7B407590C5EF43D2B4163CA14AAA16004A1E4158C1CEA35D744EFAB6CA93C31EB2622C6A8C5CFCFDC290F57E0EF63608ED106A4AEE751FB319D6EF22F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uF.uF.uFs..F.uF...F..uF.c.F.uF.c.F.uF.tF..uF...F..uF...F.uF...F.uF...F.uF...F.uF...F.uFRich.uF........................PE..L...A..R...........!.....^U..@%.......J......pU...............................z......nz...@..........................vq......Tq.......t.......................t..E...wU..............................gn.@............pU.D............................text...`]U......^U................. ..`.rdata..+....pU......bU.............@..@.data...H.....q..z...lq.............@....unwanted.....t.......s.............@..@.rsrc.........t.......s.............@..@.reloc........t.......s.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bgsystem_test\bulk.iso

Download File

Process:	C:\Users\user\AppData\Local\Temp\iScrPaint.exe
File Type:	data
Category:	dropped
Size (bytes):	60580
Entropy (8bit):	4.548043343389377
Encrypted:	false
SSDEEP:	768:RYxlZFSbjKuvdm+o5Y1JFjngRbSOW7apXMTJMKfFDCnv86OuRSMhO05ZtYCh1O2q:Ocj3e1eMKps7Ou1htZrh1S
MD5:	759049AC234EBFBA85BED51DD876BCB4
SHA1:	C263C8334FD5C3006364BC7E7CE95DD362CC868E
SHA-256:	BE08C5A07DA545376818F317BB55BF704ECA95E7D2F503F1A462660AA9B6A904
SHA-512:	BBD090DD2A1F27179904DDD958148BE82C536F5CD25FF3032D8A98C3DC641D346F3418566827A45B0B6A9DF034747F7AA637BCA20E568395066A0F86553C8784
Malicious:	false
Preview:	...RF...MB.p..`.bk.^.e.Igy...PdD.Z....f..HV...f^e..s.L..V...`c..j....k`n..XqEQ.IIEhC.vv..c...wOwO...yX.nmvgQg.q.qNeb`.Ge...H...Vp.AQ..G.Dks.Sl....voy.....a.D.o...bDxxE.t..D..Ut..DW_.aK.Ec.ipn..[.m..PQ...B.[.X.o...J..RrRv.L..].\..s....rR....`^...[n....c.^....R]..X..Qa..M.yChlB.l......_.....QWO...Qu.p.F..^gL.Z..Js.....U.I.....C...g...Q..^..kR.AIt....Ap..e.J.JibTSl..sr.p...pe.l\T.u.v_.[..I....JORDxe...r.....Jbf\.t...JvKKQaN.XE]..r...R.v..y.\.wF`...FE^.f.po[.uXyVWLj....L.V..Ho_..A.EeZME...V.C_.p....L.St[.N..Js..OyO....F.oZ......jwds...OaHEe.ge.Fl...pn......b.oE.KH..._K....apxAem....hqSG..]..Lf.Jw.w...LYG....Mp.mp..Y....Ip.T...[qqnd....my.ARk...j....Yr.sT..Uy.X....JF...n.cw.[PJ..J.......GOmI..GF.HQWeExG..a.....qFJ.splf.].djhwV.u...t_.cTR.Owy.^jH.OH....u..QfGsv.o`.ll.k...e..wumX..yMMBd_k....bqf.`.^N.A..]o[AnJHv.K.GDE.`........f..wb.UdC.WKj.tsW...KXZU..x...rmo..^.O......U..N.b.`.NE......L.R.D.c.U..[t...O...wK..a.e...e.Ewc...J.JQQOo...e.o.T.....O......fj.oIY..q.uSu.x...Cffn.Mp.P\.r.w..OE..w.O.

C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\iScrPaint.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1909504
Entropy (8bit):	6.730805689885005
Encrypted:	false
SSDEEP:	49152:GpjwrP6yVgBd39sUUzFti4aTotmIT3SxLmNKbx:GpjwrP6yKTOUmi4aTo1NK9
MD5:	098AC4621EE0E855E0710710736C2955
SHA1:	CE7B88657C3449D5D05591314AAA43BD3E32BDAA
SHA-256:	46AFBF1CBD2E1B5E108C133D4079FADDC7347231B0C48566FD967A3070745E7F
SHA-512:	3042785B81BD18B641F0A2B5D8AEC8EF86F9BF1269421FB96D1DB35A913E744EAFF16D9DA7A02C8001435D59BEFB9F26BC0BBFA6E794811ABF4282ED68B185FE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...s..d..................................... ....@...........................!..................@......................P....@...F......8................;......8"...................................................L...............................text............................... ..`.itext..P........................... ..`.data........ ......................@....bss.....g...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..8".......$..................@..B.rsrc...8............*..............@..@....................."..............@..@........................................................

C:\Users\user\AppData\Roaming\bgsystem_test\lough.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iScrPaint.exe
File Type:	data
Category:	dropped
Size (bytes):	4617077
Entropy (8bit):	7.960198767058773
Encrypted:	false
SSDEEP:	98304:LkDHIjqSnvbYjvvxOtX8BD1WkZmTn4Uof9XnE1hlDE:G8vAhcNcG49XnEdDE
MD5:	B94E5D29D3B971702DAA46E1DB419154
SHA1:	A62D23DDED2A6FE2351DC57434B31B0488DE8D1C
SHA-256:	5ACE4891083344F091D45BDDEB8DE52E4AD022E6041F1B146526FA70E2D44F76
SHA-512:	3EDE06F7DD3294D659E5489FF1DAD3482E0A7A8A45340D0E9387E72579E87091BEF8C091F7F6410E51ABE5F0A904C9C0AF1555543D1325C7AC3D29317A716182
Malicious:	false
Preview:	.]...F.Z...N..[.N.A..F...sr..oCg.qPN..p.B.jRMl.........p.P.....tqA.np.J._.s.HDS..y..Q....y..m..k.q..a...U.\.DE.^.\....hj.P....D.s..SyO\...^..`...Yf...H.I[.E.....V^.s\.D..V.o....EqIq...._.TA.[..B.B.P.q..j...]qc[..aIi..LUg.[...OF.w.BBA^.Pn.JX.cw[.l.e.........q.[.O...UktM\.BIvf..b..Z..LD...VRmjR..psKpO.\.duIF.X^..o.aMv...HxdlJgTK.^..S.EOb.C....UvfeVpq.Fr...U.y....ORfUIJ..A..l.`RS.[nS.....[..uWs...d..Y.P...^.....N.t.l..d.SJM..[^.Innewt....m.A..Mgc..u...pjb[NN...`.].V._Rp.TX.n.X...\o.VO.L..x.._..sg..w.e.L...f...F`aPAV.....D...KV.NOm[siu......V]....A.RD.g.....PQjh.d.k.^.M.G\....i...W.....[r...Zt...I...PlX.e....f..Oe...Md.......CmRG..e...ucx.u.J.HsVc...nX...........i...rj...CS]L.i...].SO..Fm...C...NS.[s..........h..b..gI.oWq..`.P.......M.o..J.grC..RS.QG.pR...s[.b.RC....I....oV..iGE.fW]wT...aaC..sC`.Vh.f.c..a.d..luo.jm...is.....Mr....K.......UvbY.....T.g.....qrR.d.g..O.iv...l.SN..[..Pt.VltC..p.[....vfl.or.ew......K.Sk.al.[.Q.wqx.IyhL..\..A....dJ.\.k.L.xp.B...ac.c...A.Nj...Z\Ja.Z.\W.MCUh[qJw.d`

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.998248057889052
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vV5EOx0ipU.exe
File size:	7'480'499 bytes
MD5:	bdb812b2a360c206c5ab9de2acd75435
SHA1:	2c888c5ef480d02aa6a972906c29d2c498fd430a
SHA256:	c0aed7042e2ac3344c4ccc0bd7d5b04825538f1302074b021f80afdca8747668
SHA512:	7765c60c7aeff0c9530c58cf52fa8c3cb37b9435fbd9da08dface95ffb82cc118ae6f0bf1463741f9a76a66d4ccdcc798d82de9eb19360c486a30e50819fb713
SSDEEP:	196608:Vpb+BS6/kf/XRVp9J5oIV8eUFZcCdsUFzEW4NUafxRpgci71zKrJr6h9:Vpq7knTJ5os8jgksEgfNL5dEKrJ2n
TLSH:	A67633167AD3843BD313023A488A6DEAB8BCEF714700545657AB3D172EBB723E11E9D1
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@.................................R.r......................................P..........H_.................

File Icon


Icon Hash:	a9e8e8e9e8e8e8a9

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FE1FCDA09C2h
cmp dword ptr [00417710h], ebx
jne 00007FE1FCDA08AEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FE1FCDA0994h
push 00417048h
push 00417044h
call 00007FE1FCDA097Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FE1FCDA094Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x15f48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x15f48	0x16000	58c3a21bc434e97296ae9e0d1765d247	False	0.6494584517045454	data	7.1334992117723095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a280	0xaf05	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.00046869768999
RT_ICON	0x25188	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	Russian	Russia	0.2670642418516769
RT_ICON	0x293b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Russian	Russia	0.3201244813278008
RT_ICON	0x2b958	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	Russian	Russia	0.3479289940828402
RT_ICON	0x2d3c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Russian	Russia	0.3897748592870544
RT_ICON	0x2e468	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Russian	Russia	0.4389344262295082
RT_ICON	0x2edf0	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	Russian	Russia	0.45290697674418606
RT_ICON	0x2f4a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Russian	Russia	0.6338652482269503
RT_GROUP_ICON	0x2f910	0x76	data	Russian	Russia	0.7203389830508474
RT_VERSION	0x2f988	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x2fcd8	0x270	ASCII text, with very long lines (624), with no line terminators	English	United States	0.5144230769230769

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:43:52.342576981 CET	52457	53	192.168.2.12	162.159.36.2
Jan 9, 2025 14:43:52.348476887 CET	53	52457	162.159.36.2	192.168.2.12
Jan 9, 2025 14:43:52.348664045 CET	52457	53	192.168.2.12	162.159.36.2
Jan 9, 2025 14:43:52.354182005 CET	53	52457	162.159.36.2	192.168.2.12
Jan 9, 2025 14:43:52.808123112 CET	52457	53	192.168.2.12	162.159.36.2
Jan 9, 2025 14:43:52.813426971 CET	53	52457	162.159.36.2	192.168.2.12
Jan 9, 2025 14:43:52.813669920 CET	52457	53	192.168.2.12	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:43:52.341939926 CET	53	53264	162.159.36.2	192.168.2.12
Jan 9, 2025 14:43:52.817553043 CET	53	50001	1.1.1.1	192.168.2.12
Jan 9, 2025 14:44:27.158468962 CET	58883	53	192.168.2.12	1.1.1.1
Jan 9, 2025 14:44:27.167355061 CET	53	58883	1.1.1.1	192.168.2.12
Jan 9, 2025 14:45:14.092813015 CET	57834	53	192.168.2.12	1.1.1.1
Jan 9, 2025 14:45:14.102183104 CET	53	57834	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 14:44:27.158468962 CET	192.168.2.12	1.1.1.1	0x1fc5	Standard query (0)	plerukilo0.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:45:14.092813015 CET	192.168.2.12	1.1.1.1	0x6108	Standard query (0)	plerukilo0.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 14:44:27.167355061 CET	1.1.1.1	192.168.2.12	0x1fc5	Name error (3)	plerukilo0.site	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:45:14.102183104 CET	1.1.1.1	192.168.2.12	0x6108	Name error (3)	plerukilo0.site	none	none	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	08:43:41
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\vV5EOx0ipU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vV5EOx0ipU.exe"
Imagebase:	0x400000
File size:	7'480'499 bytes
MD5 hash:	BDB812B2A360C206C5AB9DE2ACD75435
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000003.2662688127.000000000268B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:43:44
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\iScrPaint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\iScrPaint.exe"
Imagebase:	0x400000
File size:	1'909'504 bytes
MD5 hash:	098AC4621EE0E855E0710710736C2955
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2697973370.00000000094EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000000.2666457888.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\iScrPaint.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:43:45
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
Imagebase:	0x400000
File size:	1'909'504 bytes
MD5 hash:	098AC4621EE0E855E0710710736C2955
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:43:47
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2990081458.000000000509D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:43:47
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:44:10
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\lvHost_v4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\lvHost_v4.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.3099430526.0000000002766000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:44:24
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe"
Imagebase:	0x400000
File size:	1'909'504 bytes
MD5 hash:	098AC4621EE0E855E0710710736C2955
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:44:24
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.3190555284.000000000523C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.3190324611.0000000003250000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:44:24
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:44:36
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe"
Imagebase:	0x400000
File size:	1'909'504 bytes
MD5 hash:	098AC4621EE0E855E0710710736C2955
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:44:37
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.3459279888.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:44:37
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:44:54
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\lvHost_v4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\lvHost_v4.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.3565366108.00000000025DC000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1474
Total number of Limit Nodes:	20

Executed Functions

Function 00404FAA Relevance: 251.9, APIs: 103, Strings: 40, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

MiscFlags, xrefs: 0040573F
Delete, xrefs: 00406352
XpA, xrefs: 00405581
FinishMessage, xrefs: 00406399
OverwriteMode, xrefs: 004056BB
amd64, xrefs: 00405FE4
nowait, xrefs: 00405F03
;!@InstallEnd@!, xrefs: 00405431
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
HelpText, xrefs: 0040595E
4DA, xrefs: 00406034
Px], xrefs: 004052E5
SetEnvironment, xrefs: 0040586E, 0040591F
GUIMode, xrefs: 004056FF
GUIFlags, xrefs: 0040571F
7-Zip SFX, xrefs: 00406490
forcenowait, xrefs: 00405F25
i386, xrefs: 00405FD1
7zSfxString%d, xrefs: 0040558F
x86, xrefs: 00405FBE
SelfDelete, xrefs: 0040577C, 0040640B
hidcon, xrefs: 00405E5E
sfxconfig, xrefs: 0040527C, 00405488
@DA, xrefs: 00405699
InstallPath, xrefs: 004059F3
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
del, xrefs: 00405F9A
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
;!@Install@!UTF-8!, xrefs: 00405436
ExecuteParameters, xrefs: 0040605D
7ZipSfx.%03x, xrefs: 00405C77
sfxversion, xrefs: 004050D6
Shortcut, xrefs: 0040632A
x64, xrefs: 00405FF7
IA, xrefs: 004055D2, 004058FB
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
shc, xrefs: 00405F7A
4AA, xrefs: 0040504C
BeginPrompt, xrefs: 00405A71

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$Px]$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-2048743833
Opcode ID: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

IA, xrefs: 0040447B
7zSfxFolder%02d, xrefs: 004044A1

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409225
IA, xrefs: 00409391

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

HKA, xrefs: 00410CE9
$KA, xrefs: 00410CF7
\KA, xrefs: 00410CE2
4KA, xrefs: 00410CF0

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000020,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 004022B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
Opcode Fuzzy Hash: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,Px],00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF
Px], xrefs: 00403565

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk$Px]
API String ID: 408529070-2818861444
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

7zSfxString%d, xrefs: 00401FF7
XpA, xrefs: 00401FB4
\3A, xrefs: 00401FDB

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4
%04X%c%04X%c, xrefs: 00401C8F

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

uxtheme, xrefs: 00406D5E
\EA, xrefs: 00406D98
SetWindowTheme, xrefs: 00406D70

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

open, xrefs: 00404C63
if exist ", xrefs: 00404BC7
:Repeat, xrefs: 00404B92
del ", xrefs: 00404B9F, 00404BA4, 00404BED
" goto Repeat, xrefs: 00404BE0
", xrefs: 00404BB9, 00404BBE, 00404C02
7ZSfx%03x.cmd, xrefs: 00404B58

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

MiscFlags, xrefs: 00404771, 00404776, 00404792
|wA, xrefs: 0040464B
ExtractPathTitle, xrefs: 00404801
ErrorTitle, xrefs: 0040467F
ExtractPathText, xrefs: 00404819
ExtractDialogWidth, xrefs: 004047BE
CancelPrompt, xrefs: 00404831
ExtractCancelText, xrefs: 004047A1
WarningTitle, xrefs: 00404697
OverwriteMode, xrefs: 00404721
ExtractTitle, xrefs: 004046AF
Progress, xrefs: 004046C7
ExtractDialogText, xrefs: 004047AD
ExtractPathWidth, xrefs: 004047E5
Title, xrefs: 00404611
GUIMode, xrefs: 004046F4
GUIFlags, xrefs: 0040473E, 00404743, 0040475F

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,76E1E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

STATIC, xrefs: 00402DDD
RichEdit20W, xrefs: 00402E8C
{\rtf, xrefs: 00402E09
riched20, xrefs: 00402E3D

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

MiscFlags, xrefs: 004032C0
SetEnvironment, xrefs: 0040326B
hAA, xrefs: 0040309E
GUIFlags, xrefs: 004032B2
{\rtf, xrefs: 004031D6, 004031EB

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,76E20E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4D9
IA, xrefs: 0040C4AF
IA, xrefs: 0040C74D
IA, xrefs: 0040C65E
IA, xrefs: 0040C66E
IA, xrefs: 0040C4C6

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

ErrorTitle, xrefs: 00408511
HelpText, xrefs: 00408598
FinishMessage, xrefs: 00408417, 00408433
SetEnvironment, xrefs: 004083BC
WarningTitle, xrefs: 0040853A
BeginPrompt, xrefs: 004084A4, 004084A9

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,76E1E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@InstallEnd@!, xrefs: 00404D73
03A, xrefs: 00404CCF
;!@Install@!UTF-8!, xrefs: 00404D59

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000290), ref: 004075CD
ResumeThread.KERNEL32(00000290), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S/, xrefs: 0040399F
%%S\, xrefs: 00403961

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M\, xrefs: 00403A1C
%%M/, xrefs: 00403A5A

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

TJA, xrefs: 0040E4A1
hJA, xrefs: 0040E49A
DJA, xrefs: 0040E4A8
xJA, xrefs: 0040E493
4JA, xrefs: 0040E4AF
$JA, xrefs: 0040E4B6

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C11B
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 00402F10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,Px],00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

Px], xrefs: 00402F16
?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@$Px]
API String ID: 1431749950-3563725403
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

Wow64DisableWow64FsRedirection, xrefs: 004021C0
kernel32, xrefs: 004021C5

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,76E1E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00404EDF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00403880: ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
Part of subcall function 00403880: ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
Part of subcall function 00403880: ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
Part of subcall function 00403880: ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Part of subcall function 0040393B: ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
Part of subcall function 0040393B: ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
Part of subcall function 0040393B: ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
Part of subcall function 0040393B: ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Part of subcall function 004039F6: ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
Part of subcall function 004039F6: ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
Part of subcall function 004039F6: ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
Part of subcall function 004039F6: ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00404F9E

Part of subcall function 00402F10: GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,Px],00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
Part of subcall function 00402F10: GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Part of subcall function 004027C7: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
Part of subcall function 004027C7: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,Px],?,00417794,?,00417788,?,?,?,?,?,?), ref: 00404F82

Strings

Px], xrefs: 00404F10, 00404F18, 00404F63

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: ??3@$Environment$Variable$ExpandStrings
String ID: Px]
API String ID: 2352103411-1640048917
Opcode ID: 23aa743563bdf204dfaa2000382405d6fd06a32ce5dc3ae18421ac109a8763f0
Instruction ID: 5029ffa206f344f8a73b48d155bf74a85afcc1550fc664b48d157c037572b74a
Opcode Fuzzy Hash: 23aa743563bdf204dfaa2000382405d6fd06a32ce5dc3ae18421ac109a8763f0
Instruction Fuzzy Hash: 502112B1D0410E7ACF00EBE5DC86CDF7BBCEA44709B40457BBA10B3092D678A6459BA8

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000001.00000002.2708242191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2708226028.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708263118.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708279136.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2708305725.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_vV5EOx0ipU.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Analysis Process: iScrPaint.exePID: 6776, Parent PID: 6404COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	1542
Total number of Limit Nodes:	15

Executed Functions

Function 6C7721CB Relevance: 10.8, APIs: 7, Instructions: 318
memoryfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 6C7721EA
LocalAlloc.KERNELBASE(6C921F05,?), ref: 6C772242
CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000), ref: 6C772327
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 6C77239E
LoadLibraryA.KERNELBASE(?), ref: 6C772458
VirtualProtect.KERNELBASE(?,?,00000001,?), ref: 6C7724C9
VirtualProtect.KERNELBASE(?,?,?,?), ref: 6C7724F0

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: FileProtectVirtual$AllocCreateHandleLibraryLoadLocalModuleRead
String ID:
API String ID: 1028030788-0
Opcode ID: 05bc1005d9a7a71d15a7eb900e4d62e01fefbeaa5ebc941a13375332998bf681
Instruction ID: 2dcc1074f4a9f7c8d12fb6f6049d2707f996db463fa0fe502b64429c7295d11a
Opcode Fuzzy Hash: 05bc1005d9a7a71d15a7eb900e4d62e01fefbeaa5ebc941a13375332998bf681
Instruction Fuzzy Hash: 53E18BB5A00248DFCB58CFA8C994A9E7BB5BF88304F248259FD2987355D731E945CFA0

Non-executed Functions

Function 6CC1B4E4 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 6CC2692C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CC26941
UnhandledExceptionFilter.KERNEL32(6CDF08B4), ref: 6CC2694C
GetCurrentProcess.KERNEL32(C0000409), ref: 6CC26968
TerminateProcess.KERNEL32(00000000), ref: 6CC2696F

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0aa11fd2feef42192829d16dcca317d581cdbd4ba9a2fbeec0c104bc5065872b
Instruction ID: 10c1a719af6da97be7144bbfb9532381cda828f5ed653ce1ef1671e7d5119726
Opcode Fuzzy Hash: 0aa11fd2feef42192829d16dcca317d581cdbd4ba9a2fbeec0c104bc5065872b
Instruction Fuzzy Hash: BB21FFB8B11205CFCF51DF25D684A647BB5FB0A314F10546AE409E7F90E7B09A80CF69

Function 6C97E72A Relevance: 4.7, APIs: 3, Instructions: 217fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,00000008,00000007,00000000,00000003,02200000,00000000), ref: 6C97E764
DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,00000040,00000000), ref: 6C97E7B1
CloseHandle.KERNEL32(000000FF,00010000,00000001,00000000,00000000,00000008,00000007,00000000,00000003,02200000,00000000), ref: 6C97E86E

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a52d959dff912986fb20e584fcbeddc23a72aa29658f107f4da29d03a8004f6f
Instruction ID: 873501d38581b81b91b4b0fcb12a6595e378bb5064787471b70dbf4b291fa028
Opcode Fuzzy Hash: a52d959dff912986fb20e584fcbeddc23a72aa29658f107f4da29d03a8004f6f
Instruction Fuzzy Hash: EB719571911104AFDB15DBA9CC81DEEB7BCEF15318F100299F152E7AA0EB34DA48DBA0

Function 6C977613 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,6C9504FB,00000004), ref: 6C97761D

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 942ac2bb0e7b2143cc17d233f7c2176543147785e36ab9be803eca66eca40177
Instruction ID: ce0f66c24dc9ce01cafe28fd83d32e425ba4a24f479e155558217643e5b4bb23
Opcode Fuzzy Hash: 942ac2bb0e7b2143cc17d233f7c2176543147785e36ab9be803eca66eca40177
Instruction Fuzzy Hash: 7FB092B090820E97CA00E6EA99968CEB3FCAA08208B400461D511A3A40F660F94E8BA1

Function 6C97E49A Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000001,00000004,00000000,00000000,00000000), ref: 6C97E566
OpenProcessToken.ADVAPI32(00000000,00000008,00000004,00000000,00000001,00000004,00000000,00000000,00000000), ref: 6C97E57C
GetTokenInformation.ADVAPI32(00000004,00000001(TokenIntegrityLevel),00000000,00000000,6CD80168,00000000,00000008,00000004,00000000,00000001,00000004,00000000,00000000,00000000), ref: 6C97E597
GetTokenInformation.ADVAPI32(00000004,00000001(TokenIntegrityLevel),00000000,6CD80168,6CD80168,00000000,00000004,TokenIntegrityLevel,00000000,00000000,6CD80168,00000000,00000008,00000004,00000000,00000001), ref: 6C97E5BA
GetLengthSid.ADVAPI32(00000000,00000004,TokenIntegrityLevel,00000000,6CD80168,6CD80168,00000000,00000004,TokenIntegrityLevel,00000000,00000000,6CD80168,00000000,00000008,00000004,00000000), ref: 6C97E5C6
CopySid.ADVAPI32(?,00000000,00000000,00000000,00000004,TokenIntegrityLevel,00000000,6CD80168,6CD80168,00000000,00000004,TokenIntegrityLevel,00000000,00000000,6CD80168,00000000), ref: 6C97E5DF
CloseHandle.KERNEL32(00000004,00000004,TokenIntegrityLevel,00000000,00000000,6CD80168,00000000,00000008,00000004,00000000,00000001,00000004,00000000,00000000,00000000), ref: 6C97E604

Strings

GetVolumePathNamesForVolumeNameW, xrefs: 6C97E6EE
GetNamedSecurityInfoW, xrefs: 6C97E511
GetEffectiveRightsFromAclW, xrefs: 6C97E542
BuildTrusteeWithSidW, xrefs: 6C97E530
GetUserProfileDirectoryW, xrefs: 6C97E69A
LookupAccountSidW, xrefs: 6C97E51E
AllocateAndInitializeSid, xrefs: 6C97E609

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: Token$InformationProcess$CloseCopyCurrentHandleLengthOpen
String ID: AllocateAndInitializeSid$BuildTrusteeWithSidW$GetEffectiveRightsFromAclW$GetNamedSecurityInfoW$GetUserProfileDirectoryW$GetVolumePathNamesForVolumeNameW$LookupAccountSidW
API String ID: 822300113-2386193802
Opcode ID: fb279e7fc72dae361bd1b1a7e8bcc92bd4a9041c747cbc003ea1d67c8a25fbed
Instruction ID: 7ba919776214ebb3ae8a51e3001f3ae00aff16d8e85eeed784c237ba2ccb9b3e
Opcode Fuzzy Hash: fb279e7fc72dae361bd1b1a7e8bcc92bd4a9041c747cbc003ea1d67c8a25fbed
Instruction Fuzzy Hash: B371D472803248AEDF05DBE4CE989FD7B78AF15358F10015AE11173A90EB349A4DCB64

Function 6C9504ED Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C977613: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,6C9504FB,00000004), ref: 6C97761D

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C950561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9505A4

Part of subcall function 6C98B3E5: WaitForSingleObject.KERNEL32(?,00000000,00000004,6C9505EA,000000FF,00000000,00000000,00000004,?,?,?,?,?,?,?,6C950732), ref: 6C98B406

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C950637
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C95069B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9506BB

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InfoObjectSingleSystemWait
String ID:
API String ID: 3021801052-0
Opcode ID: f76c41796b7a6b0b11e941f8870cca06adc2ca22d5b603c515ef333db7904032
Instruction ID: a4977ca27e1148dbb248ec74181bf0147dbee3da54d5c98cf505c764b75dec82
Opcode Fuzzy Hash: f76c41796b7a6b0b11e941f8870cca06adc2ca22d5b603c515ef333db7904032
Instruction Fuzzy Hash: 9F613CB1A002199FDB24CFA5D881AEEB7F9BF58318F10452EE515E7B80DB30E9458F50

Function 6C97D33F Relevance: 6.1, APIs: 4, Instructions: 114
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(6CDF05D0,00000000,00000001,6CDF0560,?,08000000,00000004,00000000), ref: 6C97D374
CoInitialize.OLE32 ref: 6C97D385
CoCreateInstance.OLE32(6CDF05D0,00000000,00000001,6CDF0560,?), ref: 6C97D393
CoUninitialize.OLE32(6CDF0560,?,08000000,00000004,00000000), ref: 6C97D463

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: CreateInstance$InitializeUninitialize
String ID:
API String ID: 1701838895-0
Opcode ID: d5a144eae8ba8102c3453d92f6c0dd6af90baaeeb18b00f8b0361d7ec913033c
Instruction ID: 55f66f28f9870b1c53708af517e0cb06c5b67ea3b3aaa38a1ff1d1d4fc615b4b
Opcode Fuzzy Hash: d5a144eae8ba8102c3453d92f6c0dd6af90baaeeb18b00f8b0361d7ec913033c
Instruction Fuzzy Hash: 19418071901248AFDB00CBA8CC84EDEB7BCAF55318F004599F525E7BA0DB31A949CB60

Function 6CC2D8E5 Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 6CC2D8F1

Part of subcall function 6CC26D22: __amsg_exit.LIBCMT ref: 6CC26D32

__amsg_exit.LIBCMT ref: 6CC2D911
InterlockedDecrement.KERNEL32(?), ref: 6CC2D93E
InterlockedIncrement.KERNEL32(024E2808), ref: 6CC2D969

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd
String ID:
API String ID: 2662827482-0
Opcode ID: 281ac685035a7b14fad8f6f414480fc2e59289fd796718a248821925e583d2eb
Instruction ID: 257b3c13179689352ee9f9ea3666b808d46b2a2539b2a46aa858a43b8cd1885f
Opcode Fuzzy Hash: 281ac685035a7b14fad8f6f414480fc2e59289fd796718a248821925e583d2eb
Instruction Fuzzy Hash: 90016D32E056159BCB21AF698445B9977B0BF16728F200146F814A7A80EF38AA45EBD1

Function 6CC1E3BB Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___sbh_find_block.LIBCMT ref: 6CC1E3E4
___sbh_free_block.LIBCMT ref: 6CC1E3F3
HeapFree.KERNEL32(00000000,00000208,6CE84948,Function_004AE3BB,6CC1E083,00000208,6CE84908,Function_004AE055,6C950D5A,00000000,00000208,00000000,?,00000000,?,00000105), ref: 6CC1E423
GetLastError.KERNEL32 ref: 6CC1E434

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 4b52a80e5c62c4f98c35a06934ce0096109b7cd4174a74b1efea2248a8f7f401
Instruction ID: 46ea8f8601eda04a7e64af1efeaf23ab7c515f862d3ef3726bd4cf71db87015c
Opcode Fuzzy Hash: 4b52a80e5c62c4f98c35a06934ce0096109b7cd4174a74b1efea2248a8f7f401
Instruction Fuzzy Hash: 5B0167319092169ADF109BB3DC0D78D3774EF02729F54451DE414E6E80FB389544BB95

Function 6C7718E8 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QStringCreate.WEBUI(?,?,?,6C771AD2,00000000,webkitcreate,?), ref: 6C7718F1
QStringSet.WEBUI(00000000,?,?,?,?,6C771AD2,00000000,webkitcreate,?), ref: 6C7718FD

Part of subcall function 6C771338: __EH_prolog3.LIBCMT ref: 6C77133F

QStringCreate.WEBUI(00000000,?,?,?,?,6C771AD2,00000000,webkitcreate,?), ref: 6C771902
QStringSet.WEBUI(00000000,00000000,00000000,?,?,?,?,6C771AD2,00000000,webkitcreate,?), ref: 6C77190C

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: String$Create$H_prolog3
String ID:
API String ID: 3317808019-0
Opcode ID: 41c36625daddd9fcc9ea73059fc412f6f277c4e1b5fc4c204e455b60cc4c75ab
Instruction ID: 81a97c2dbdbc949f77488c97f9c4791a43706b905bcdba2c65836f2cef371229
Opcode Fuzzy Hash: 41c36625daddd9fcc9ea73059fc412f6f277c4e1b5fc4c204e455b60cc4c75ab
Instruction Fuzzy Hash: AFE0CD722002087BDF211BA04D9DFFF766CDFD5A59F000419F64466F408714CC196776

Function 6C952942 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getenv.LIBCMT ref: 6C9529EF

Part of subcall function 6C950CDD: GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 6C950CF6

LoadLibraryW.KERNEL32(00000000,6C96DAFC,?,00000001,00000000,00000000,?,00000000), ref: 6C952B0D

Strings

PATH, xrefs: 6C9529EA

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: FileLibraryLoadModuleName_getenv
String ID: PATH
API String ID: 44517052-1036084923
Opcode ID: 0b07390100a701bb1647b711e2e62c654cac7be9b76be61029c3fb58b75ab05a
Instruction ID: 2fd1bcd28bf43ba3c9f93ada4f9b705e5c7a608dd50adab6e7ee4cd31f799e01
Opcode Fuzzy Hash: 0b07390100a701bb1647b711e2e62c654cac7be9b76be61029c3fb58b75ab05a
Instruction Fuzzy Hash: 17819F71900109AFCF05CF98D994DEEB7B8AF25329F550069E416A77A0DB34DE58CFA0

Function 6C96DB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C96DAAB: QueryPerformanceFrequency.KERNEL32(6C96DBD2,GetTickCount64,00000001,00000004,6C950516,?,?,?,6C96DBD2,00000004), ref: 6C96DB16

QueryPerformanceCounter.KERNEL32(6C950516,?,?,?,6C96DBD2,00000004,6C950516,00000004,?,?,?,?,?,?,?,6C950732), ref: 6C96DB6E

Strings

QueryPerformanceCounter failed, although QueryPerformanceFrequency succeeded., xrefs: 6C96DB7F

Memory Dump Source

Source File: 00000002.00000002.2702449853.000000006C771000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C770000, based on PE: true

Associated: 00000002.00000002.2702390667.000000006C770000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CCC7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CDB8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2706010171.000000006CE07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707247108.000000006CE88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707284677.000000006CE8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707310668.000000006CE8F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707355574.000000006CE9A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707389691.000000006CE9C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707467551.000000006CEB2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707513049.000000006CEB7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2707538818.000000006CEBA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c770000_iScrPaint.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID: QueryPerformanceCounter failed, although QueryPerformanceFrequency succeeded.
API String ID: 774501991-4065940233
Opcode ID: 96b0fab153d13e8d256e2f914cf95b2b44eae1f113f7a27eb3884d8bb3611d0b
Instruction ID: 5b4676cbdedf423cd92504795e770d02bffcf3446482384a2d8bb41ad7af317c
Opcode Fuzzy Hash: 96b0fab153d13e8d256e2f914cf95b2b44eae1f113f7a27eb3884d8bb3611d0b
Instruction Fuzzy Hash: DF01A433705145ABFF04DBB2D940A6A33BDAB8724CF308559C815D6FC8EBB0D5448B54

Analysis Process: iScrPaint.exePID: 5992, Parent PID: 6776COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Non-executed Functions

Function 6C11B4E4 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 6C12692C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C126941
UnhandledExceptionFilter.KERNEL32(6C2F08B4), ref: 6C12694C
GetCurrentProcess.KERNEL32(C0000409), ref: 6C126968
TerminateProcess.KERNEL32(00000000), ref: 6C12696F

Memory Dump Source

Source File: 00000003.00000002.2765253542.000000006C0C6000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BC70000, based on PE: true

Associated: 00000003.00000002.2765232826.000000006BC70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BC71000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BCB3000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BCD2000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BD09000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BD2F000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BD64000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BD87000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BDA8000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BDD7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BE30000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BE7A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BEA0000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BEA6000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BEA8000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BEAE000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BED4000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BED7000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BEFB000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF00000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF08000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF0A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF0D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF19000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF1C000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF1E000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF5D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BF7F000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BFDD000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BFEF000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BFF9000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006BFFF000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C018000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C021000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C024000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C05A000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C066000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C08E000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C093000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C095000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C145000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C147000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C14F000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2765253542.000000006C15B000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C1C7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C1C9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C1D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C1EC000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C223000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C227000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C268000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C26F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C272000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C27F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C287000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C2B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C2C4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C2FB000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C2FD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C30A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C317000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2771280269.000000006C326000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2772938017.000000006C388000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2772987378.000000006C38D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2773030675.000000006C38F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2773093774.000000006C39A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2773134800.000000006C39C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2773262101.000000006C3B2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2773326240.000000006C3B7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2773437610.000000006C3BA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc70000_iScrPaint.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3c0e3ca484a3955501b80fc4e73916e2fd32bd651e3184e344e95854ab9584ab
Instruction ID: fbf1b234037a31f822e4332a9400bfd321a41c96ed9cf9fd5cd88ce191c2b6f4
Opcode Fuzzy Hash: 3c0e3ca484a3955501b80fc4e73916e2fd32bd651e3184e344e95854ab9584ab
Instruction Fuzzy Hash: EB21AEB8B152089FDF41DF65C484A447BB8FB2B314F10545AE409DBB90E7B89A81CFA9

Analysis Process: lvHost_v4.exePID: 5640, Parent PID: 5768COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	34.8%
Signature Coverage:	2.8%
Total number of Nodes:	287
Total number of Limit Nodes:	3

Executed Functions

Function 000000014011FF38 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000014011FF77
malloc.MSVCRT ref: 000000014011FFAB

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateFilemalloc
String ID:
API String ID: 3010914732-0
Opcode ID: 08291fb8f84a33b773d04131f42d1229c88b2589c06dea98ea13bb42374a242d
Instruction ID: 2d00926db45b5a94333cbffaf12b2d1fc501933b49b87ad3f4aa4d041c57759c
Opcode Fuzzy Hash: 08291fb8f84a33b773d04131f42d1229c88b2589c06dea98ea13bb42374a242d
Instruction Fuzzy Hash: F921C536218B8482D761DF16E44475EBBB1F3C9B94F204219EB9D47BA8DF7AD4449B00

Function 00007FF67EC511B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

exit.MSVCRT ref: 00007FF67EC51257
exit.MSVCRT ref: 00007FF67EC51333

Strings

0, xrefs: 00007FF67EC511C5

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: exit
String ID: 0
API String ID: 2483651598-4108050209
Opcode ID: 47e819206137d4ac6da146edce70c4bdf60c26c5c5ff5ac6bc07e642c1bb8936
Instruction ID: 2422e7d3a050729c6e1325b92cd86316ff6224cca000b40a1c792cca32cb44a5
Opcode Fuzzy Hash: 47e819206137d4ac6da146edce70c4bdf60c26c5c5ff5ac6bc07e642c1bb8936
Instruction Fuzzy Hash: 7241C67AB24B1689FB008B95E88436837B0BB94B98F504835EE1DD77A4CFBCD8448740

Function 00007FF67EC5C070 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pqC=, xrefs: 00007FF67EC5C2EC

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID:
String ID: pqC=
API String ID: 0-2624859440
Opcode ID: 1a67f2e54d72da71d6003820c9f4e5abcec1c6741b6053d53ce0b2fb158ffd53
Instruction ID: 92efe3665d8568ff8609e6be986c692dbd9abb2acd7015b9add6df38bd0a9f85
Opcode Fuzzy Hash: 1a67f2e54d72da71d6003820c9f4e5abcec1c6741b6053d53ce0b2fb158ffd53
Instruction Fuzzy Hash: 78810977F2464189FB08CBB598526BD27B1A7A47A4F20463AEE3ED77D4CE2CD1918700

Function 00007FF67EC5BC43 Relevance: 1.5, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF67EC5BC60

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: b8b41f4fd6ca89d32c12c971d407b76c3aa693578191e34d7ff83a2474acf318
Instruction ID: 916821de92ac54db2f24456a3d1b468db46d670b977ad675d4bea8f240fb5a01
Opcode Fuzzy Hash: b8b41f4fd6ca89d32c12c971d407b76c3aa693578191e34d7ff83a2474acf318
Instruction Fuzzy Hash: 298127E7B28B4542EC04C6F768717B66662AB66BF0E209735FE3E9B3D9CE1C91014600

Function 000000014011D758 Relevance: 6.1, APIs: 4, Instructions: 65
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140123371), ref: 000000014011D7A1

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fa702a1818ffb6b8e9e1b8e5fb94fe68093c190d33758d34eb9046929484e72f
Instruction ID: a872d6ac15e49e81bcb6e402cc2fdf8fedc509efffe6e503cca0c791e6531545
Opcode Fuzzy Hash: fa702a1818ffb6b8e9e1b8e5fb94fe68093c190d33758d34eb9046929484e72f
Instruction Fuzzy Hash: B3319336608B4487EB60CF2AE49435EBBB4F7C9B94F604115EB9947BA8DF39C5458F00

Function 000000014011FE28 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000014011FE6D
CreateFileMappingW.KERNELBASE ref: 000000014011FECC
MapViewOfFile.KERNELBASE ref: 000000014011FEEE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: File$Create$MappingView
String ID:
API String ID: 1299149932-0
Opcode ID: adc7ce85746f15b18e302e3d6d9fbbf35a76bdbe9ac71d6ff60923e7ba8727e8
Instruction ID: 820315da7b4020408db1b1cc614476c0a1407536e4ab1f95ad091a2a37da56bc
Opcode Fuzzy Hash: adc7ce85746f15b18e302e3d6d9fbbf35a76bdbe9ac71d6ff60923e7ba8727e8
Instruction Fuzzy Hash: 1621A376218B8082EBA0DB56F45575EBBA0F3C9B84F209115EBCD87B68DF7DC4598B00

Function 00007FF67EEAD850 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF67EEADAAC

Strings

@, xrefs: 00007FF67EEADA1B

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 1ee2fb690ed4846a8645586928a4fbdb26446c2100cce16632af6ccc271c9d34
Instruction ID: e1c751916c0ad6935b42b991e861dec1bee79d2819ee9a60d193d924cc249960
Opcode Fuzzy Hash: 1ee2fb690ed4846a8645586928a4fbdb26446c2100cce16632af6ccc271c9d34
Instruction Fuzzy Hash: 7D6126A3F157498BEB54CB55D5852A833B1FB68B88B148835EA1DC7714EF3CEA45D300

Function 00007FF67EC54BB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67EC54AC0: VirtualAlloc.KERNEL32 ref: 00007FF67EC54ADC

CreateThread.KERNELBASE ref: 00007FF67EC54C3F

Strings

%[<, xrefs: 00007FF67EC54D3E

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: AllocCreateThreadVirtual
String ID: %[<
API String ID: 3065189322-2541391821
Opcode ID: 21758bb11c112705ee1ec073bcbb7c9faf1ce1bfa67398d85c94dd84d3e4a1a2
Instruction ID: d2f0bbf958ba2b391c189b5c78c3331b41c904eec8f029f37617c37de103aba9
Opcode Fuzzy Hash: 21758bb11c112705ee1ec073bcbb7c9faf1ce1bfa67398d85c94dd84d3e4a1a2
Instruction Fuzzy Hash: 6541C037A28B4186D748CF28E84026A77B1FBA5744F60463AFA8ECB764DF7CD4498740

Function 000000014011D934 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 000000014011D93C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 8aa76fb0e6ea81a43412a6e4ce3e67ee4a0c44f8450056c290c247b20c5f490d
Instruction ID: 3d613ac56ecaa76a4e7d91ee78244c06fa0071a276e7ba6f2ac5590dae2c62da
Opcode Fuzzy Hash: 8aa76fb0e6ea81a43412a6e4ce3e67ee4a0c44f8450056c290c247b20c5f490d
Instruction Fuzzy Hash: 3931B272218A848AC774CB29E48075EB7A1F7CCB58F444216E6CE87B69DA3CCA45CF04

Function 00007FF67EEADACC Relevance: 1.6, APIs: 1, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,00007FF67EEADFAD,?,?,?,?,?,00007FF67EC512E5), ref: 00007FF67EEADB84

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 131621e4005552d7fd18f5b1666d2410f6c071a6ab3073cbc9e42cd67da8f2f7
Instruction ID: 6697c2d00150f2f33c05fd96dae5cc26bc89f6848d6fa9dfb25fa428989d8208
Opcode Fuzzy Hash: 131621e4005552d7fd18f5b1666d2410f6c071a6ab3073cbc9e42cd67da8f2f7
Instruction Fuzzy Hash: DC113DA3F1534A8BEF04CB65E58627863A1ABA8BC5B158435EE1DC7714EE2CEB059700

Function 00007FF67EC54EC4 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67EC54AC0: VirtualAlloc.KERNEL32 ref: 00007FF67EC54ADC

CreateThread.KERNELBASE ref: 00007FF67EC54F45

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: AllocCreateThreadVirtual
String ID:
API String ID: 3065189322-0
Opcode ID: 6a058c7e5b27de97289d6ee5a90bff0a7e69e95256b4b8ade4ef7c58a6fcd866
Instruction ID: 81283adeb7ab29316cac5299403e6e0e046d7e3c6b89e0b0195cd7bd8c8f306f
Opcode Fuzzy Hash: 6a058c7e5b27de97289d6ee5a90bff0a7e69e95256b4b8ade4ef7c58a6fcd866
Instruction Fuzzy Hash: 6C212A36629B4586D7408B58E8403A977B4FB98B48F604635FA8E87764DF7CC15AC740

Function 000000014011F888 Relevance: 1.5, APIs: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000014011F8F3

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 3f1eb1290eb503b2145d9c0e382a8b9ab882b585fb38e67f0ecac83848e7f568
Instruction ID: 561e48d5a86c5783f5dc688081665245eb1983b796079a5d4baa60a9d0ab499f
Opcode Fuzzy Hash: 3f1eb1290eb503b2145d9c0e382a8b9ab882b585fb38e67f0ecac83848e7f568
Instruction Fuzzy Hash: 84119736604B4886DA44DB0AE48025E77B4F3D9B80F614026EF8D57B68DF3AC946DB40

Function 0000000140120018 Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE ref: 0000000140120074

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5fdda1b636b50f9fc504353daad9641b4c9c534a50ade388255728a4b60dc926
Instruction ID: d573d171b4691707fc38c9ddb05e420b9f30bf651de66fe43147e61a49fc26ed
Opcode Fuzzy Hash: 5fdda1b636b50f9fc504353daad9641b4c9c534a50ade388255728a4b60dc926
Instruction Fuzzy Hash: AF01D672218B88C2E6219B16E45436EB7B0F3CDB88F504625EBCD47B69CF3DC9448B04

Function 00007FF67EC5C37A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF67EC5C3A6

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 8987f05d07c6f91804d3ea28e0450f3a33fec2cb30592d01f9fe987dc296c81a
Instruction ID: c43acd54e646aed246190f344c2b995fff6746ce9e0a622b4d2d5316f94c3a7d
Opcode Fuzzy Hash: 8987f05d07c6f91804d3ea28e0450f3a33fec2cb30592d01f9fe987dc296c81a
Instruction Fuzzy Hash: 54F0807A52CB8581DA50DB45F48046EB7B4FBE9BD0F601425FA8E87B29CF7CD0948B40

Function 00007FF67ED92D00 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00007FF67ED93FBC), ref: 00007FF67ED92D75

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 759ac02cd1155738cbb2816376f03f5343e83c8cfe163886f608533154076069
Instruction ID: 28fd32f6bafbadcd69a0622a5f9bedb7bb92ffd82969621a0606cd72da971be8
Opcode Fuzzy Hash: 759ac02cd1155738cbb2816376f03f5343e83c8cfe163886f608533154076069
Instruction Fuzzy Hash: 6BF06237B3EB4582DA90C705F49116AB7A0F798784F405531FA8F83764EE6CD0448B40

Function 00000001401209F8 Relevance: 1.3, APIs: 1, Instructions: 86memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,0000000140120B85), ref: 0000000140120A36

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6bcd8b487a366c1c59843c47b777b3e1da3161276deb4923ee1d31ae147b4254
Instruction ID: 666a9bba36a8258ab6c1abd1cc1a10056bbc9ec2a7f906673a408a3f03c71112
Opcode Fuzzy Hash: 6bcd8b487a366c1c59843c47b777b3e1da3161276deb4923ee1d31ae147b4254
Instruction Fuzzy Hash: A541B776219B8486DB61CF0AE08075EBBA0F388F94F405156EB8E97B69DB79C545CB00

Function 00007FF67EC54AC0 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF67EC54ADC

Memory Dump Source

Source File: 00000008.00000002.3108844767.00007FF67EC51000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67EC50000, based on PE: true

Associated: 00000008.00000002.3108809846.00007FF67EC50000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109060685.00007FF67EEAF000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109095782.00007FF67EEC0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EED8000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EEDC000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109124713.00007FF67EF3E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109216692.00007FF67EF42000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.3109242748.00007FF67EF44000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff67ec50000_lvHost_v4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aa109c9e8b356161c3d06490bd9e554d9ed1f16f4d6a7cbfcb837ab162aa4fd9
Instruction ID: 846e3d957378f9cd08252d00d0a76ef6162a60b2d65a81069600ba2a716c9229
Opcode Fuzzy Hash: aa109c9e8b356161c3d06490bd9e554d9ed1f16f4d6a7cbfcb837ab162aa4fd9
Instruction Fuzzy Hash: 90012837729B8586DB60CB55F45022AA7E0FB89B84F200534FA8ECBB58EE3DC1508B00

Non-executed Functions

Function 000000014000E214 Relevance: 75.6, APIs: 38, Strings: 5, Instructions: 343windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014000E247

Part of subcall function 000000014000204C: GetWindowLongW.USER32 ref: 0000000140002069
Part of subcall function 000000014000204C: GetParent.USER32 ref: 000000014000207F
Part of subcall function 000000014000204C: GetWindowRect.USER32 ref: 000000014000209D
Part of subcall function 000000014000204C: GetWindowLongW.USER32 ref: 00000001400020B6
Part of subcall function 000000014000204C: SystemParametersInfoW.USER32 ref: 00000001400020D7
Part of subcall function 000000014000204C: SetWindowPos.USER32 ref: 00000001400021DE

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

GetDlgItem.USER32 ref: 000000014000E3A0
SetWindowTextW.USER32 ref: 000000014000E3AC
GetDlgItem.USER32 ref: 000000014000E3B8
SetWindowTextW.USER32 ref: 000000014000E3CC
GetDlgItem.USER32 ref: 000000014000E42D
EnableWindow.USER32 ref: 000000014000E439
GetDlgItem.USER32 ref: 000000014000E45A
EnableWindow.USER32 ref: 000000014000E465
GetWindowLongW.USER32 ref: 000000014000E476
SetWindowLongW.USER32 ref: 000000014000E48F
GetDlgItem.USER32 ref: 000000014000E4A5
EnableWindow.USER32 ref: 000000014000E4B0
GetDlgItem.USER32 ref: 000000014000E4BF
EnableWindow.USER32 ref: 000000014000E4CA
GetDlgItem.USER32 ref: 000000014000E4D7
EnableWindow.USER32 ref: 000000014000E4E3
SendMessageW.USER32 ref: 000000014000E57C
SendMessageW.USER32 ref: 000000014000E59A
SendMessageW.USER32 ref: 000000014000E5B0
SendMessageW.USER32 ref: 000000014000E5C6
GetDlgItem.USER32 ref: 000000014000E5DC
GetWindowRect.USER32 ref: 000000014000E601
SendMessageW.USER32 ref: 000000014000E615
ScreenToClient.USER32 ref: 000000014000E624
ScreenToClient.USER32 ref: 000000014000E638

Part of subcall function 0000000140105E24: SendMessageW.USER32 ref: 0000000140105E5F
Part of subcall function 0000000140105E24: SendMessageW.USER32 ref: 0000000140105E7D

SetWindowPos.USER32 ref: 000000014000E690
SendMessageW.USER32 ref: 000000014000E6A4
SendMessageW.USER32 ref: 000000014000E6B8
SendMessageW.USER32 ref: 000000014000E6CC
GetSystemMetrics.USER32 ref: 000000014000E6DE
GetSystemMetrics.USER32 ref: 000000014000E6EB
LoadImageW.USER32 ref: 000000014000E70B
SendMessageW.USER32 ref: 000000014000E71D
GetSystemMetrics.USER32 ref: 000000014000E72D
GetSystemMetrics.USER32 ref: 000000014000E738
LoadImageW.USER32 ref: 000000014000E753
SendMessageW.USER32 ref: 000000014000E765

Strings

LZDE, xrefs: 000000014000E2CE
LZEN, xrefs: 000000014000E26A
lng, xrefs: 000000014000E512
LZIT, xrefs: 000000014000E32E
Lizenz, xrefs: 000000014000E3D9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$MessageSend$Item$EnableSystem$LongMetrics$ClientImageLoadParentRectScreenTextlstrlen$ByteCharInfoMultiParametersWide
String ID: LZDE$LZEN$LZIT$Lizenz$lng
API String ID: 2727863672-2363247610
Opcode ID: 174c2ef5cb3542c4634db0dd5a4240508240e34c614a04612fcd01b8688baa98
Instruction ID: 9f9485a48d6402ffa7bcfd86dcc73b779697d7fdc7c33d9dfa55754880688632
Opcode Fuzzy Hash: 174c2ef5cb3542c4634db0dd5a4240508240e34c614a04612fcd01b8688baa98
Instruction Fuzzy Hash: 93F15C72301A8082EB52DB27E8587DA7361F78CFE0F448225AB5A5B7B5DF39C845CB40

Function 000000014001F2A4 Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 243windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001F347
SendMessageW.USER32 ref: 000000014001F360
SendMessageW.USER32 ref: 000000014001F379
SendMessageW.USER32 ref: 000000014001F38F
SendMessageW.USER32 ref: 000000014001F3A3
SendMessageW.USER32 ref: 000000014001F3C9
ShowWindow.USER32 ref: 000000014001F3F3
SendMessageW.USER32 ref: 000000014001F407
ImageList_GetIcon.COMCTL32 ref: 000000014001F422
SendMessageW.USER32 ref: 000000014001F451
SendMessageW.USER32 ref: 000000014001F467
GetModuleHandleW.KERNEL32 ref: 000000014001F474
SendMessageW.USER32 ref: 000000014001F58B

Part of subcall function 000000014001E45C: GetWindowRect.USER32 ref: 000000014001E47E

CreateWindowExW.USER32 ref: 000000014001F5EC
SendMessageW.USER32 ref: 000000014001F608
SendMessageW.USER32 ref: 000000014001F61C
SendMessageW.USER32 ref: 000000014001F638
SendMessageW.USER32 ref: 000000014001F64C
SendMessageW.USER32 ref: 000000014001F669
SendMessageW.USER32 ref: 000000014001F67D

Strings

ToolbarWindow32, xrefs: 000000014001F59E
L, xrefs: 000000014001F2F7
, xrefs: 000000014001F51E
d, xrefs: 000000014001F5D5
shell32.dll, xrefs: 000000014001F46D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Window$CreateHandleIconImageList_ModuleRectShow
String ID: $L$ToolbarWindow32$d$shell32.dll
API String ID: 1744847649-4053673454
Opcode ID: ec00726696b043959fb503d2530eeb205b183dbc9545bf4d2d9651eca1e06abb
Instruction ID: 14f72573145001a94804b50c9369ed43ca5d4e3a5e1751d385d7e3ab38500a66
Opcode Fuzzy Hash: ec00726696b043959fb503d2530eeb205b183dbc9545bf4d2d9651eca1e06abb
Instruction Fuzzy Hash: 5EA15771314A8482EBA18B63B954BAA37A1F78DFC5F444025AF0A4BF74DF3DC54A8B44

Function 000000014000D848 Relevance: 58.3, APIs: 30, Strings: 3, Instructions: 556windowstringregistryCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 000000014000D8BC
GetDlgItem.USER32 ref: 000000014000D8CC
GetDriveTypeW.KERNEL32 ref: 000000014000D8FC
_cwprintf_s_l.LIBCMT ref: 000000014000D984
SendMessageW.USER32 ref: 000000014000D997
SendMessageW.USER32 ref: 000000014000D9CD
SendMessageW.USER32 ref: 000000014000DA8B
SendMessageW.USER32 ref: 000000014000DA9F
SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DB67
lstrlenW.KERNEL32 ref: 000000014000DB7F
SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DC4B
lstrlenW.KERNEL32 ref: 000000014000DC63
SendMessageW.USER32 ref: 000000014000DD2F
SendMessageW.USER32 ref: 000000014000DD4D
GetDlgItem.USER32 ref: 000000014000DD5F
SendMessageW.USER32 ref: 000000014000DD75
SendMessageW.USER32 ref: 000000014000DD8D
GetDlgItem.USER32 ref: 000000014000DD9A
SendMessageW.USER32 ref: 000000014000DDAB
RegOpenKeyExW.ADVAPI32 ref: 000000014000DE18
lstrlenW.KERNEL32 ref: 000000014000DEBA
lstrlenW.KERNEL32 ref: 000000014000DEEE
lstrlenW.KERNEL32 ref: 000000014000DF39
lstrlenW.KERNEL32 ref: 000000014000DF63
lstrlenW.KERNEL32 ref: 000000014000DF9B
lstrlenW.KERNEL32 ref: 000000014000DFC5
SendMessageW.USER32 ref: 000000014000DFF9
SendMessageW.USER32 ref: 000000014000E01A
SendMessageW.USER32 ref: 000000014000E02E
RegCloseKey.ADVAPI32 ref: 000000014000E092

Strings

SoftwareOK\, xrefs: 000000014000D9D3
UninstallString, xrefs: 000000014000DE94
%C:\, xrefs: 000000014000D978

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$lstrlen$Item$DriveFolderPathSpecial$CloseLogicalOpenStringsType_cwprintf_s_l
String ID: %C:\$SoftwareOK\$UninstallString
API String ID: 423617-1242695785
Opcode ID: ce4a602b15cb63e03b6c9d7a59fa3f4c24bcbb6a3fbfdff46da888468d75f5d0
Instruction ID: 1213c6fbc6b11f0d7670e3afec7627d9e251dbf8b966614931f2d1ab06e0adb4
Opcode Fuzzy Hash: ce4a602b15cb63e03b6c9d7a59fa3f4c24bcbb6a3fbfdff46da888468d75f5d0
Instruction Fuzzy Hash: BF429F72204A8082EB52DB26E8507DE73A1FB89BF4F544212E76E97AF5DF38C485C740

Function 0000000140013390 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 254windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140013429
SendMessageW.USER32 ref: 000000014001343B
GetDlgItem.USER32 ref: 000000014001344D
SendMessageW.USER32 ref: 000000014001345E
GetDlgItem.USER32 ref: 000000014001346D
SendMessageW.USER32 ref: 0000000140013484
GetDlgItem.USER32 ref: 0000000140013493
SendMessageW.USER32 ref: 00000001400134A5
GetDlgItem.USER32 ref: 00000001400134CC
SendMessageW.USER32 ref: 00000001400134DD
GetDlgItem.USER32 ref: 00000001400134EC
SendMessageW.USER32 ref: 0000000140013500
GetDlgItem.USER32 ref: 0000000140013510
SendMessageW.USER32 ref: 0000000140013524
GetDlgItem.USER32 ref: 000000014001355B
SendMessageW.USER32 ref: 000000014001356C
GetDlgItem.USER32 ref: 0000000140013578
SendMessageW.USER32 ref: 0000000140013589
GetDlgItem.USER32 ref: 0000000140013598
SendMessageW.USER32 ref: 00000001400135A9
GetDlgItem.USER32 ref: 00000001400135B8
SendMessageW.USER32 ref: 00000001400135C9
EndDialog.USER32 ref: 00000001400135D8
PostQuitMessage.USER32 ref: 00000001400135E1
GetDlgItem.USER32 ref: 00000001400135F5
SendMessageW.USER32 ref: 0000000140013606
GetDlgItem.USER32 ref: 0000000140013625
SendMessageW.USER32 ref: 0000000140013639
GetDlgItem.USER32 ref: 000000014001365F
SendMessageW.USER32 ref: 0000000140013675
GetDlgItem.USER32 ref: 000000014001373D
SendMessageW.USER32 ref: 0000000140013751

Strings

forall , xrefs: 000000014001352A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Message$ItemSend$DialogPostQuit
String ID: forall
API String ID: 3324692860-1056140417
Opcode ID: f6947c149669c0dbfbf2dbbacbf94d7a9bfeb96a041f4d752126100307eba41c
Instruction ID: 87455486c33b27b8cf29d0c37acd839ce203718a171ce02a85bea06c2aac402e
Opcode Fuzzy Hash: f6947c149669c0dbfbf2dbbacbf94d7a9bfeb96a041f4d752126100307eba41c
Instruction Fuzzy Hash: 70B19E72700A8182FB66DB37EC55BAA73A1E78DFD5F4481209B5A4BBB4CF39C8458740

Function 000000014000BFFC Relevance: 55.1, APIs: 19, Strings: 12, Instructions: 837stringfilewindowCOMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 000000014000C07A
lstrcmpiW.KERNEL32 ref: 000000014000C0DB
lstrcmpiW.KERNEL32 ref: 000000014000C10D
lstrlenW.KERNEL32 ref: 000000014000C164
lstrlenW.KERNEL32 ref: 000000014000C1F6
lstrcmpiW.KERNEL32 ref: 000000014000C269
lstrcmpW.KERNEL32 ref: 000000014000C29A
lstrlenW.KERNEL32 ref: 000000014000C2D0
GetActiveWindow.USER32 ref: 000000014000C32C
GetTempPathW.KERNEL32 ref: 000000014000C3E4
lstrlenW.KERNEL32 ref: 000000014000C3F9

Part of subcall function 000000014000998C: LoadStringW.USER32 ref: 00000001400099C9
Part of subcall function 000000014000998C: lstrlenW.KERNEL32 ref: 00000001400099ED

Part of subcall function 000000014000AC04: lstrlenW.KERNEL32 ref: 000000014000AC4C

Part of subcall function 000000014000AB88: lstrlenW.KERNEL32 ref: 000000014000ABCF

GetModuleFileNameW.KERNEL32 ref: 000000014000C5E7
CopyFileW.KERNEL32 ref: 000000014000C609
MessageBoxW.USER32 ref: 000000014000C753
lstrlenW.KERNEL32 ref: 000000014000C879
ShellExecuteW.SHELL32 ref: 000000014000C939
GetModuleFileNameW.KERNEL32 ref: 000000014000CB1E
CharLowerW.USER32 ref: 000000014000CB9E
lstrlenW.KERNEL32 ref: 000000014000CC57

Strings

forall, xrefs: 000000014000C106
inst_all, xrefs: 000000014000CBCF
for_all_install, xrefs: 000000014000C8A2
-uninstall, xrefs: 000000014000C262, 000000014000C293
-runas -uninstall+", xrefs: 000000014000C8DB
-install, xrefs: 000000014000C0D4
open, xrefs: 000000014000C912
install, xrefs: 000000014000CBAA
_uninstall.ini, xrefs: 000000014000C51D
runas, xrefs: 000000014000C90B
setup, xrefs: 000000014000CBF8
_uninstall.exe, xrefs: 000000014000C458

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$Filelstrcmpi$CharLowerModuleName$ActiveCopyExecuteLoadMessagePathShellStringTempWindowlstrcmp
String ID: -install$-runas -uninstall+"$-uninstall$_uninstall.exe$_uninstall.ini$for_all_install$forall$inst_all$install$open$runas$setup
API String ID: 2504411763-1341484687
Opcode ID: 8562d175aedde86520c8cd2ec8d3d0bc397fb097088fd8139ba27f20c5951f99
Instruction ID: cf43a6124aa4e3bb155e5ad45821fdca4f14204c7f904ce3f0e914a877faeb3c
Opcode Fuzzy Hash: 8562d175aedde86520c8cd2ec8d3d0bc397fb097088fd8139ba27f20c5951f99
Instruction Fuzzy Hash: 87826272312A8082EA62DB6AE8517DA63A1F7897B4F584311E77E876F5CF3CC485C740

Function 000000014001AE88 Relevance: 49.5, APIs: 18, Strings: 10, Instructions: 496windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32 ref: 000000014001AF03
GetUserNameW.ADVAPI32 ref: 000000014001AF7C
GetDlgItem.USER32 ref: 000000014001B25C
SetWindowTextW.USER32 ref: 000000014001B268
GetDlgItem.USER32 ref: 000000014001B277
SendMessageW.USER32 ref: 000000014001B28E
SendMessageW.USER32 ref: 000000014001B2C5
SendMessageW.USER32 ref: 000000014001B2FD
SendMessageW.USER32 ref: 000000014001B330
SendMessageW.USER32 ref: 000000014001B343
GetDlgItem.USER32 ref: 000000014001B535
SetWindowTextW.USER32 ref: 000000014001B541
GetDlgItem.USER32 ref: 000000014001B5B4
SendMessageW.USER32 ref: 000000014001B5C8
GetDlgItem.USER32 ref: 000000014001B5D7
EnableWindow.USER32 ref: 000000014001B5E7
GetDlgItem.USER32 ref: 000000014001B62B
SendMessageW.USER32 ref: 000000014001B63F

Strings

(HKCR) , xrefs: 000000014001B124
] (HKCU) , xrefs: 000000014001AF82
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}, xrefs: 000000014001B4A5
CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}, xrefs: 000000014001B478
*.qdr, xrefs: 000000014001B4C3
Directory, xrefs: 000000014001B469
Folder, xrefs: 000000014001B4B4
CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}, xrefs: 000000014001B487
CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}, xrefs: 000000014001B496
(HKLM) , xrefs: 000000014001B1AF

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Item$Window$Text$EnableNameUser
String ID: (HKCR) $ (HKLM) $*.qdr$CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}$CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}$CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}$CLSID\{645FF040-5081-101B-9F08-00AA002F954E}$Directory$Folder$] (HKCU)
API String ID: 2733348308-1270919712
Opcode ID: 5b7df7088cd7fd202b9b4ad1358d47c508a0866ecfc250b8f376fc300af9f182
Instruction ID: d78f68b6f60c0c02d0dd8fcb4c0d7b7098eafab5eb59487035eb8d48594ed72f
Opcode Fuzzy Hash: 5b7df7088cd7fd202b9b4ad1358d47c508a0866ecfc250b8f376fc300af9f182
Instruction Fuzzy Hash: B2328272205A8086EB62DB6AE8503DA73A0FBC97B4F444311A77D8BAE5DF7DC445CB40

Function 000000014001048C Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 314filewindowCOMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400104E2

Part of subcall function 00000001400852AC: _cwprintf_s_l.LIBCMT ref: 00000001400852E4

SetFileAttributesW.KERNEL32 ref: 0000000140010569
GetDlgItem.USER32 ref: 000000014001059C
SendMessageW.USER32 ref: 00000001400105B2
_cwprintf_s_l.LIBCMT ref: 00000001400105DB
CopyFileW.KERNEL32 ref: 00000001400105F0
GetDlgItem.USER32 ref: 00000001400105FF
SendMessageW.USER32 ref: 0000000140010610
_cwprintf_s_l.LIBCMT ref: 000000014001064D
CopyFileW.KERNEL32 ref: 00000001400106AA
GetDlgItem.USER32 ref: 00000001400106B9
SendMessageW.USER32 ref: 00000001400106CA
_cwprintf_s_l.LIBCMT ref: 00000001400106EB
CopyFileW.KERNEL32 ref: 0000000140010700
ShellExecuteW.SHELL32 ref: 0000000140010724

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0000000140010623
.\Favoriten\, xrefs: 000000014001050D
m_lang_id, xrefs: 00000001400104F6
Favoriten, xrefs: 000000014001051B
Link, xrefs: 0000000140010531
.\Favoriten\Quick-Link\, xrefs: 000000014001052A
Ordner, xrefs: 0000000140010514
Program, xrefs: 0000000140010555
open, xrefs: 000000014001071B
m_lang_id=%d, xrefs: 00000001400104D3
portable_install, xrefs: 000000014001054E
%s\%s.lnk, xrefs: 000000014001057E

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: _cwprintf_s_l$File$CopyItemMessageSend$AttributesExecuteShell
String ID: %s\%s.lnk$.\Favoriten\$.\Favoriten\Quick-Link\$Favoriten$Link$Ordner$Program$\Microsoft\Internet Explorer\Quick Launch$m_lang_id$m_lang_id=%d$open$portable_install
API String ID: 865069665-912432381
Opcode ID: 09fd3be6d87d3314e842234ac9bfaaf60286fd91aaa6fe79aa6a6f993e03e53e
Instruction ID: f5fd568eb4fa89ef09741f301376edfd5dbb115e4928b6f7acd597c23f9de95b
Opcode Fuzzy Hash: 09fd3be6d87d3314e842234ac9bfaaf60286fd91aaa6fe79aa6a6f993e03e53e
Instruction Fuzzy Hash: 56E1B633205A8086E7628B7AE8553DD33A0F789BB4F444302E7A99B6F2DE7DD4858740

Function 0000000140021A00 Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 320windowstringCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140021A43
SendMessageW.USER32 ref: 0000000140021A79
SendMessageW.USER32 ref: 0000000140021AFE
SendMessageW.USER32 ref: 0000000140021B68
lstrlenW.KERNEL32 ref: 0000000140021BE0
lstrlenW.KERNEL32 ref: 0000000140021C3B
SendMessageW.USER32 ref: 0000000140021C8E
SetWindowPos.USER32 ref: 0000000140021CF0
SendMessageW.USER32 ref: 0000000140021D22
SendMessageW.USER32 ref: 0000000140021D64
SetWindowPos.USER32 ref: 0000000140021D9E
_cwprintf_s_l.LIBCMT ref: 0000000140021DCF
SendMessageW.USER32 ref: 0000000140021DEE
SendMessageW.USER32 ref: 0000000140021E0F
SendMessageW.USER32 ref: 0000000140021E26
ImageList_GetIconSize.COMCTL32 ref: 0000000140021E3F
SendMessageW.USER32 ref: 0000000140021E70
SendMessageW.USER32 ref: 0000000140021E8A
SendMessageW.USER32 ref: 0000000140021E9F
SetWindowPos.USER32 ref: 0000000140021EDC
SendMessageW.USER32 ref: 0000000140021F0A
SetWindowPos.USER32 ref: 0000000140021F51

Strings

0, xrefs: 0000000140021AA0
@, xrefs: 0000000140021D3A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Window$lstrlen$ClientIconImageList_RectSize_cwprintf_s_l
String ID: 0$@
API String ID: 3730665866-1545510068
Opcode ID: 11cc51ba024c335070304a6cd7586fed144db14e9716be4ba93d075a169ea3cb
Instruction ID: f515dbf1d49814e9e3407b6919e0efcb9013ed6d199b989b111f9ff7d72fbfb8
Opcode Fuzzy Hash: 11cc51ba024c335070304a6cd7586fed144db14e9716be4ba93d075a169ea3cb
Instruction Fuzzy Hash: AFE16B722146C48BE765CF66E8447DEB7A0F3C8B84F548115EB8957B68CB39D865CF00

Function 000000014002267C Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 306windowCOMMON

Download Yara Rule

APIs

SetClassLongW.USER32 ref: 000000014002271D
GetVersionExW.KERNEL32 ref: 000000014002272A
GetWindowLongW.USER32 ref: 000000014002273A
SetWindowLongW.USER32 ref: 0000000140022754
SendMessageW.USER32 ref: 00000001400227C5
SendMessageW.USER32 ref: 00000001400227E1
SendMessageW.USER32 ref: 0000000140022802
SendMessageW.USER32 ref: 0000000140022823
SendMessageW.USER32 ref: 0000000140022841
CreateWindowExW.USER32 ref: 000000014002288B
ImageList_Create.COMCTL32 ref: 00000001400228DD
SendMessageW.USER32 ref: 00000001400228F9
GetLogicalDrives.KERNEL32 ref: 00000001400228FF
ImageList_ReplaceIcon.COMCTL32 ref: 0000000140022982
SendMessageW.USER32 ref: 0000000140022A6F
GetWindowLongW.USER32 ref: 0000000140022A84
SetWindowLongW.USER32 ref: 0000000140022AA1
SendMessageW.USER32 ref: 0000000140022ABA
SetWindowPos.USER32 ref: 0000000140022B09
ShowWindow.USER32 ref: 0000000140022B1C
SendMessageW.USER32 ref: 0000000140022B35
ScreenToClient.USER32 ref: 0000000140022B43
ScreenToClient.USER32 ref: 0000000140022B56

Strings

ToolbarWindow32, xrefs: 0000000140022882

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Window$Long$ClientCreateImageList_Screen$ClassDrivesIconLogicalReplaceShowVersion
String ID: ToolbarWindow32
API String ID: 842631731-4104838417
Opcode ID: ba84337135d303bd3799ef85bb0cb54951ebc0608bbc2ff809f3092e0c3ffe06
Instruction ID: a663587379c71f0d67b58061b540d5e2aae6d204183f87e6aeff41e5a4a8a6a9
Opcode Fuzzy Hash: ba84337135d303bd3799ef85bb0cb54951ebc0608bbc2ff809f3092e0c3ffe06
Instruction Fuzzy Hash: B2E19472214A9087E761DF26E858B9E77A5F788BD0F414226EB9947BB5CF38C845CB00

Function 000000014000909C Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 287windowregistrystringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00000001400090F7
lstrcmpiW.KERNEL32 ref: 0000000140009114
GetWindowLongW.USER32 ref: 0000000140009127
SetWindowLongW.USER32 ref: 0000000140009140
GetWindowLongW.USER32 ref: 000000014000914C
CreateCursor.USER32 ref: 00000001400091C5
GetParent.USER32 ref: 00000001400091E6
SendMessageW.USER32 ref: 00000001400091F9
GetStockObject.GDI32 ref: 000000014000920C
GetObjectW.GDI32 ref: 0000000140009244
CreateFontIndirectW.GDI32 ref: 0000000140009283
GetWindowTextLengthW.USER32 ref: 00000001400092D3
GetWindowTextW.USER32 ref: 0000000140009351
SendMessageW.USER32 ref: 00000001400093DA
SendMessageW.USER32 ref: 000000014000945B
RegOpenKeyExW.ADVAPI32 ref: 000000014000949D
RegCloseKey.ADVAPI32 ref: 000000014000956D

Strings

Software\Microsoft\Internet Explorer\Settings, xrefs: 000000014000948F
Anchor Color Visited, xrefs: 0000000140009539
Anchor Color, xrefs: 00000001400094F8
H, xrefs: 00000001400093F8
tooltips_class32, xrefs: 00000001400092B2
static, xrefs: 0000000140009105

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$LongMessageSend$CreateObjectText$ClassCloseCursorFontIndirectLengthNameOpenParentStocklstrcmpi
String ID: Anchor Color$Anchor Color Visited$H$Software\Microsoft\Internet Explorer\Settings$static$tooltips_class32
API String ID: 4016893531-15458338
Opcode ID: 212ea544e0e226f010af4f5bfcc0c737a4f562a775f8519822f56687e2b46025
Instruction ID: 85be3385342c9aca68e5758e7a1ed4048d160111e8e1d2afd3ed2a036945b3fd
Opcode Fuzzy Hash: 212ea544e0e226f010af4f5bfcc0c737a4f562a775f8519822f56687e2b46025
Instruction Fuzzy Hash: 44E16172204B8186EB72DF26F4847DEB3A1F788B90F544126EB9A47AB4DF78D545CB00

Function 000000014000A378 Relevance: 39.1, APIs: 26, Instructions: 141windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000998C: LoadStringW.USER32 ref: 00000001400099C9
Part of subcall function 000000014000998C: lstrlenW.KERNEL32 ref: 00000001400099ED

GetDlgItem.USER32 ref: 000000014000A3B5
SendMessageW.USER32 ref: 000000014000A3C9
GetDlgItem.USER32 ref: 000000014000A3E2
SendMessageW.USER32 ref: 000000014000A3FA
GetDlgItem.USER32 ref: 000000014000A40B
SendMessageW.USER32 ref: 000000014000A420
GetDlgItem.USER32 ref: 000000014000A42F
EnableWindow.USER32 ref: 000000014000A443
GetDlgItem.USER32 ref: 000000014000A452
EnableWindow.USER32 ref: 000000014000A466
GetDlgItem.USER32 ref: 000000014000A475
EnableWindow.USER32 ref: 000000014000A489
GetDlgItem.USER32 ref: 000000014000A498
EnableWindow.USER32 ref: 000000014000A4AC
GetDlgItem.USER32 ref: 000000014000A4BB
EnableWindow.USER32 ref: 000000014000A4CF
GetDlgItem.USER32 ref: 000000014000A4DE
EnableWindow.USER32 ref: 000000014000A4F2
GetDlgItem.USER32 ref: 000000014000A501
SendMessageW.USER32 ref: 000000014000A520
GetDlgItem.USER32 ref: 000000014000A52F
SendMessageW.USER32 ref: 000000014000A54E
GetDlgItem.USER32 ref: 000000014000A55D
SendMessageW.USER32 ref: 000000014000A57C
GetDlgItem.USER32 ref: 000000014000A58B
SendMessageW.USER32 ref: 000000014000A5AA

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Item$MessageSend$EnableWindow$LoadStringlstrlen
String ID:
API String ID: 1173643101-0
Opcode ID: 7c7d513955768bfae79e3a188177268da00716552af1d794ceb65d20afd4135a
Instruction ID: 6dabcdcea65f6328270f3a14a4be7ba257ce24461f4ee2d6b5f721c516a55c37
Opcode Fuzzy Hash: 7c7d513955768bfae79e3a188177268da00716552af1d794ceb65d20afd4135a
Instruction Fuzzy Hash: 09512F71602A9182F766DF76ED1479A3361EBCDFA5F1881219B050BAB8CF3DC885C740

Function 000000014001A9B8 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 310windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014001AA20
SendMessageW.USER32 ref: 000000014001AA34
GetDlgItem.USER32 ref: 000000014001AA4E
SendMessageW.USER32 ref: 000000014001AA62
_cwprintf_s_l.LIBCMT ref: 000000014001AA95
GetDlgItem.USER32 ref: 000000014001AAE5
SendMessageW.USER32 ref: 000000014001AAF9
GetDlgItem.USER32 ref: 000000014001AB0E
SendMessageW.USER32 ref: 000000014001AB22
GetDlgItem.USER32 ref: 000000014001AB31
SendMessageW.USER32 ref: 000000014001AB45
GetDlgItem.USER32 ref: 000000014001AB54
EnableWindow.USER32 ref: 000000014001AB65
GetDlgItem.USER32 ref: 000000014001ABC9
SendMessageW.USER32 ref: 000000014001ABDD
MessageBoxW.USER32 ref: 000000014001ACF6

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

GetDlgItem.USER32 ref: 000000014001AC38
SendMessageW.USER32 ref: 000000014001AC4C
GetDlgItem.USER32 ref: 000000014001AE40
SendMessageW.USER32 ref: 000000014001AE5B

Strings

%d, xrefs: 000000014001AA86
Folder, xrefs: 000000014001ABE9, 000000014001AC0A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ItemMessage$Send$lstrlen$ByteCharEnableMultiWideWindow_cwprintf_s_l
String ID: %d$Folder
API String ID: 1125211564-3146767445
Opcode ID: d5c5b766d43663587aaf605c0f3c775f4b55a46af071f10d0a1cd3309bd6e41c
Instruction ID: 21c51c626c70cd87c04718b6dab06da61f7cb9eb7a6040d354ccdd7e0e2232fa
Opcode Fuzzy Hash: d5c5b766d43663587aaf605c0f3c775f4b55a46af071f10d0a1cd3309bd6e41c
Instruction Fuzzy Hash: 73D1707230198082EA52DB6AE8547DA63A1F7C9BF4F544712AB2E4BBF5DE3DC8418740

Function 0000000140008C3C Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 275COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 0000000140008C94
LoadResource.KERNEL32 ref: 0000000140008CAE

Strings

ToolbarWindow32, xrefs: 0000000140008E56
@ , xrefs: 0000000140008F67

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Resource$FindLoad
String ID: @ $ToolbarWindow32
API String ID: 2619053042-323118299
Opcode ID: ba8c7da73fdf4611577f9cc5b69f03cab2a023da74b4aa09a77eb4ab799658c9
Instruction ID: 86fd8192aee64fd393b297de248f850f55717a7b1b35142793763b7c302a9f68
Opcode Fuzzy Hash: ba8c7da73fdf4611577f9cc5b69f03cab2a023da74b4aa09a77eb4ab799658c9
Instruction Fuzzy Hash: E0C1BE72215BD086E7A1CB26F8147AE77A1F38CBD4F548125EB8A47BA4DB3DC480CB00

Function 0000000140022E30 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0000000140022E9D
SetWindowLongW.USER32 ref: 0000000140022EB7
SendMessageW.USER32 ref: 0000000140022F3F
SendMessageW.USER32 ref: 0000000140022F54
SendMessageW.USER32 ref: 0000000140022F69
SendMessageW.USER32 ref: 0000000140022F9C
SendMessageW.USER32 ref: 0000000140022FB3
SetWindowPos.USER32 ref: 0000000140022FE2
GetWindowLongW.USER32 ref: 0000000140022FEF
SetWindowLongW.USER32 ref: 0000000140023008
SendMessageW.USER32 ref: 0000000140023087
SendMessageW.USER32 ref: 00000001400230A6
ShowWindow.USER32 ref: 00000001400230B5
CreateWindowExW.USER32 ref: 000000014002310C
CreateWindowExW.USER32 ref: 0000000140023158
SendMessageW.USER32 ref: 0000000140023197

Part of subcall function 0000000140105C3C: GetWindowsDirectoryW.KERNEL32 ref: 0000000140105CA3
Part of subcall function 0000000140105C3C: SHGetFileInfoW.SHELL32 ref: 0000000140105CCB
Part of subcall function 0000000140105C3C: SHGetFileInfoW.SHELL32 ref: 0000000140105CF6

Strings

ToolbarWindow32, xrefs: 0000000140023103, 000000014002314F
EDIT, xrefs: 0000000140023050
0, xrefs: 0000000140022EF3

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSendWindow$Long$CreateFileInfo$DirectoryShowWindows
String ID: 0$EDIT$ToolbarWindow32
API String ID: 1204497882-763659013
Opcode ID: 834bd5d7253893d8378540521d87bfc067c0ff6e5eb3ea9cc8ff4f094263d16a
Instruction ID: a7e7e59726aa6b583e4861d0486cd2d186bfd6f2536b9c675329a7200f04048f
Opcode Fuzzy Hash: 834bd5d7253893d8378540521d87bfc067c0ff6e5eb3ea9cc8ff4f094263d16a
Instruction Fuzzy Hash: BAA12C72214B808AE761CF26E8807CE7BA1F788B94F54412AEB8D57F68DF39C545CB40

Function 000000014001D000 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 323memoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014001D037
LoadResource.KERNEL32 ref: 000000014001D058
LockResource.KERNEL32 ref: 000000014001D066
FindResourceW.KERNEL32 ref: 000000014001D087
LoadResource.KERNEL32 ref: 000000014001D0A0
LockResource.KERNEL32 ref: 000000014001D0B2
GetWindow.USER32 ref: 000000014001D100
GlobalAlloc.KERNEL32 ref: 000000014001D1B0
GlobalLock.KERNEL32 ref: 000000014001D1C7
GlobalUnlock.KERNEL32 ref: 000000014001D209
CreateStreamOnHGlobal.OLE32 ref: 000000014001D21F
MapDialogRect.USER32 ref: 000000014001D2CB
SetWindowContextHelpId.USER32 ref: 000000014001D34F
SetWindowPos.USER32 ref: 000000014001D3C0
#6.OLEAUT32 ref: 000000014001D3E7
GetWindow.USER32 ref: 000000014001D413

Part of subcall function 0000000140015570: GetLastError.KERNEL32 ref: 0000000140015574

#6.OLEAUT32 ref: 000000014001D489

Strings

AtlAxWinLic90, xrefs: 000000014001D320

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Resource$GlobalWindow$Lock$FindLoad$AllocContextCreateDialogErrorHelpLastRectStreamUnlock
String ID: AtlAxWinLic90
API String ID: 3889352284-3795641830
Opcode ID: de0d6f08919c3052e159f00e3193dda42f239365d0447abbbd27013998200e8d
Instruction ID: 51d079df90b8a02c2a86cf8d9dc758cc88ac7561a0772db8427750d37b632643
Opcode Fuzzy Hash: de0d6f08919c3052e159f00e3193dda42f239365d0447abbbd27013998200e8d
Instruction Fuzzy Hash: 13D16F3620469086EB65DF62E4503EA73A1F78CBC4F188526FB5A4FBB4DB7AD844C740

Function 0000000140024A78 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 218windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140105C3C: GetWindowsDirectoryW.KERNEL32 ref: 0000000140105CA3
Part of subcall function 0000000140105C3C: SHGetFileInfoW.SHELL32 ref: 0000000140105CCB
Part of subcall function 0000000140105C3C: SHGetFileInfoW.SHELL32 ref: 0000000140105CF6

Part of subcall function 0000000140020DC0: SendMessageW.USER32 ref: 0000000140020E75
Part of subcall function 0000000140020DC0: SendMessageW.USER32 ref: 0000000140020EFB

Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F58B
Part of subcall function 000000014001F2A4: CreateWindowExW.USER32 ref: 000000014001F5EC
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F608
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F61C
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F638
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F64C
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F669
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F67D

SetParent.USER32 ref: 0000000140024AE9

Part of subcall function 000000014001E45C: GetWindowRect.USER32 ref: 000000014001E47E

CreateWindowExW.USER32 ref: 0000000140024B49
SendMessageW.USER32 ref: 0000000140024B6B
SendMessageW.USER32 ref: 0000000140024B80
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140024BE4
SendMessageW.USER32 ref: 0000000140024C82
SendMessageW.USER32 ref: 0000000140024C9C
GetWindowLongW.USER32 ref: 0000000140024CD4
SetWindowLongW.USER32 ref: 0000000140024CF0
SendMessageW.USER32 ref: 0000000140024D05
SendMessageW.USER32 ref: 0000000140024D35
GetSystemMetrics.USER32 ref: 0000000140024D3E
SendMessageW.USER32 ref: 0000000140024D67
SendMessageW.USER32 ref: 0000000140024D7C
SetWindowPos.USER32 ref: 0000000140024DD5
ShowWindow.USER32 ref: 0000000140024DE7

Strings

d, xrefs: 0000000140024B25
ToolbarWindow32, xrefs: 0000000140024B40

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Window$CreateFileInfoLong$DirectoryFolderLocationMetricsParentRectShowSpecialSystemWindows
String ID: ToolbarWindow32$d
API String ID: 3673439606-1364537291
Opcode ID: da462dc776a07fecd68a21ef27e8583de3242e8132480acd492de46ce9948398
Instruction ID: 9830e13c2f5f986fa01b6c7e6cdaa0575e950eba642a179dc9f7cec8fa218f83
Opcode Fuzzy Hash: da462dc776a07fecd68a21ef27e8583de3242e8132480acd492de46ce9948398
Instruction Fuzzy Hash: 15A16C7620468087E765DF26E8507DEB3A1F78CB94F544025EB8A8BB75CF39C94ACB00

Function 00000001400FF714 Relevance: 30.1, APIs: 20, Instructions: 126windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400FF75D
GetSysColor.USER32 ref: 00000001400FF768
SendMessageW.USER32 ref: 00000001400FF780
SendMessageW.USER32 ref: 00000001400FF79A
GetSysColor.USER32 ref: 00000001400FF7B2
SendMessageW.USER32 ref: 00000001400FF7CE
SendMessageW.USER32 ref: 00000001400FF7E8
SendMessageW.USER32 ref: 00000001400FF801
SendMessageW.USER32 ref: 00000001400FF73C

Part of subcall function 000000014003FD18: SystemParametersInfoW.USER32 ref: 000000014003FD8E
Part of subcall function 000000014003FD18: GetStockObject.GDI32 ref: 000000014003FDA1
Part of subcall function 000000014003FD18: GetObjectW.GDI32 ref: 000000014003FDC8
Part of subcall function 000000014003FD18: lstrcpynW.KERNEL32 ref: 000000014003FE33
Part of subcall function 000000014003FD18: CreateFontIndirectW.GDI32 ref: 000000014003FE41
Part of subcall function 000000014003FD18: DeleteObject.GDI32 ref: 000000014003FE72

SendMessageW.USER32 ref: 00000001400FF813
SendMessageW.USER32 ref: 00000001400FF835
SendMessageW.USER32 ref: 00000001400FF85D
ImageList_SetBkColor.COMCTL32(?,?,?,0000000140103F34), ref: 00000001400FF86D
SendMessageW.USER32 ref: 00000001400FF89A
SendMessageW.USER32 ref: 00000001400FF8BC
GetSysColor.USER32 ref: 00000001400FF8C7
SendMessageW.USER32 ref: 00000001400FF8DF
SendMessageW.USER32 ref: 00000001400FF8F9
GetSysColor.USER32 ref: 00000001400FF904
SendMessageW.USER32 ref: 00000001400FF919

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Color$Object$CreateDeleteFontImageIndirectInfoList_ParametersStockSystemlstrcpyn
String ID:
API String ID: 736779183-0
Opcode ID: c3f1514e4f68a04fa89be1a1f15611e863bbab2ef3d5545d52e0b845c764d121
Instruction ID: 6f0317fa6f4633671fe8009c8507364e7b93cdd0de32c02e3e1814570969f199
Opcode Fuzzy Hash: c3f1514e4f68a04fa89be1a1f15611e863bbab2ef3d5545d52e0b845c764d121
Instruction Fuzzy Hash: D051403521064082E7929BB3E865BE97362EB8CFD5F449015DF095BFB4DE39C8858B50

Function 000000014000D458 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 247windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 000000014000D49C

Part of subcall function 0000000140007FF4: GetSubMenu.USER32 ref: 0000000140008008

GetMenuItemCount.USER32 ref: 000000014000D4C1
DestroyMenu.USER32 ref: 000000014000D5F0
GetMenuItemCount.USER32 ref: 000000014000D5FE
SendMessageW.USER32 ref: 000000014000D63A
GetMenuItemInfoW.USER32 ref: 000000014000D6AB
_cwprintf_s_l.LIBCMT ref: 000000014000D6ED
SendMessageW.USER32 ref: 000000014000D781

Part of subcall function 000000014007E7A0: GetMenuItemInfoW.USER32 ref: 000000014007E82D
Part of subcall function 000000014007E7A0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000D4EE), ref: 000000014007E83E

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

SendMessageW.USER32 ref: 000000014000D79E
DestroyMenu.USER32 ref: 000000014000D805
DestroyMenu.USER32 ref: 000000014000D816

Strings

ID:%d, xrefs: 000000014000D6E1
10900, xrefs: 000000014000D4EF
P, xrefs: 000000014000D68D
InitLangCombo-ERR, xrefs: 000000014000D60B
H, xrefs: 000000014000D65F
| , xrefs: 000000014000D74F

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Menu$Item$DestroyMessageSendlstrlen$CountInfo$ByteCharLoadMultiWide_cwprintf_s_l
String ID: ID:%d$ | $10900$H$InitLangCombo-ERR$P
API String ID: 2576854577-3851071048
Opcode ID: b755c7a2f0a5b9e27a8672cc3b79c1c9fff2e32756b21b6200b3ea2545efba30
Instruction ID: 20116706675992dc0dd6a543d8b96af0499e673c97be450d8ca5d57fafb5b745
Opcode Fuzzy Hash: b755c7a2f0a5b9e27a8672cc3b79c1c9fff2e32756b21b6200b3ea2545efba30
Instruction Fuzzy Hash: 28B1A272215A4182EA62DB2AE8417EA7360FB8DBF4F444212AF6D476F5DF78C845CB40

Function 0000000140011EF4 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 400stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140011FB3
lstrlenW.KERNEL32 ref: 0000000140011FFF
FindClose.KERNEL32 ref: 000000014001206E
DeleteFileW.KERNEL32 ref: 00000001400120B8
FindClose.KERNEL32 ref: 00000001400120FF
FindNextFileW.KERNEL32 ref: 00000001400121E3
lstrlenW.KERNEL32 ref: 00000001400122C1
lstrlenW.KERNEL32 ref: 0000000140012326
DeleteFileW.KERNEL32 ref: 0000000140012358
FindClose.KERNEL32 ref: 0000000140012414
FindClose.KERNEL32 ref: 0000000140012472
RemoveDirectoryW.KERNEL32 ref: 0000000140012484
FindClose.KERNEL32 ref: 00000001400124C8

Strings

., xrefs: 000000014001220C
*.*, xrefs: 000000014001214E

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Find$Close$lstrlen$File$Delete$DirectoryNextRemove
String ID: *.*$.
API String ID: 1219767574-358234090
Opcode ID: a89af37bb8a894edc39e6472b1449ba87969c6883525ffa567b5d99f45521776
Instruction ID: 63b703b6d4bd9990a1e04bcf9a008da59e47041a9f1cfcebd5386c86394f25f3
Opcode Fuzzy Hash: a89af37bb8a894edc39e6472b1449ba87969c6883525ffa567b5d99f45521776
Instruction Fuzzy Hash: C8026472204A8086EB62DF66E8903DD73A1F78C7E4F184225F76E8B6E5DE79C495C700

Function 0000000140007274 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00000001400072A2
GetDlgItem.USER32 ref: 00000001400072B0
GetWindowRect.USER32 ref: 00000001400072C1
ScreenToClient.USER32 ref: 00000001400072CF
ScreenToClient.USER32 ref: 00000001400072DD
GetClientRect.USER32 ref: 00000001400072EE

Part of subcall function 0000000140048318: LoadLibraryW.KERNEL32 ref: 000000014004832C
Part of subcall function 0000000140048318: GetProcAddress.KERNEL32 ref: 0000000140048353

Part of subcall function 00000001400487CC: GetProcAddress.KERNEL32 ref: 0000000140048805

Part of subcall function 000000014004839C: GetProcAddress.KERNEL32 ref: 00000001400483AF

Part of subcall function 00000001400483E0: GetProcAddress.KERNEL32 ref: 00000001400483F3

CreateDIBSection.GDI32 ref: 000000014000739F
GetDC.USER32 ref: 00000001400073AA
CreateCompatibleDC.GDI32 ref: 00000001400073B3
SelectObject.GDI32 ref: 00000001400073C2
SelectObject.GDI32 ref: 000000014000741E
ReleaseDC.USER32 ref: 0000000140007429
SendMessageW.USER32 ref: 000000014000743D

Part of subcall function 0000000140048780: GetProcAddress.KERNEL32 ref: 00000001400487A5
Part of subcall function 0000000140048780: FreeLibrary.KERNEL32 ref: 00000001400487BE

Strings

PNG, xrefs: 0000000140007306
(, xrefs: 0000000140007344
bitmap9.jpg, xrefs: 000000014000730D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressProc$Client$CreateItemLibraryObjectRectScreenSelect$CompatibleFreeLoadMessageReleaseSectionSendWindow
String ID: ($PNG$bitmap9.jpg
API String ID: 730289181-2908563061
Opcode ID: 09fbaf4045a4607f18a197df20f88c37a2a963bc86c1ec830f2e47abbfd2117b
Instruction ID: e3f5f732d1241b50202e92e1289a60451ceede66af42e874af80bba1de0125b7
Opcode Fuzzy Hash: 09fbaf4045a4607f18a197df20f88c37a2a963bc86c1ec830f2e47abbfd2117b
Instruction Fuzzy Hash: 24513972218B818AE751DF26E41839EB360F788BD6F145125EB8A07BA9CF7DC449CF40

Function 000000014011B450 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 164windowCOMMON

Download Yara Rule

APIs

InitCommonControlsEx.COMCTL32 ref: 000000014011B492
CreateWindowExW.USER32 ref: 000000014011B4F2
GetStockObject.GDI32 ref: 000000014011B500
GetObjectW.GDI32 ref: 000000014011B527
CreateFontIndirectW.GDI32 ref: 000000014011B54A
SendMessageW.USER32 ref: 000000014011B55C
SendMessageW.USER32 ref: 000000014011B570
SendMessageW.USER32 ref: 000000014011B5A3
SendMessageW.USER32 ref: 000000014011B5D7
SendMessageW.USER32 ref: 000000014011B66C
SendMessageW.USER32 ref: 000000014011B6A5
SendMessageW.USER32 ref: 000000014011B6D5

Strings

ToolbarWindow32, xrefs: 000000014011B4E1
d, xrefs: 000000014011B4CF
, xrefs: 000000014011B4C4

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$CreateObject$CommonControlsFontIndirectInitStockWindow
String ID: $ToolbarWindow32$d
API String ID: 2235514304-853020219
Opcode ID: 04f20807d92875e8a941c46ab5e9a55c7c36849dd24a71f01fe2bb3f4ca10e66
Instruction ID: 81380e565916d0e3a220b6bcff18d90d1e69f70c6a8208045f8504cb5dddd19f
Opcode Fuzzy Hash: 04f20807d92875e8a941c46ab5e9a55c7c36849dd24a71f01fe2bb3f4ca10e66
Instruction Fuzzy Hash: BF61E1722146908BE761CF26F854BEA77A0F788F99F544114EF990BEA9DB3CC546CB00

Function 000000014000B824 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 203filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AB88: lstrlenW.KERNEL32 ref: 000000014000ABCF

GetTempPathW.KERNEL32 ref: 000000014000B8E2
GetTempPathW.KERNEL32 ref: 000000014000B8F1
GetModuleFileNameW.KERNEL32 ref: 000000014000B92B
CreateFileW.KERNEL32 ref: 000000014000B973
_cwprintf_s_l.LIBCMT ref: 000000014000B9A8
lstrlenW.KERNEL32 ref: 000000014000B9D7
WideCharToMultiByte.KERNEL32 ref: 000000014000BA47
WriteFile.KERNEL32 ref: 000000014000BA6A
CloseHandle.KERNEL32 ref: 000000014000BA73
ShellExecuteW.SHELL32 ref: 000000014000BA9A

Strings

:Repeat###DEL "%s"###if exist "%s" goto Repeat###DEL "%s"###, xrefs: 000000014000B867
###, xrefs: 000000014000B9B4
open, xrefs: 000000014000BA91
_selfdestruct.bat, xrefs: 000000014000B878

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: File$PathTemplstrlen$ByteCharCloseCreateExecuteHandleModuleMultiNameShellWideWrite_cwprintf_s_l
String ID: ###$:Repeat###DEL "%s"###if exist "%s" goto Repeat###DEL "%s"###$_selfdestruct.bat$open
API String ID: 526318972-2663367853
Opcode ID: e0ef0da1caaaa179e51490a716369e6204e6a809852cf07e17a30ec8e6058aa4
Instruction ID: 604c710743bc7a9a6ac54444303196fb82ccd627159c2c83cb5586e85e4cd396
Opcode Fuzzy Hash: e0ef0da1caaaa179e51490a716369e6204e6a809852cf07e17a30ec8e6058aa4
Instruction Fuzzy Hash: 8BA15F72200A848AEB21DF76E8517D933A1F789BBCF444315E7294BAE9DF39C549C740

Function 000000014000A5E0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 131windowfilestringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000A627
SendMessageW.USER32 ref: 000000014000A63B

Part of subcall function 00000001400095A0: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400095D0
Part of subcall function 00000001400095A0: SHGetPathFromIDListW.SHELL32 ref: 00000001400095F1
Part of subcall function 00000001400095A0: SHGetSpecialFolderLocation.SHELL32 ref: 0000000140009601
Part of subcall function 00000001400095A0: SHGetPathFromIDListW.SHELL32 ref: 000000014000961D
Part of subcall function 00000001400095A0: SHGetSpecialFolderLocation.SHELL32 ref: 0000000140009691
Part of subcall function 00000001400095A0: SHGetPathFromIDListW.SHELL32 ref: 00000001400096AD
Part of subcall function 00000001400095A0: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400096C0
Part of subcall function 00000001400095A0: SHGetPathFromIDListW.SHELL32 ref: 00000001400096DC
Part of subcall function 00000001400095A0: lstrlenW.KERNEL32 ref: 00000001400096EE
Part of subcall function 00000001400095A0: lstrlenW.KERNEL32 ref: 0000000140009713
Part of subcall function 00000001400095A0: lstrlenW.KERNEL32 ref: 0000000140009738
Part of subcall function 00000001400095A0: lstrlenW.KERNEL32 ref: 000000014000975C

SendMessageW.USER32 ref: 000000014000A661
SendMessageW.USER32 ref: 000000014000A675
wsprintfW.USER32 ref: 000000014000A6AB
GetClientRect.USER32 ref: 000000014000A6CD
SendMessageW.USER32 ref: 000000014000A706
FindFirstFileW.KERNEL32 ref: 000000014000A71E
lstrlenW.KERNEL32 ref: 000000014000A745
SendMessageW.USER32 ref: 000000014000A7D2
FindNextFileW.KERNEL32 ref: 000000014000A804
FindClose.KERNEL32 ref: 000000014000A815

Strings

%s\*.*, xrefs: 000000014000A69C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSendlstrlen$FolderFromListLocationPathSpecial$Find$File$ClientCloseFirstItemNextRectwsprintf
String ID: %s\*.*
API String ID: 1191195382-1013718255
Opcode ID: 3c00cfffc44c41f7e8bd55f77a1b329c62eebd74909f82033aaa9ab621b4b593
Instruction ID: e4b2a812987430f71ac264499f6ae7b7a1df3c62e0169e7262ed86d878a5f268
Opcode Fuzzy Hash: 3c00cfffc44c41f7e8bd55f77a1b329c62eebd74909f82033aaa9ab621b4b593
Instruction Fuzzy Hash: D551C372214A8082E761CB26F8547DB73A0F78DBE5F849211DB9D47AA8DF7DC149CB40

Function 00000001400238F8 Relevance: 21.2, APIs: 14, Instructions: 197windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 0000000140023A53
ShowWindow.USER32 ref: 0000000140023A67
SendMessageW.USER32 ref: 0000000140023A83
GetClientRect.USER32 ref: 0000000140023ACC
GetClientRect.USER32 ref: 0000000140023ADB
SendMessageW.USER32 ref: 0000000140023AF3
SetWindowPos.USER32 ref: 0000000140023B2D

Part of subcall function 000000014001FA20: SHGetSpecialFolderLocation.SHELL32 ref: 000000014001FB76
Part of subcall function 000000014001FA20: SHGetDesktopFolder.SHELL32 ref: 000000014001FB86

ShowWindow.USER32 ref: 0000000140023B89
SendMessageW.USER32 ref: 0000000140023BBE
GetClientRect.USER32 ref: 0000000140023C07
GetClientRect.USER32 ref: 0000000140023C16
SendMessageW.USER32 ref: 0000000140023C2E
SetWindowPos.USER32 ref: 0000000140023C68
ShowWindow.USER32 ref: 0000000140023C82

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$ClientMessageRectSendShow$Folder$DesktopLocationSpecial
String ID:
API String ID: 410288209-0
Opcode ID: 322aa77159f3c7b8964ab516e3fed0feb13d7947f0b69d87805b915b5fec351c
Instruction ID: 942626af1d8c366efc04faf1e635a78e2675706e48596580cf5a1b9c9d0c1d8e
Opcode Fuzzy Hash: 322aa77159f3c7b8964ab516e3fed0feb13d7947f0b69d87805b915b5fec351c
Instruction Fuzzy Hash: A8A12972204B8486E761DF26E4403DAB761F789F94F588129EF8D0BB69DF79C985CB00

Function 0000000140020BB8 Relevance: 19.6, APIs: 13, Instructions: 106windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140020C1F
GetWindowRect.USER32 ref: 0000000140020C3E
ScreenToClient.USER32 ref: 0000000140020C4D
ScreenToClient.USER32 ref: 0000000140020C60
ExcludeClipRect.GDI32 ref: 0000000140020C7F
MapWindowPoints.USER32 ref: 0000000140020C9F
OffsetWindowOrgEx.GDI32 ref: 0000000140020CB6
SendMessageW.USER32 ref: 0000000140020CD2
OffsetWindowOrgEx.GDI32 ref: 0000000140020CEE
SendMessageW.USER32 ref: 0000000140020D01
OffsetWindowOrgEx.GDI32 ref: 0000000140020D13
SendMessageW.USER32 ref: 0000000140020D26
SetWindowOrgEx.GDI32 ref: 0000000140020D37

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$ClientMessageOffsetRectSend$Screen$ClipExcludePoints
String ID:
API String ID: 986806451-0
Opcode ID: 8c00654a11622e0dcc756902661d98b627de24cb9cdf065ffea1d5c81ef6825d
Instruction ID: 00f282a4903dedcf0ef504674032e559c766e118f53e70da6700473c5c189a97
Opcode Fuzzy Hash: 8c00654a11622e0dcc756902661d98b627de24cb9cdf065ffea1d5c81ef6825d
Instruction Fuzzy Hash: 7E414676624A9087E7618F26F944B8ABBB0F38CFC4F545116EF4A47B28CB79C405CB80

Function 00000001400231CC Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014002326A
SendMessageW.USER32 ref: 0000000140023287

Part of subcall function 00000001400FD62C: SHGetFileInfoW.SHELL32 ref: 00000001400FD67D

SendMessageW.USER32 ref: 000000014002329C
SendMessageW.USER32 ref: 00000001400232BC
SendMessageW.USER32 ref: 0000000140023566
SendMessageW.USER32 ref: 00000001400235BF
SendMessageW.USER32 ref: 0000000140023639
GetClientRect.USER32 ref: 000000014002369B
SetWindowPos.USER32 ref: 00000001400236DE
SendMessageW.USER32 ref: 00000001400236F3

Part of subcall function 0000000140002CBC: SHGetMalloc.SHELL32 ref: 0000000140002CE8

Part of subcall function 0000000140002D3C: SHGetMalloc.SHELL32 ref: 0000000140002D81

Strings

0, xrefs: 000000014002358D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Malloc$ClientFileInfoRectWindow
String ID: 0
API String ID: 30954516-4108050209
Opcode ID: cb529b6333ca4705a5f3cca5ab3b9139987fc52c36c606cb42ce1bf2cc7aac13
Instruction ID: e8b1978d66d724abf10e59701e6cad1c3fbe022964d49da35ceb54ce9944eccd
Opcode Fuzzy Hash: cb529b6333ca4705a5f3cca5ab3b9139987fc52c36c606cb42ce1bf2cc7aac13
Instruction Fuzzy Hash: F4E1A072204A8486EB62DB26E4547DEB3A1F389BD4F444216EB6D47BF5CF38D985CB00

Function 0000000140001424 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 119windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001458

Part of subcall function 00000001400011C0: lstrlenW.KERNEL32 ref: 00000001400011E1

SendMessageW.USER32 ref: 000000014000148A
SendMessageW.USER32 ref: 00000001400014A1
lstrlenW.KERNEL32 ref: 00000001400014EC
lstrlenW.KERNEL32 ref: 00000001400014FC
SendMessageW.USER32 ref: 000000014000153E
SendMessageW.USER32 ref: 0000000140001564
SendMessageW.USER32 ref: 0000000140001578
wsprintfW.USER32 ref: 0000000140001596

Part of subcall function 00000001400013AC: SendMessageW.USER32 ref: 0000000140001405

Strings

last_entry, xrefs: 0000000140001466
entry_%03d, xrefs: 0000000140001587

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$lstrlen$wsprintf
String ID: entry_%03d$last_entry
API String ID: 2298119551-2593065581
Opcode ID: 008a9c5fa7d62b771aece80f0896661768ff2290b8738e3542514f7c33eedfca
Instruction ID: 86b7992cb3d53b04f29448162b060c05a39dc93cda4563d4c974ff5a86073e78
Opcode Fuzzy Hash: 008a9c5fa7d62b771aece80f0896661768ff2290b8738e3542514f7c33eedfca
Instruction Fuzzy Hash: 4B41707231099192FB65DB63F895BDA6291EBCDBC5F844021EF4A4BE66DE38C1058B40

Function 000000014000EE50 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 285COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000EE99

Part of subcall function 000000014000D458: LoadMenuW.USER32 ref: 000000014000D49C
Part of subcall function 000000014000D458: GetMenuItemCount.USER32 ref: 000000014000D4C1
Part of subcall function 000000014000D458: DestroyMenu.USER32 ref: 000000014000D5F0
Part of subcall function 000000014000D458: GetMenuItemCount.USER32 ref: 000000014000D5FE

GetUserNameW.ADVAPI32 ref: 000000014000EF08
wsprintfW.USER32 ref: 000000014000EF7C
GetDlgItem.USER32 ref: 000000014000EF8B
SetWindowTextW.USER32 ref: 000000014000EF9C
GetDlgItem.USER32 ref: 000000014000EFE9
SetWindowTextW.USER32 ref: 000000014000EFF5

Part of subcall function 000000014000AB88: lstrlenW.KERNEL32 ref: 000000014000ABCF

Strings

(%s), xrefs: 000000014000EF26
: , xrefs: 000000014000F24E
: , xrefs: 000000014000F134

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Item$Menu$CountTextWindow$DestroyLoadNameUserlstrlenwsprintf
String ID: (%s)$ : $ :
API String ID: 2736554328-3115013952
Opcode ID: 8bea115dbcc29a40e9f58431ff469bb674405865f8bc93ee5614254e6215e2c4
Instruction ID: e5e2c9bbcaf9d65b956141474eec2938d927ba4a8729c901ff62d07cde69ad73
Opcode Fuzzy Hash: 8bea115dbcc29a40e9f58431ff469bb674405865f8bc93ee5614254e6215e2c4
Instruction Fuzzy Hash: 92C181713155C083EA52E726E8617EB6351E7C9BE0F504321B76E87AEADF3CC9468780

Function 000000014001DF44 Relevance: 16.6, APIs: 11, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001DF85
SendMessageW.USER32 ref: 000000014001DF9E
SendMessageW.USER32 ref: 000000014001DFB4
SendMessageW.USER32 ref: 000000014001DFCF
SendMessageW.USER32 ref: 000000014001DFE5
SendMessageW.USER32 ref: 000000014001E000
SendMessageW.USER32 ref: 000000014001E019
SendMessageW.USER32 ref: 000000014001E02F
GetWindowLongW.USER32 ref: 000000014001E041
SetWindowLongW.USER32 ref: 000000014001E05B
SendMessageW.USER32 ref: 000000014001E074

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 629fe9a901e9e4e3983290e0bba541c7e3961e35d00cdc6b188e1ac93bd33edb
Instruction ID: f096e6b5f0a2cd21c5e5c735ad634d3faffd7a5d715f354c575d3811cd53caa3
Opcode Fuzzy Hash: 629fe9a901e9e4e3983290e0bba541c7e3961e35d00cdc6b188e1ac93bd33edb
Instruction Fuzzy Hash: 8A314E36314A5082EB719B62F8A5B9A7760E7CCBE9F445111AF4D0BF75CE3DC1858B00

Function 0000000140007628 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84stringfileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32 ref: 000000014000765C
lstrlenW.KERNEL32 ref: 000000014000767C
lstrcpyW.KERNEL32 ref: 0000000140007690
FindFirstFileW.KERNEL32 ref: 000000014000769C
GetFullPathNameW.KERNEL32 ref: 00000001400076C4
FindClose.KERNEL32 ref: 00000001400076E6
SetLastError.KERNEL32 ref: 00000001400076F8
lstrlenW.KERNEL32 ref: 0000000140007703

Strings

*.*, xrefs: 0000000140007672

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Find$Closelstrlen$ErrorFileFirstFullLastNamePathlstrcpy
String ID: *.*
API String ID: 3592433370-438819550
Opcode ID: d7caec423a6b86632392b46f711556e635fc092a3b313932cd0b667e2973d7b2
Instruction ID: 6639bd9ae3950c3fc4ce81febd3fa46d1e6c52afffb5cbacca2b2e4680caa3b1
Opcode Fuzzy Hash: d7caec423a6b86632392b46f711556e635fc092a3b313932cd0b667e2973d7b2
Instruction Fuzzy Hash: E93181B1604A4081EA51DF26E6487A93391E74DFE4F580324EB2E4BBF4DF7EC4828355

Function 00000001400041C8 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 294COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014000420D

Part of subcall function 0000000140001A70: LoadLibraryW.KERNEL32 ref: 0000000140001A93
Part of subcall function 0000000140001A70: GetProcAddress.KERNEL32 ref: 0000000140001ABB

GetClientRect.USER32 ref: 0000000140004260
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400042E9
#190.SHELL32 ref: 0000000140004345

Strings

d, xrefs: 0000000140004617
d, xrefs: 0000000140004607
d, xrefs: 000000014000460F

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClientRect$#190AddressFolderLibraryLoadLocationProcSpecial
String ID: d$d$d
API String ID: 2660539279-1898527202
Opcode ID: 71c33372302f916ebc354bbbe30eccb46d4915fba6f3a10c20ba7567cc0c0410
Instruction ID: a6f3bc1b3df756f0986c1d608cc1a7eeb1e4ca896bd857a2471bc125daaf5835
Opcode Fuzzy Hash: 71c33372302f916ebc354bbbe30eccb46d4915fba6f3a10c20ba7567cc0c0410
Instruction Fuzzy Hash: 52E16C76205A8482EB21DF26E4907DEB361F789FD4F448126EB9E47BA5DF39C548CB00

Function 00000001400FC53C Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 270windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00000001400FC79D

Strings

B:\, xrefs: 00000001400FC71F
A:\, xrefs: 00000001400FC708

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateMenuPopup
String ID: A:\$B:\
API String ID: 3826294624-1009255891
Opcode ID: 10cbcbbae597c01d781b4ad2bf177acf0c66034345fd2a8dc4432be5cca0da1f
Instruction ID: 604ee408bf97461fa7ae356aabdbf716d6fd73ca5e4ce1517ef24e6503e624d5
Opcode Fuzzy Hash: 10cbcbbae597c01d781b4ad2bf177acf0c66034345fd2a8dc4432be5cca0da1f
Instruction Fuzzy Hash: B9C1C172218A8082EB62DB26E9507DEA361F78CBD4F444116EF8D57BB9DF78C545CB00

Function 0000000140021068 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 185windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400210B3
SendMessageW.USER32 ref: 0000000140021190
lstrcatW.KERNEL32 ref: 00000001400211A5

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 00000001400FE27C: SHGetFileInfoW.SHELL32 ref: 00000001400FE2F8
Part of subcall function 00000001400FE27C: lstrlenW.KERNEL32 ref: 00000001400FE308

Strings

o, xrefs: 000000014002122A
p, xrefs: 00000001400212B6
0, xrefs: 0000000140021133

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$MessageSend$ByteCharFileInfoMultiWidelstrcat
String ID: 0$o$p
API String ID: 2028529823-2855627637
Opcode ID: 1b963002c905acdd9e4b1c3cbb92eebd2488d5de023baa553beeb7a623ec9a00
Instruction ID: 3be114c49241565be9ad57c24d918b27290463d7114049797c8fd31369fbb42a
Opcode Fuzzy Hash: 1b963002c905acdd9e4b1c3cbb92eebd2488d5de023baa553beeb7a623ec9a00
Instruction Fuzzy Hash: 77719D32204A8181EA52EB2BE8513EA6361FBDDBF4F804316BB6D476F5DE38C945C700

Function 0000000140007860 Relevance: 9.1, APIs: 6, Instructions: 66clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00000001400078A7
EmptyClipboard.USER32 ref: 00000001400078B1
GlobalAlloc.KERNEL32 ref: 00000001400078C9
GlobalLock.KERNEL32 ref: 00000001400078EF
SetClipboardData.USER32 ref: 000000014000790B
CloseClipboard.USER32 ref: 0000000140007911

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpen
String ID:
API String ID: 1872618283-0
Opcode ID: 594cd973ebf979aee4e0bde8c44eb27d035c6e478d97713dde4b44e7a8cf85c9
Instruction ID: be190ecb7c61bb58360671a9dd132366ebcc16387152280a04eaceafb3a8eab2
Opcode Fuzzy Hash: 594cd973ebf979aee4e0bde8c44eb27d035c6e478d97713dde4b44e7a8cf85c9
Instruction Fuzzy Hash: 6C216032201A4085EA62EB36E8553EA6761EB88FF4F480335AB6D477F6DF38C545C744

Function 0000000140026184 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140003AE4: lstrlenA.KERNEL32 ref: 0000000140003B08
Part of subcall function 0000000140003AE4: MultiByteToWideChar.KERNEL32 ref: 0000000140003B86
Part of subcall function 0000000140003AE4: lstrlenW.KERNEL32 ref: 0000000140003BA2

GetTimeZoneInformation.KERNEL32 ref: 00000001400262AF

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Strings

http, xrefs: 00000001400263B9
https, xrefs: 00000001400263CD
com, xrefs: 0000000140026322, 0000000140026368

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide$InformationTimeZone
String ID: com$http$https
API String ID: 1891917992-1205338474
Opcode ID: 7f8d9ded14d1b2e1fbde5ff34204a7be8db8e8b6ccaffbc52d971124b6693e83
Instruction ID: 7e7559996cf9e42fc57bdc9444302e077bc977e404b3c2ff2fd3f9c16d10a7aa
Opcode Fuzzy Hash: 7f8d9ded14d1b2e1fbde5ff34204a7be8db8e8b6ccaffbc52d971124b6693e83
Instruction Fuzzy Hash: F3918332309680C1EB02DB7AD8497ED37A0A749BE4F580219E7AD472F6CB7ACD45C761

Function 00000001400853D4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A9E8: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140001249), ref: 000000014000AA2C

GetPrivateProfileStringW.KERNEL32 ref: 0000000140085466
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,for_all_install,Program,0000000140085790), ref: 0000000140085478

Strings

for_all_install, xrefs: 00000001400853DC
Program, xrefs: 00000001400853DB

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$PrivateProfileString
String ID: Program$for_all_install
API String ID: 2516951217-68737091
Opcode ID: ccdaf7ac6400ac0d2139999ccba3a0792c53768118820b3a4d037f2c4a500497
Instruction ID: 80b73980f0693fcc24a34737d6480afba8fa95c67a586a6b7372958da9185dee
Opcode Fuzzy Hash: ccdaf7ac6400ac0d2139999ccba3a0792c53768118820b3a4d037f2c4a500497
Instruction Fuzzy Hash: 39213B72210A808AE741EF26E85439E6764F78DFF4F544221BF6E877E5CB78C5518740

Function 0000000140018790 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

AXWIN, xrefs: 0000000140018B76

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID:
String ID: AXWIN
API String ID: 0-1948516679
Opcode ID: 7df18f6fc35f79ed49c0cdb56dd8ed769362352c57863fe6de571a2c61cdd53e
Instruction ID: c75c99f80d397147d35b2e3c87a1350abe42652442c41f81fb8e6d27de36be4a
Opcode Fuzzy Hash: 7df18f6fc35f79ed49c0cdb56dd8ed769362352c57863fe6de571a2c61cdd53e
Instruction Fuzzy Hash: 3FF1E476201A8582EB69CF2AE4947DEB3A0FB89F84F448112DF9E47764DF3AD548C740

Function 00000001400038A8 Relevance: 4.5, APIs: 3, Instructions: 22timekeyboardCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00000001400038BA
GetAsyncKeyState.USER32 ref: 00000001400038C5
SetTimer.USER32 ref: 00000001400038E6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Timer$AsyncKillState
String ID:
API String ID: 3065476933-0
Opcode ID: c61981b638d52854e934b5ce57fdcafba756d400136af1b0950cb53aa9c6da54
Instruction ID: 83b0dc558db1e19b8b48179a39578b0fa32cfe84b150e48cabf1ca8d5a4039f0
Opcode Fuzzy Hash: c61981b638d52854e934b5ce57fdcafba756d400136af1b0950cb53aa9c6da54
Instruction Fuzzy Hash: ACE0927170058182EB1ADB63F4213A92224E79CFD2F084020EF460B3A2CE3AC8918750

Function 00000001400147C8 Relevance: 168.2, APIs: 6, Strings: 90, Instructions: 239stringthreadwindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140014812
lstrlenW.KERNEL32 ref: 0000000140014824
CharLowerW.USER32 ref: 0000000140014847

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

CreateThread.KERNEL32 ref: 00000001400149B4
MessageBoxA.USER32 ref: 0000000140014C27
ExitProcess.KERNEL32 ref: 0000000140014C2F

Strings

r, xrefs: 0000000140014B28
u, xrefs: 0000000140014A18
d, xrefs: 0000000140014AF0
h, xrefs: 0000000140014B48
b, xrefs: 0000000140014BD2
!, xrefs: 0000000140014C0E
a, xrefs: 0000000140014B20
t, xrefs: 0000000140014B30
o, xrefs: 0000000140014B70
, xrefs: 00000001400149EB
e, xrefs: 0000000140014BCD
n, xrefs: 0000000140014A68
c, xrefs: 0000000140014AA8
d, xrefs: 0000000140014A30
:, xrefs: 0000000140014BA8
t, xrefs: 0000000140014B18
e, xrefs: 00000001400149D7
), xrefs: 0000000140014BB8
, xrefs: 0000000140014A09
r, xrefs: 0000000140014BEB
:, xrefs: 0000000140014881
g, xrefs: 0000000140014A58
n, xrefs: 0000000140014AE8
, xrefs: 0000000140014B38
e, xrefs: 0000000140014A38
b, xrefs: 0000000140014A40
p, xrefs: 0000000140014A90
a, xrefs: 0000000140014AB0
i, xrefs: 0000000140014AA0
e, xrefs: 0000000140014B50
c, xrefs: 00000001400149F0
o, xrefs: 00000001400149FA
_, xrefs: 000000014001486D
u, xrefs: 0000000140014BFF
d, xrefs: 0000000140014C09
l, xrefs: 0000000140014A98
u, xrefs: 0000000140014A48
m, xrefs: 0000000140014B90
e, xrefs: 0000000140014BE6
n, xrefs: 0000000140014C04
g, xrefs: 0000000140014A50
g, xrefs: 0000000140014B78
t, xrefs: 0000000140014AB8
s, xrefs: 00000001400149FF
, xrefs: 0000000140014A78
a, xrefs: 00000001400149DC
i, xrefs: 0000000140014A60
u, xrefs: 0000000140014BD7
a, xrefs: 0000000140014B88
y, xrefs: 0000000140014A0E
g, xrefs: 0000000140014A70
o, xrefs: 0000000140014BFA
" D, xrefs: 0000000140014C20
, xrefs: 0000000140014AD8
s, xrefs: 0000000140014B10
s, xrefs: 00000001400149E1
e, xrefs: 0000000140014B08
o, xrefs: 0000000140014AC8
c, xrefs: 000000014001485E
g, xrefs: 0000000140014BDC
, xrefs: 0000000140014BF0
D, xrefs: 0000000140014BC8
, xrefs: 0000000140014A28
r, xrefs: 0000000140014B68
t, xrefs: 0000000140014B40
_, xrefs: 0000000140014859
r, xrefs: 0000000140014A20
a, xrefs: 0000000140014A80
p, xrefs: 0000000140014B60
p, xrefs: 0000000140014868
r, xrefs: 0000000140014B00
i, xrefs: 0000000140014AC0
f, xrefs: 000000014001487C
m, xrefs: 0000000140014872
-, xrefs: 0000000140014BB0
, xrefs: 0000000140014B58
, xrefs: 0000000140014AF8
F, xrefs: 0000000140014BF5
r, xrefs: 0000000140014B80
o, xrefs: 0000000140014A13
n, xrefs: 0000000140014AD0
e, xrefs: 0000000140014A04
p, xrefs: 0000000140014863
l, xrefs: 00000001400149F5
a, xrefs: 0000000140014AE0
\, xrefs: 0000000140014886
p, xrefs: 0000000140014A88
e, xrefs: 00000001400149E6
g, xrefs: 0000000140014BE1
", xrefs: 0000000140014B98

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$Char$ByteCreateExitFileLowerMessageModuleMultiNameProcessThreadWide
String ID: $ $ $ $ $ $ $ $ $!$"$" D$)$-$:$:$D$F$\$_$_$a$a$a$a$a$a$b$b$c$c$c$d$d$d$e$e$e$e$e$e$e$e$f$g$g$g$g$g$g$h$i$i$i$l$l$m$m$n$n$n$n$o$o$o$o$o$p$p$p$p$p$r$r$r$r$r$r$s$s$s$t$t$t$t$u$u$u$u$y
API String ID: 1514836828-1553105431
Opcode ID: 719c199602d7c0d595f80c0376d60695d33414ffac813049b189e6f0c892736d
Instruction ID: 0000cabaad5d0256930fbd365e5a08f5630db3a31c77a4ec0ff25ac1f530c258
Opcode Fuzzy Hash: 719c199602d7c0d595f80c0376d60695d33414ffac813049b189e6f0c892736d
Instruction Fuzzy Hash: 39D1042210C7C0C9E722C739E45839BBF91E396758F084149A7D84BAEACBBFD454CB61

Function 000000014000E7B4 Relevance: 73.9, APIs: 34, Strings: 8, Instructions: 402windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400860D4: GetModuleFileNameW.KERNEL32 ref: 000000014008613E

GetParent.USER32 ref: 000000014000E7F2

Part of subcall function 000000014000204C: GetWindowLongW.USER32 ref: 0000000140002069
Part of subcall function 000000014000204C: GetParent.USER32 ref: 000000014000207F
Part of subcall function 000000014000204C: GetWindowRect.USER32 ref: 000000014000209D
Part of subcall function 000000014000204C: GetWindowLongW.USER32 ref: 00000001400020B6
Part of subcall function 000000014000204C: SystemParametersInfoW.USER32 ref: 00000001400020D7
Part of subcall function 000000014000204C: SetWindowPos.USER32 ref: 00000001400021DE

GetDlgItem.USER32 ref: 000000014000E814

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 0000000140085BB0: _cwprintf_s_l.LIBCMT ref: 0000000140085BEA

Part of subcall function 0000000140085724: GetPrivateProfileIntW.KERNEL32 ref: 0000000140085755
Part of subcall function 0000000140085724: _cwprintf_s_l.LIBCMT ref: 0000000140085776

lstrlenW.KERNEL32 ref: 000000014000E97E
GetDlgItem.USER32 ref: 000000014000E998
SendMessageW.USER32 ref: 000000014000E9AC
SetWindowTextW.USER32 ref: 000000014000E9E1
lstrlenW.KERNEL32 ref: 000000014000EA66
SetWindowTextW.USER32 ref: 000000014000EA98
GetDlgItem.USER32 ref: 000000014000EAA7
GetSystemMetrics.USER32 ref: 000000014000EAC1
GetSystemMetrics.USER32 ref: 000000014000EACE
LoadImageW.USER32 ref: 000000014000EAEF
SendMessageW.USER32 ref: 000000014000EB04
GetSystemMetrics.USER32 ref: 000000014000EB16
GetSystemMetrics.USER32 ref: 000000014000EB23
LoadImageW.USER32 ref: 000000014000EB3E
SendMessageW.USER32 ref: 000000014000EB53
GetModuleHandleW.KERNEL32 ref: 000000014000EB60
GetSystemMetrics.USER32 ref: 000000014000EB77
GetSystemMetrics.USER32 ref: 000000014000EB84
LoadImageW.USER32 ref: 000000014000EBA5
SendMessageW.USER32 ref: 000000014000EBBD
GetSystemMetrics.USER32 ref: 000000014000EBC8
GetSystemMetrics.USER32 ref: 000000014000EBD5
LoadImageW.USER32 ref: 000000014000EBF3
SendMessageW.USER32 ref: 000000014000EC07
GetDlgItem.USER32 ref: 000000014000EC18
SetWindowPos.USER32 ref: 000000014000EC3E
GetDlgItem.USER32 ref: 000000014000EC4F
SendMessageW.USER32 ref: 000000014000EC69
SendMessageW.USER32 ref: 000000014000EC97
MessageBoxW.USER32 ref: 000000014000ED29
EndDialog.USER32 ref: 000000014000EDF6
PostQuitMessage.USER32 ref: 000000014000EDFF

Strings

INI-ERROR(1), xrefs: 000000014000ED1B
/silent, xrefs: 000000014000E8CF
Start, xrefs: 000000014000E86F
m_lang_id, xrefs: 000000014000E868
lng, xrefs: 000000014000E829
/SILENT, xrefs: 000000014000E933
Uninstall , xrefs: 000000014000E9B2
shell32.dll, xrefs: 000000014000EB59

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSystem$Metrics$SendWindow$Item$ImageLoadlstrlen$LongModuleParentText_cwprintf_s_l$ByteCharDialogFileHandleInfoMultiNameParametersPostPrivateProfileQuitRectWide
String ID: /SILENT$/silent$INI-ERROR(1)$Start$Uninstall $lng$m_lang_id$shell32.dll
API String ID: 3653856717-4112181553
Opcode ID: f426cc110dd81f1611d680e901cdbaac693459b74df1e959f7455f889dac0596
Instruction ID: 752e121248e5594991b823083c66e510f566f5baf012ee6191a8888a2bbc9a33
Opcode Fuzzy Hash: f426cc110dd81f1611d680e901cdbaac693459b74df1e959f7455f889dac0596
Instruction Fuzzy Hash: 151248B2300A8086EA52DF2AE8547D933A1F78CBE4F544212EB6D6B6F5DF39C5858740

Function 000000014001463C Relevance: 63.1, APIs: 5, Strings: 31, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

LoadLibraryW.KERNEL32 ref: 00000001400146A4
GetProcAddress.KERNEL32 ref: 0000000140014741
LoadLibraryW.KERNEL32 ref: 0000000140014765
GetProcAddress.KERNEL32 ref: 000000014001477A
GetCurrentProcess.KERNEL32 ref: 0000000140014788

Strings

., xrefs: 0000000140014683
e, xrefs: 000000014001466F
b, xrefs: 00000001400146FB
s, xrefs: 0000000140014728
e, xrefs: 00000001400146F6
u, xrefs: 0000000140014700
ntdll.dll, xrefs: 000000014001475E
t, xrefs: 0000000140014737
r, xrefs: 0000000140014714
e, xrefs: 000000014001470F
n, xrefs: 000000014001466A
e, xrefs: 0000000140014723
2, xrefs: 000000014001467E
r, xrefs: 000000014001471E
K, xrefs: 000000014001465B
d, xrefs: 0000000140014688
I, xrefs: 00000001400146E7
r, xrefs: 0000000140014665
l, xrefs: 000000014001468D
n, xrefs: 0000000140014732
g, xrefs: 000000014001470A
g, xrefs: 0000000140014705
l, xrefs: 0000000140014674
s, xrefs: 00000001400146EC
l, xrefs: 0000000140014692
e, xrefs: 000000014001472D
3, xrefs: 0000000140014679
D, xrefs: 00000001400146F1
P, xrefs: 0000000140014719
e, xrefs: 0000000140014660
NtQueryInformationProcess, xrefs: 0000000140014770

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProclstrlen$ByteCharCurrentMultiProcessWide
String ID: .$2$3$D$I$K$NtQueryInformationProcess$P$b$d$e$e$e$e$e$e$g$g$l$l$l$n$n$ntdll.dll$r$r$r$s$s$t$u
API String ID: 2955559129-2032009382
Opcode ID: 83936a6e60971807bd9a841582d71c7bc9abb7deebbfde0675ab1a4d8166ddc1
Instruction ID: ebb7062b7830e2f6201c3ee88f5bab5457eb83f6b9f17b420c99f5bab9962169
Opcode Fuzzy Hash: 83936a6e60971807bd9a841582d71c7bc9abb7deebbfde0675ab1a4d8166ddc1
Instruction Fuzzy Hash: 8C41542210C7C085F752C769E40435ABFD1D796BA8F080159A7D90B6EACBFFC448CB21

Function 00000001400198D0 Relevance: 51.1, APIs: 20, Strings: 9, Instructions: 324COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140019942
IsWindow.USER32 ref: 0000000140019979
GetSysColor.USER32 ref: 00000001400199D3
GetWindowLongW.USER32 ref: 0000000140019A92

Strings

:, xrefs: 0000000140019B70
M, xrefs: 0000000140019B04
t, xrefs: 0000000140019B41
m, xrefs: 0000000140019B0B
h, xrefs: 0000000140019B2F
m, xrefs: 0000000140019B53
7, xrefs: 0000000140019AD3
s, xrefs: 0000000140019B1D
l, xrefs: 0000000140019B65

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$ColorLongRedraw
String ID: 7$:$M$h$l$m$m$s$t
API String ID: 4056730343-774144524
Opcode ID: b7f5465834f6e590c0bbed4cce9958aad9cdde72733777f65dba2b1614c7fcd9
Instruction ID: 78b4388999416cd18bfcb0f14d0a6cd4aa7666f392b8eb34da5cf203a5b0034f
Opcode Fuzzy Hash: b7f5465834f6e590c0bbed4cce9958aad9cdde72733777f65dba2b1614c7fcd9
Instruction Fuzzy Hash: 99E1B432208A8481EB62DF66E4443ED77A5F788BD4F548116EB4A5F7B8CF7AC884C741

Function 000000014001ED38 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014001ED64
CreateCompatibleDC.GDI32 ref: 000000014001ED80
SaveDC.GDI32 ref: 000000014001ED8C
CreateCompatibleBitmap.GDI32 ref: 000000014001EDC0
SelectObject.GDI32 ref: 000000014001EDCF
BitBlt.GDI32 ref: 000000014001EE03
CreateCompatibleDC.GDI32 ref: 000000014001EE11
SaveDC.GDI32 ref: 000000014001EE1D
CreateCompatibleBitmap.GDI32 ref: 000000014001EE34
SelectObject.GDI32 ref: 000000014001EE43
SetBkColor.GDI32 ref: 000000014001EE53
ExtTextOutW.GDI32 ref: 000000014001EED3
AlphaBlend.MSIMG32 ref: 000000014001EF2A
BitBlt.GDI32 ref: 000000014001EF5F
CreateSolidBrush.GDI32 ref: 000000014001EF6C
FrameRect.USER32 ref: 000000014001EF88
RestoreDC.GDI32 ref: 000000014001EF98
RestoreDC.GDI32 ref: 000000014001EFA4
DeleteObject.GDI32 ref: 000000014001EFB2
DeleteObject.GDI32 ref: 000000014001EFC0
DeleteDC.GDI32 ref: 000000014001EFCE
DeleteObject.GDI32 ref: 000000014001EFDC
DeleteDC.GDI32 ref: 000000014001EFEA

Strings

, xrefs: 000000014001EF3D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateDeleteObject$Compatible$BitmapColorRestoreSaveSelect$AlphaBlendBrushFrameRectSolidText
String ID:
API String ID: 2299858245-3916222277
Opcode ID: d8a10fb40862b8792894005f81b4c280e102807db963039045cda572e127b124
Instruction ID: 7f65cc1d17b691afa23bbaa84f5afc78dc83da2c72959074ca907df5fa96d52b
Opcode Fuzzy Hash: d8a10fb40862b8792894005f81b4c280e102807db963039045cda572e127b124
Instruction Fuzzy Hash: 3671F6766186C18AD7658F26B8447AABBA0F7CDBD0F144129EF8A47B28DF3DC445CB40

Function 00000001400A55BC Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 350registryCOMMON

Download Yara Rule

APIs

#18.SHELL32 ref: 00000001400A561A
SHGetSettings.SHELL32 ref: 00000001400A563E
#190.SHELL32 ref: 00000001400A5667
#190.SHELL32 ref: 00000001400A56D6
#190.SHELL32 ref: 00000001400A5777

Part of subcall function 0000000140085724: GetPrivateProfileIntW.KERNEL32 ref: 0000000140085755
Part of subcall function 0000000140085724: _cwprintf_s_l.LIBCMT ref: 0000000140085776

FindWindowExW.USER32 ref: 00000001400A58E9
RevokeDragDrop.OLE32 ref: 00000001400A598B
RegisterDragDrop.OLE32 ref: 00000001400A5997
GetWindowLongW.USER32 ref: 00000001400A5A4E
SetWindowLongW.USER32 ref: 00000001400A5A67
GetWindowLongW.USER32 ref: 00000001400A5A7C
SetWindowLongW.USER32 ref: 00000001400A5A94
GetWindowLongW.USER32 ref: 00000001400A5AA0
SetWindowLongW.USER32 ref: 00000001400A5AB7
GetWindowLongW.USER32 ref: 00000001400A5ACC
SetWindowLongW.USER32 ref: 00000001400A5AE4
GetWindowLongW.USER32 ref: 00000001400A5AF2
SetWindowLongW.USER32 ref: 00000001400A5B09

Part of subcall function 00000001400FE27C: SHGetFileInfoW.SHELL32 ref: 00000001400FE2F8
Part of subcall function 00000001400FE27C: lstrlenW.KERNEL32 ref: 00000001400FE308

Strings

shell:::{323CA680-C24D-4099-B94D-446DD2D7249E}, xrefs: 00000001400A5660
shell:::{679f85cb-0220-4080-b29b-5540cc05aab6}, xrefs: 00000001400A56CF
explorer, xrefs: 00000001400A59C8
Tree_Folder, xrefs: 00000001400A57A6, 00000001400A5843
SysTreeView32, xrefs: 00000001400A58D9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Long$#190$DragDrop$FileFindInfoPrivateProfileRegisterRevokeSettings_cwprintf_s_llstrlen
String ID: SysTreeView32$Tree_Folder$explorer$shell:::{323CA680-C24D-4099-B94D-446DD2D7249E}$shell:::{679f85cb-0220-4080-b29b-5540cc05aab6}
API String ID: 71843160-2751362909
Opcode ID: cdac5fd20af3815c5539bf1089f494692801393276e1bef8d54d18d1450fe6dc
Instruction ID: 244ed6fa58f986c0078e1fcb5a61dd850c8ccb0a1c49473f59fd0f2105532851
Opcode Fuzzy Hash: cdac5fd20af3815c5539bf1089f494692801393276e1bef8d54d18d1450fe6dc
Instruction Fuzzy Hash: 30E17C36310A4082EB62AB27E8547DA73A1F79DBD9F145315EB5A47BB0DF39C485CB00

Function 0000000140004780 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 142windowcomthreadCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00000001400047C6
#4.SHELL32 ref: 00000001400047EF
GetModuleHandleW.KERNEL32 ref: 000000014000483B
GetSystemMetrics.USER32 ref: 0000000140004849
GetSystemMetrics.USER32 ref: 0000000140004856
LoadImageW.USER32 ref: 0000000140004876
SendMessageW.USER32 ref: 000000014000488C
GetSystemMetrics.USER32 ref: 0000000140004897
GetSystemMetrics.USER32 ref: 00000001400048A4
LoadImageW.USER32 ref: 00000001400048C4
SendMessageW.USER32 ref: 00000001400048D9
GetCurrentThreadId.KERNEL32 ref: 00000001400048DF
SetTimer.USER32 ref: 0000000140004920
GetWindowLongW.USER32 ref: 00000001400049A8
SetWindowLongW.USER32 ref: 00000001400049C0

Strings

shell32.dll, xrefs: 0000000140004834
GGGGGGGGGGGGGG3333w, xrefs: 00000001400047D7

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MetricsSystem$ImageLoadLongMessageSendWindow$CreateCurrentHandleInstanceModuleThreadTimer
String ID: GGGGGGGGGGGGGG3333w$shell32.dll
API String ID: 3538168692-247136160
Opcode ID: 4bb10a95a415b1ce70e46ca354cb0b19f6a599b72350abaae7d7e4cd84a218e4
Instruction ID: effaa9e81f3de398a63732d4e63c0a9843874db65c23d4bb19153361ae8e52cb
Opcode Fuzzy Hash: 4bb10a95a415b1ce70e46ca354cb0b19f6a599b72350abaae7d7e4cd84a218e4
Instruction Fuzzy Hash: 39613771300A4086E752DB36E85479A73A0F788BE5F548221EB5A8BAB9DF39C949C740

Function 0000000140026470 Relevance: 39.2, APIs: 1, Strings: 25, Instructions: 177stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 0000000140003AE4: lstrlenA.KERNEL32 ref: 0000000140003B08
Part of subcall function 0000000140003AE4: MultiByteToWideChar.KERNEL32 ref: 0000000140003B86
Part of subcall function 0000000140003AE4: lstrlenW.KERNEL32 ref: 0000000140003BA2

lstrlenW.KERNEL32 ref: 00000001400266AB

Strings

f, xrefs: 000000014002653A
w, xrefs: 0000000140026544
w, xrefs: 000000014002651C
., xrefs: 0000000140026562
a, xrefs: 0000000140026549
/, xrefs: 0000000140026512
., xrefs: 000000014002652B
Start, xrefs: 00000001400264C9
e, xrefs: 0000000140026553
h, xrefs: 00000001400264F9
r, xrefs: 000000014002654E
t, xrefs: 00000001400264FE
t, xrefs: 000000014002653F
auto_update_domain, xrefs: 00000001400264B6
t, xrefs: 0000000140026503
p, xrefs: 0000000140026508
o, xrefs: 0000000140026535
o, xrefs: 0000000140026558
:, xrefs: 000000014002650D
/, xrefs: 0000000140026517
w, xrefs: 0000000140026526
s, xrefs: 0000000140026530
k, xrefs: 000000014002655D
w, xrefs: 0000000140026521
com, xrefs: 0000000140026598

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide
String ID: .$.$/$/$:$Start$a$auto_update_domain$com$e$f$h$k$o$o$p$r$s$t$t$t$w$w$w$w
API String ID: 477651035-1038781873
Opcode ID: 652a20e7a2572e4ecdc1d2d50a95e814720ad845413677b369cbd449c423dca3
Instruction ID: 605818b88a422d67cb553fba9621f2b72a2fa53064d5ecd022150907ca5edf59
Opcode Fuzzy Hash: 652a20e7a2572e4ecdc1d2d50a95e814720ad845413677b369cbd449c423dca3
Instruction Fuzzy Hash: 5481913220868086E752CB3AE8487DD77A5F389BD8F584215F79C476BACB7DC949CB10

Function 0000000140009E3C Relevance: 37.7, APIs: 25, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140009ECE
SetBkMode.GDI32 ref: 0000000140009EDE
SelectObject.GDI32 ref: 0000000140009EF0
DrawTextW.USER32 ref: 0000000140009F20
IsWindowEnabled.USER32 ref: 0000000140009F2A
SetTextColor.GDI32 ref: 0000000140009F67
SelectObject.GDI32 ref: 0000000140009F9A
DrawTextW.USER32 ref: 0000000140009FC1
SetTextColor.GDI32 ref: 0000000140009FD1
SelectObject.GDI32 ref: 0000000140009FE3
DrawTextW.USER32 ref: 000000014000A02E
GetFocus.USER32 ref: 000000014000A034
DrawFocusRect.USER32 ref: 000000014000A04C
SetBkMode.GDI32 ref: 000000014000A05F
IsWindowEnabled.USER32 ref: 000000014000A069
SetTextColor.GDI32 ref: 000000014000A0A8
SelectObject.GDI32 ref: 000000014000A0DC
GetWindowLongW.USER32 ref: 000000014000A0FB
DrawTextW.USER32 ref: 000000014000A128
GetFocus.USER32 ref: 000000014000A12E
DrawFocusRect.USER32 ref: 000000014000A146
SetTextColor.GDI32 ref: 000000014000A157
SelectObject.GDI32 ref: 000000014000A168

Part of subcall function 0000000140007068: lstrlenW.KERNEL32 ref: 00000001400070CA
Part of subcall function 0000000140007068: CompareStringW.KERNEL32 ref: 0000000140007124
Part of subcall function 0000000140007068: CompareStringW.KERNEL32 ref: 0000000140007173

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Text$Draw$ObjectSelect$ColorFocus$RectWindow$CompareEnabledModeString$ClientLonglstrlen
String ID:
API String ID: 2647594523-0
Opcode ID: 3f8b05972cd6593dca4c03298b517c35b8d4a0e53a8c6a34df1d6091895320e8
Instruction ID: b8d4a4a28b2fd228c5ce2ab35eb3cdbf29f8c14fc72cabab91998f43d8c5e881
Opcode Fuzzy Hash: 3f8b05972cd6593dca4c03298b517c35b8d4a0e53a8c6a34df1d6091895320e8
Instruction Fuzzy Hash: E4A14D76604B8486EBA1DF26E44479E73A1F789F94F044022EF8D4B768CF79C889C780

Function 00000001400FEC0C Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 185windowmemoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 00000001400FEC7A
SetWindowLongW.USER32 ref: 00000001400FEC94
GetWindowLongW.USER32 ref: 00000001400FECAA
SetWindowLongW.USER32 ref: 00000001400FECC3
GetWindowLongW.USER32 ref: 00000001400FECE2
GetWindowLongW.USER32 ref: 00000001400FECF1
SetWindowLongW.USER32 ref: 00000001400FED0A
SHGetSettings.SHELL32 ref: 00000001400FED3A
#18.SHELL32 ref: 00000001400FED5F
#17.SHELL32 ref: 00000001400FED6B
#16.SHELL32 ref: 00000001400FED7D
#18.SHELL32 ref: 00000001400FED86
SendMessageW.USER32 ref: 00000001400FEDE8
SendMessageW.USER32 ref: 00000001400FEDFE
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400FEE10
GlobalAlloc.KERNEL32 ref: 00000001400FEE2F
#18.SHELL32 ref: 00000001400FEE3F
SendMessageW.USER32 ref: 00000001400FEEA7
SendMessageW.USER32 ref: 00000001400FEEE8

Strings

g, xrefs: 00000001400FEE24

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: LongWindow$MessageSend$AllocFolderGlobalLocationSettingsSpecial
String ID: g
API String ID: 1528256793-30677878
Opcode ID: 9d70cd2dfe3b08ff4a48f132ec8a9e10b75704701d64df2a7dac44062355b066
Instruction ID: 3535d59f8bcc30ae388a77284d4861c99e2a340e566c5f91dd2fabfe10c68ed7
Opcode Fuzzy Hash: 9d70cd2dfe3b08ff4a48f132ec8a9e10b75704701d64df2a7dac44062355b066
Instruction Fuzzy Hash: 0C81C336200B9096E7659F63E8147D9B3A1F38CBA4F184225EF5A47BA4CF79C495C740

Function 0000000140016700 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32 ref: 000000014001674A
GetClientRect.USER32 ref: 0000000140016765
CreateSolidBrush.GDI32 ref: 0000000140016771
FillRect.USER32 ref: 000000014001678A
DeleteObject.GDI32 ref: 0000000140016793
EndPaint.USER32 ref: 00000001400167A2
BeginPaint.USER32 ref: 00000001400167CD
GetClientRect.USER32 ref: 00000001400167E8
CreateCompatibleBitmap.GDI32 ref: 0000000140016803
CreateCompatibleDC.GDI32 ref: 0000000140016814
SelectObject.GDI32 ref: 000000014001682C
CreateSolidBrush.GDI32 ref: 0000000140016844
FillRect.USER32 ref: 0000000140016861
DeleteObject.GDI32 ref: 000000014001686A
BitBlt.GDI32 ref: 00000001400168E3
SelectObject.GDI32 ref: 00000001400168EF
DeleteDC.GDI32 ref: 00000001400168F8

Strings

, xrefs: 00000001400168C0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateObjectRect$DeletePaint$BeginBrushClientCompatibleFillSelectSolid$Bitmap
String ID:
API String ID: 2927874120-3916222277
Opcode ID: cd3790e350a686f5605ec883355a0ac94a9e3c6f6c0e2ca7b725501f9cc9a2d6
Instruction ID: a5e84ae98cffd5e6033d0197016375aed9d9d0d7b093881bcabc453147b6fcf2
Opcode Fuzzy Hash: cd3790e350a686f5605ec883355a0ac94a9e3c6f6c0e2ca7b725501f9cc9a2d6
Instruction Fuzzy Hash: 1A513B32215B84C6EB51CB26E85879973A0F78CFD9F184125EF490BB68DF3AD849CB40

Function 00000001400244B0 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 215windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140024503
ClientToScreen.USER32 ref: 000000014002451B
SendMessageW.USER32 ref: 000000014002455B

Part of subcall function 00000001400C4F64: SHGetMalloc.SHELL32 ref: 00000001400C4F84

Part of subcall function 00000001400FA040: SHGetMalloc.SHELL32 ref: 00000001400FA0A0

Part of subcall function 00000001400C4C68: #18.SHELL32 ref: 00000001400C4C8C
Part of subcall function 00000001400C4C68: #17.SHELL32 ref: 00000001400C4C98

#18.SHELL32 ref: 0000000140024633
GetMenuItemCount.USER32 ref: 0000000140024678
AppendMenuW.USER32 ref: 0000000140024695
AppendMenuW.USER32 ref: 00000001400246AE
SendMessageW.USER32 ref: 000000014002470B
GetParent.USER32 ref: 0000000140024717
GetParent.USER32 ref: 00000001400247EB
SendMessageW.USER32 ref: 0000000140024801
SendMessageW.USER32 ref: 000000014002472D

Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 000000014002326A
Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 0000000140023287
Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 000000014002329C
Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 00000001400232BC

SendMessageW.USER32 ref: 0000000140024787
GetParent.USER32 ref: 00000001400247A7
SendMessageW.USER32 ref: 00000001400247BD

Strings

0, xrefs: 000000014002475E
0, xrefs: 000000014002453B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$MenuParent$AppendMalloc$ClientCountItemScreen
String ID: 0$0
API String ID: 3922845531-203156872
Opcode ID: 7ce9dacb1bc64561837ac27299ddedabc1a54e358a56596400871af15922fa3b
Instruction ID: 7f67bf3373ce3a456f9989ec7ffe31b5fd478d69111acfe88976eef59cd645a9
Opcode Fuzzy Hash: 7ce9dacb1bc64561837ac27299ddedabc1a54e358a56596400871af15922fa3b
Instruction Fuzzy Hash: 67A14A72215A8082EB66DF23E8547DAB3A1F389BC0F444526EB9A47BB4CF78C945C740

Function 000000014001C80C Relevance: 28.8, APIs: 19, Instructions: 271comCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014001C895
GetWindowLongW.USER32 ref: 000000014001C8AA
SetWindowLongW.USER32 ref: 000000014001C8BC
GetWindowLongPtrW.USER32 ref: 000000014001C8CF
OleUninitialize.OLE32 ref: 000000014001C8E3
OleInitialize.OLE32 ref: 000000014001C8F0
GetWindowTextLengthW.USER32 ref: 000000014001C8F9
DefWindowProcW.USER32 ref: 000000014001CBB9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Long$InitializeLengthProcTextUninitialize
String ID:
API String ID: 2434527812-0
Opcode ID: 82c245bcf7b4fbf843697dfbe54cce4bd7381970a776bb4d117c168738b632a9
Instruction ID: 8cf8d774629b1b792a8639e8062def99c3f65678199ee207a8be0d27a644c741
Opcode Fuzzy Hash: 82c245bcf7b4fbf843697dfbe54cce4bd7381970a776bb4d117c168738b632a9
Instruction Fuzzy Hash: 63B16D32210B4486EB169F76D8957EC23A1FB4DFE9F444616EB6A4B7E4CF3AC4058341

Function 0000000140003BD0 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 425stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000140003C4E
CharNextW.USER32 ref: 0000000140003CA6
CharNextW.USER32 ref: 0000000140003CE5
CharNextW.USER32 ref: 0000000140003D03
CharNextW.USER32 ref: 0000000140003D1D
CharNextW.USER32 ref: 0000000140003D4C
CharNextW.USER32 ref: 0000000140003DA4
CharNextW.USER32 ref: 0000000140003DB7
lstrlenW.KERNEL32 ref: 0000000140003E2D
CharNextW.USER32 ref: 000000014000410A
CharNextW.USER32 ref: 000000014000411F
lstrlenW.KERNEL32 ref: 000000014000417B

Strings

%*.*f, xrefs: 0000000140004001

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CharNext$lstrlen
String ID: %*.*f
API String ID: 2675299387-4192566172
Opcode ID: 3fe3da11784543e7d843720205ee1903bdd7cf345871e15eea4f6f606d473c2e
Instruction ID: b4c1326da23ca97ccb6389a22e72082814a40bd792c4521e559d803615b2f45d
Opcode Fuzzy Hash: 3fe3da11784543e7d843720205ee1903bdd7cf345871e15eea4f6f606d473c2e
Instruction Fuzzy Hash: D6F1F0B660058086FB67EB2BB4183FD62A5F78CBD4F584125EB4A57AF5DB39C881C304

Function 0000000140002F70 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140002FA0
GetClientRect.USER32 ref: 0000000140002FBF
FindWindowExW.USER32 ref: 0000000140003009
EnumChildWindows.USER32 ref: 000000014000302A
FindWindowExW.USER32 ref: 0000000140003070
EnumChildWindows.USER32 ref: 00000001400030AA
FindWindowExW.USER32 ref: 00000001400030CD
EnumChildWindows.USER32 ref: 00000001400030EE
GetClientRect.USER32 ref: 0000000140003101
SendMessageW.USER32 ref: 000000014000316D
SendMessageW.USER32 ref: 00000001400031A2
SendMessageW.USER32 ref: 00000001400031B9

Strings

SHELLDLL_DefView, xrefs: 00000001400030B4
DirectUIHWND, xrefs: 0000000140003049
ExplorerBrowserControl, xrefs: 0000000140002FF0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ChildClientEnumFindMessageRectSendWindowWindows
String ID: DirectUIHWND$ExplorerBrowserControl$SHELLDLL_DefView
API String ID: 2244855869-1440848835
Opcode ID: 2db28bb5557562a58c2644c040114c9b314b45ed66c8f42ec6329950f32d5d23
Instruction ID: 19e13b132ccd2bc1de6f136affa5222679d2e3b2ef6ec66a0a3b391420adb10d
Opcode Fuzzy Hash: 2db28bb5557562a58c2644c040114c9b314b45ed66c8f42ec6329950f32d5d23
Instruction Fuzzy Hash: 03717B76205B8586E721CF2AF4447DEB7A1F38CB94F588116EB8947B68CF38D545CB40

Function 00000001401026F4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

#18.SHELL32 ref: 0000000140102725
#17.SHELL32 ref: 0000000140102731
#16.SHELL32 ref: 0000000140102746
#18.SHELL32 ref: 000000014010274F
#16.SHELL32 ref: 00000001401027C8
#18.SHELL32 ref: 00000001401027D1
SendMessageW.USER32 ref: 000000014010284B

Strings

@, xrefs: 0000000140102827

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID: @
API String ID: 3850602802-2766056989
Opcode ID: 506a9e84d50b33111a1198a0e148b46ceb310e651111313180a6cc95f79cd3ed
Instruction ID: 0d5ae8482496c7f196bcce93c5f7b0b60ed7bc0d716a224a47e07afa40e4b180
Opcode Fuzzy Hash: 506a9e84d50b33111a1198a0e148b46ceb310e651111313180a6cc95f79cd3ed
Instruction Fuzzy Hash: 75915F72301A8185EAA6DB27D8143DA63A1FB8DFE4F588221EF5E47BF5DE38C4458740

Function 000000014000CFDC Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32 ref: 000000014000D00C
GetDlgItem.USER32 ref: 000000014000D072
SetWindowTextW.USER32 ref: 000000014000D07E
GetDlgItem.USER32 ref: 000000014000D10E
SetWindowTextW.USER32 ref: 000000014000D11A
GetDlgItem.USER32 ref: 000000014000D195
SetWindowTextW.USER32 ref: 000000014000D1A1
GetDlgItem.USER32 ref: 000000014000D1EE
SetWindowTextW.USER32 ref: 000000014000D1FA
GetDlgItem.USER32 ref: 000000014000D217
SetWindowTextW.USER32 ref: 000000014000D223
GetDlgItem.USER32 ref: 000000014000D23B
SetWindowTextW.USER32 ref: 000000014000D247

Strings

, xrefs: 000000014000D052, 000000014000D0EE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: TextWindow$Item
String ID:
API String ID: 1634842743-399585960
Opcode ID: d0eb64c64491e78d806cf463c01866d714f33d2d6f22bc7205a40fdb4f28b78c
Instruction ID: b98239d54e89be5522a862e65fcfb4c44f4c28e5a87ac5a149d5a7240b3af8cb
Opcode Fuzzy Hash: d0eb64c64491e78d806cf463c01866d714f33d2d6f22bc7205a40fdb4f28b78c
Instruction Fuzzy Hash: B671FD72301A4082EA52DB6BEC543997361FB89BF0F544312AB7E876F5DF38C8468750

Function 000000014001CBF0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 99registrywindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC0B
RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC18
RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC2B
GetClassInfoExW.USER32 ref: 000000014001CC56
LoadCursorW.USER32 ref: 000000014001CC9E
RegisterClassExW.USER32 ref: 000000014001CCC6
GetClassInfoExW.USER32 ref: 000000014001CD1A
LoadCursorW.USER32 ref: 000000014001CD62
RegisterClassExW.USER32 ref: 000000014001CD8A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CDC1

Strings

WM_ATLGETHOST, xrefs: 000000014001CC11
WM_ATLGETCONTROL, xrefs: 000000014001CC1E
AtlAxWin90, xrefs: 000000014001CC38
AtlAxWinLic90, xrefs: 000000014001CD07

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClassRegister$CriticalCursorInfoLoadMessageSectionWindow$EnterLeave
String ID: AtlAxWin90$AtlAxWinLic90$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 185448633-2573294316
Opcode ID: 4a4dc0a71a64f910c3efcc53002b9c8d915b523e739c08cd6505fd3f4404b1fa
Instruction ID: 7986171e3b76222582f8c06ca4b60176ae19bcc8dc82d8985c2837d70915d36b
Opcode Fuzzy Hash: 4a4dc0a71a64f910c3efcc53002b9c8d915b523e739c08cd6505fd3f4404b1fa
Instruction Fuzzy Hash: 0951E635208B8596E761DF12F88039AB7A4F78CB84F95011AE68E47A78DF7DC549CB40

Function 00000001400095A0 Relevance: 24.1, APIs: 16, Instructions: 126stringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 00000001400095D0
SHGetPathFromIDListW.SHELL32 ref: 00000001400095F1
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140009601
SHGetPathFromIDListW.SHELL32 ref: 000000014000961D
SHGetSpecialFolderLocation.SHELL32 ref: 000000014000962E
SHGetPathFromIDListW.SHELL32 ref: 000000014000964F
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140009662
SHGetPathFromIDListW.SHELL32 ref: 000000014000967E
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140009691
SHGetPathFromIDListW.SHELL32 ref: 00000001400096AD
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400096C0
SHGetPathFromIDListW.SHELL32 ref: 00000001400096DC
lstrlenW.KERNEL32 ref: 00000001400096EE
lstrlenW.KERNEL32 ref: 0000000140009713
lstrlenW.KERNEL32 ref: 0000000140009738
lstrlenW.KERNEL32 ref: 000000014000975C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FolderFromListLocationPathSpecial$lstrlen
String ID:
API String ID: 2171393036-0
Opcode ID: 2835668d920c6853f3b9b5fbe382529ce3e10aa3ddf79edbf2245ad07d7e8bd2
Instruction ID: 3df3694dcbe8bfb052228d495dc6f9bc1892484a80861c3acf91ae587dc0808f
Opcode Fuzzy Hash: 2835668d920c6853f3b9b5fbe382529ce3e10aa3ddf79edbf2245ad07d7e8bd2
Instruction Fuzzy Hash: 13513276701A8086EA01EB23E9583EE6360FB8DFC4F444022EF0A4B729DF79C419C780

Function 000000014001C4A0 Relevance: 22.7, APIs: 15, Instructions: 240comCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014001C523
GetWindowLongW.USER32 ref: 000000014001C538
SetWindowLongW.USER32 ref: 000000014001C54A
GetWindowLongPtrW.USER32 ref: 000000014001C55D
OleUninitialize.OLE32 ref: 000000014001C571
OleInitialize.OLE32 ref: 000000014001C57E
GetWindowTextLengthW.USER32 ref: 000000014001C587
DefWindowProcW.USER32 ref: 000000014001C7DC

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Long$InitializeLengthProcTextUninitialize
String ID:
API String ID: 2434527812-0
Opcode ID: 227c9dd65ee7533fb1e84d7316d8b4941004fe8c613ba2a53903bd98b2763ab7
Instruction ID: 76dc4582497b9bdb2348e122cf3ea98d43fabccae93ac3cae806c58874e0c8c8
Opcode Fuzzy Hash: 227c9dd65ee7533fb1e84d7316d8b4941004fe8c613ba2a53903bd98b2763ab7
Instruction Fuzzy Hash: CBA16B32210B4086EB169F67D854BE823A1FB4DFE8F544616EB2A4BBF4DF7AC4458340

Function 0000000140008260 Relevance: 21.2, APIs: 14, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014000827B
GetDC.USER32 ref: 00000001400082A3
GetClientRect.USER32 ref: 00000001400082C8
SelectObject.GDI32 ref: 000000014000835B
DrawTextW.USER32 ref: 0000000140008397
SelectObject.GDI32 ref: 00000001400083A4
DrawTextW.USER32 ref: 00000001400083E2
SelectObject.GDI32 ref: 00000001400083EE
ReleaseDC.USER32 ref: 00000001400084BD

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ObjectSelect$DrawText$ClientRectReleaseWindow
String ID:
API String ID: 1355666434-0
Opcode ID: 893e0c766cdfdd3461609f2a558485331817d1031521fe845494253acd3cdb6d
Instruction ID: 9d926bde3497d3a3371b77ea12b0fb76e1a34730dc86fc67dd60e8615cecfe53
Opcode Fuzzy Hash: 893e0c766cdfdd3461609f2a558485331817d1031521fe845494253acd3cdb6d
Instruction Fuzzy Hash: 1B615C72604A8086E761CF6AE4443AEB3A1F789FD8F444125EF8957B68DF79C489CB40

Function 000000014001E970 Relevance: 21.2, APIs: 14, Instructions: 154COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014001E9A7
GetWindowRect.USER32 ref: 000000014001E9F8
ScreenToClient.USER32 ref: 000000014001EA07
ScreenToClient.USER32 ref: 000000014001EA1B
GetWindowRect.USER32 ref: 000000014001EA41
ScreenToClient.USER32 ref: 000000014001EA50
ScreenToClient.USER32 ref: 000000014001EA64
ShowWindow.USER32 ref: 000000014001EAB0
ShowWindow.USER32 ref: 000000014001EAD4
ShowWindow.USER32 ref: 000000014001EAF8
ShowWindow.USER32 ref: 000000014001EB1F
SetWindowPos.USER32 ref: 000000014001EB6D
ShowWindow.USER32 ref: 000000014001EB81
SetWindowPos.USER32 ref: 000000014001EBC8

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$ClientShow$Screen$Rect
String ID:
API String ID: 4033864348-0
Opcode ID: 82c66f738b9c41a2d33d2497e02259bb66c8bcd59079c4847bd791c22aabd92b
Instruction ID: 1976d155ac8d099234ee3f07ae942c047681902390d94a75db932e77025a7aee
Opcode Fuzzy Hash: 82c66f738b9c41a2d33d2497e02259bb66c8bcd59079c4847bd791c22aabd92b
Instruction Fuzzy Hash: AF7128762056C4CADB11CF26E48439E7BB1F388F98F180125EB465BB68CF7AD585CB00

Function 00000001400FD0F4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 147windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400F9DFC: SHGetDesktopFolder.SHELL32 ref: 00000001400F9E3B
Part of subcall function 00000001400F9DFC: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400F9E4A
Part of subcall function 00000001400F9DFC: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400F9E5C
Part of subcall function 00000001400F9DFC: SHGetPathFromIDListW.SHELL32 ref: 00000001400F9E8A
Part of subcall function 00000001400F9DFC: lstrlenW.KERNEL32 ref: 00000001400F9E9D
Part of subcall function 00000001400F9DFC: GetWindowsDirectoryW.KERNEL32 ref: 00000001400F9F01
Part of subcall function 00000001400F9DFC: SHGetFileInfoW.SHELL32 ref: 00000001400F9F21

Part of subcall function 00000001400FCFEC: RegisterClassExW.USER32 ref: 00000001400FD066
Part of subcall function 00000001400FCFEC: CreateWindowExW.USER32 ref: 00000001400FD0A7

GetCurrentThreadId.KERNEL32 ref: 00000001400FD164
SetWindowsHookExW.USER32 ref: 00000001400FD17A
TrackPopupMenu.USER32 ref: 00000001400FD1BB
GetMenuItemInfoW.USER32 ref: 00000001400FD23D
GetCursorPos.USER32 ref: 00000001400FD250
SendMessageW.USER32 ref: 00000001400FD284
#18.SHELL32 ref: 00000001400FD303
UnhookWindowsHookEx.USER32 ref: 00000001400FD31C
DestroyMenu.USER32 ref: 00000001400FD335

Strings

1, xrefs: 00000001400FD2B6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FolderMenuWindows$HookInfoLocationSpecial$ClassCreateCurrentCursorDesktopDestroyDirectoryFileFromItemListMessagePathPopupRegisterSendThreadTrackUnhookWindowlstrlen
String ID: 1
API String ID: 1986443932-2212294583
Opcode ID: 017e1fcdb5041dea43e4e5ef5ca760f41a045f45972e04e04561bb667492bedf
Instruction ID: 4a34fb743099f5c0d21492d07469bf26186d2e4b10e55b7b02df0579b31d6d60
Opcode Fuzzy Hash: 017e1fcdb5041dea43e4e5ef5ca760f41a045f45972e04e04561bb667492bedf
Instruction Fuzzy Hash: D8616D32200B8196E7A9DB22E590BDDB3A5F38CBC4F444016EF9947B64DFB9C4A4D780

Function 0000000140024264 Relevance: 21.1, APIs: 14, Instructions: 135windowkeyboardtimeCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00000001400242C7
GetAsyncKeyState.USER32 ref: 00000001400242E4
GetWindowTextW.USER32 ref: 0000000140024333
SendMessageW.USER32 ref: 0000000140024353

Part of subcall function 000000014001DD00: GetCursorPos.USER32 ref: 000000014001DD31
Part of subcall function 000000014001DD00: ScreenToClient.USER32 ref: 000000014001DD4A
Part of subcall function 000000014001DD00: SendMessageW.USER32 ref: 000000014001DD61
Part of subcall function 000000014001DD00: SendMessageW.USER32 ref: 000000014001DD98
Part of subcall function 000000014001DD00: GetParent.USER32 ref: 000000014001DDF0
Part of subcall function 000000014001DD00: SendMessageW.USER32 ref: 000000014001DE39

ShowWindow.USER32 ref: 0000000140024384
ShowWindow.USER32 ref: 0000000140024393
KillTimer.USER32 ref: 00000001400243A2
GetAsyncKeyState.USER32 ref: 00000001400243CB
ShowWindow.USER32 ref: 00000001400243E9
ShowWindow.USER32 ref: 00000001400243F8
KillTimer.USER32 ref: 0000000140024407
SetFocus.USER32 ref: 0000000140024411

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$MessageSendShow$AsyncFocusKillStateTimer$ClientCursorParentScreenText
String ID:
API String ID: 1093764380-0
Opcode ID: 37ebd5f6e52e66a54b59bbc2f7ff1f2532833614a27d4f5e2fa0e94b20c9e92b
Instruction ID: 6805c90a65e38899544e8c03b055e5b4624535c23f5bf62ab5c369371d14bfbe
Opcode Fuzzy Hash: 37ebd5f6e52e66a54b59bbc2f7ff1f2532833614a27d4f5e2fa0e94b20c9e92b
Instruction Fuzzy Hash: 5B518E32304A8082EB66EB63D9503EA7361F78CBD5F444026EB8E47AB5CF39DD958740

Function 000000014002483C Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130windowtimeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400248A8
SendMessageW.USER32 ref: 00000001400249A4
GetParent.USER32 ref: 00000001400249C3
SendMessageW.USER32 ref: 00000001400249DB
GetParent.USER32 ref: 0000000140024A04
SendMessageW.USER32 ref: 0000000140024A1C
GetFocus.USER32 ref: 0000000140024A2B
ShowWindow.USER32 ref: 0000000140024A3F
KillTimer.USER32 ref: 0000000140024A4E

Strings

z, xrefs: 0000000140024871
0, xrefs: 0000000140024983
n, xrefs: 0000000140024868

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$ParentWindow$FocusKillRectShowTimer
String ID: 0$n$z
API String ID: 67215063-1260578908
Opcode ID: ad2fa97399c74bd8e148a163742bb3981c4192edaa37dd00953432776324da9c
Instruction ID: 353916c933dbeb335ca23472a2ee22bd995c05d693e285e5e6657473a8f6f8bf
Opcode Fuzzy Hash: ad2fa97399c74bd8e148a163742bb3981c4192edaa37dd00953432776324da9c
Instruction Fuzzy Hash: 9A516F32205B8492EB56CF27E5403DD73A0F38CBC0F18452AEB5A47BA4CF78C9958740

Function 000000014001F004 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014001F04A
GetWindowRect.USER32 ref: 000000014001F091
ScreenToClient.USER32 ref: 000000014001F09F
ScreenToClient.USER32 ref: 000000014001F0B1
ExcludeClipRect.GDI32 ref: 000000014001F0DE
MapWindowPoints.USER32 ref: 000000014001F107
OffsetWindowOrgEx.GDI32 ref: 000000014001F122
SendMessageW.USER32 ref: 000000014001F15A
SetWindowOrgEx.GDI32 ref: 000000014001F16E
DefWindowProcW.USER32 ref: 000000014001F183
GetSysColor.USER32 ref: 000000014001F1B4

Strings

@@@, xrefs: 000000014001F19B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$ClientRectScreen$ClipColorExcludeMessageOffsetParentPointsProcSend
String ID: @@@
API String ID: 2202115610-159275591
Opcode ID: a8ba20d67e2554cb8f7e019cc5a408e0be371603667b6fe64e080c7b47ba407f
Instruction ID: cfd89bdcf9b9de1506be96823bbc52b926521566db7552c5b4f4f4d4a564549d
Opcode Fuzzy Hash: a8ba20d67e2554cb8f7e019cc5a408e0be371603667b6fe64e080c7b47ba407f
Instruction Fuzzy Hash: 81515E76604B8486E761CF27E84079EB761F388FC0F444116EB9A4BBA9CF3AD455CB00

Function 0000000140016964 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 00000001400169B8
GetStockObject.GDI32 ref: 00000001400169C6

Strings

(, xrefs: 0000000140016A01

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ObjectStock
String ID: (
API String ID: 3428563643-3887548279
Opcode ID: dbfb32c48899aaefe43eaba97014cafc6b24533e1e6f2073b3d9948d7bb9592a
Instruction ID: 5c754f1ce86fb98e8e9def602d4d805f5c7ee26293241d6fdc1ebd05c272f42c
Opcode Fuzzy Hash: dbfb32c48899aaefe43eaba97014cafc6b24533e1e6f2073b3d9948d7bb9592a
Instruction Fuzzy Hash: 86412176206B408AEB529B62E8543AA77A0FB4DBC5F484025EF4E4B764DF7DC844CB41

Function 000000014001E148 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014001E17F
GetWindowRect.USER32 ref: 000000014001E1B7
ScreenToClient.USER32 ref: 000000014001E1C6
ScreenToClient.USER32 ref: 000000014001E1DA
GetWindowRect.USER32 ref: 000000014001E200
ScreenToClient.USER32 ref: 000000014001E20F
ScreenToClient.USER32 ref: 000000014001E223
SetWindowPos.USER32 ref: 000000014001E26C
SetWindowPos.USER32 ref: 000000014001E2A7
SetWindowPos.USER32 ref: 000000014001E2BD
ShowWindow.USER32 ref: 000000014001E2CC

Strings

\, xrefs: 000000014001E28A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Client$Screen$Rect$Show
String ID: \
API String ID: 246452983-2967466578
Opcode ID: d47420ffb9c6a9e4f20d59f050cefa3e15003d7d6e67e64eaf7e1f1bf76f9deb
Instruction ID: f665aa084009d26088d94018eddfa345193660b9efb92d92c2f5957e8de33296
Opcode Fuzzy Hash: d47420ffb9c6a9e4f20d59f050cefa3e15003d7d6e67e64eaf7e1f1bf76f9deb
Instruction Fuzzy Hash: 5F51B076214B848AD711CF2AE48865EBBB5F38CB94F184125EB8947B28CF3AD945CF40

Function 0000000140013F50 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140013F76
GetDlgItem.USER32 ref: 0000000140013F85
EnableWindow.USER32 ref: 0000000140013F97
GetDlgItem.USER32 ref: 0000000140013FA6
ShowWindow.USER32 ref: 0000000140013FB1
GetModuleHandleW.KERNEL32 ref: 0000000140013FC1
LoadImageW.USER32 ref: 0000000140013FE8
GetDlgItem.USER32 ref: 0000000140013FFA
SetWindowPos.USER32 ref: 000000014001401E
SendMessageW.USER32 ref: 0000000140014037
SendMessageW.USER32 ref: 000000014001405D

Strings

shell32, xrefs: 0000000140013FBA

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ItemMessageSendWindow$EnableHandleImageLoadModuleShow
String ID: shell32
API String ID: 3276235772-4179111565
Opcode ID: 278e41ecb9c5394f1e9cccd109cb03c186a636365eca5ddfe4908873fb1d45fe
Instruction ID: 04ea4c2bb814a5d63896c709fb182604e0ea412f879f4aac82f426d9a495bdd1
Opcode Fuzzy Hash: 278e41ecb9c5394f1e9cccd109cb03c186a636365eca5ddfe4908873fb1d45fe
Instruction Fuzzy Hash: AE318F3230068082EB669B27F85479A7761F78DFE5F0842259F6A1BBB5CF3DC4868700

Function 000000014000B45C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 75stringCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 000000014000B49E
GetVersionExW.KERNEL32 ref: 000000014000B4F3
_cwprintf_s_l.LIBCMT ref: 000000014000B537
lstrlenW.KERNEL32 ref: 000000014000B550
lstrlenW.KERNEL32 ref: 000000014000B56C
lstrlenW.KERNEL32 ref: 000000014000B587
lstrlenW.KERNEL32 ref: 000000014000B59D

Strings

Win32 WINDOWS, xrefs: 000000014000B565, 000000014000B572
Windows %d.%d, xrefs: 000000014000B52D
Win32s, xrefs: 000000014000B580, 000000014000B58D
Unbekannt , xrefs: 000000014000B596, 000000014000B5A3
Win32 NT , xrefs: 000000014000B549, 000000014000B556

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$Version$_cwprintf_s_l
String ID: Unbekannt $ Win32 NT $ Win32 WINDOWS$ Win32s$Windows %d.%d
API String ID: 186566674-1665667020
Opcode ID: 7ac9d5a7afde2f0ab05f418263c8f16b336959beaec5b9c1beb767fe6be93ec7
Instruction ID: a7870134e7f6aaab7ce6c1545d93f9d4c2554553abfe56dcda2b0a86a282c088
Opcode Fuzzy Hash: 7ac9d5a7afde2f0ab05f418263c8f16b336959beaec5b9c1beb767fe6be93ec7
Instruction Fuzzy Hash: B741CE74220E059AFB57DB1BEC453E437B1B75DB86F880451EB0A6B2B0DB3AC848CB51

Function 00000001400049E0 Relevance: 19.7, APIs: 13, Instructions: 175timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 0000000140004A24

Part of subcall function 00000001400041C8: GetClientRect.USER32 ref: 000000014000420D
Part of subcall function 00000001400041C8: GetClientRect.USER32 ref: 0000000140004260
Part of subcall function 00000001400041C8: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400042E9
Part of subcall function 00000001400041C8: #190.SHELL32 ref: 0000000140004345

ShowWindow.USER32 ref: 0000000140004A45
KillTimer.USER32 ref: 0000000140004A5D
GlobalUnlock.KERNEL32 ref: 0000000140004B3E
GlobalFree.KERNEL32 ref: 0000000140004B47

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClientGlobalKillRectTimer$#190FolderFreeLocationShowSpecialUnlockWindow
String ID:
API String ID: 296821359-0
Opcode ID: f5d0d520823314f4caf08c963358c158c66f2b9a780af6c20416ee76c4d95752
Instruction ID: 3652137149b15181d2ea5413d4dbcb7718f1dd4f1004878e16fc513910652855
Opcode Fuzzy Hash: f5d0d520823314f4caf08c963358c158c66f2b9a780af6c20416ee76c4d95752
Instruction Fuzzy Hash: B18149B2315A4182FB66DB26F8547AA63A0F78CFD8F084121EB5A476B5DF3DC449C704

Function 000000014000BB74 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 172windowstringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000BBCF
GetWindowTextW.USER32 ref: 000000014000BBE1
lstrlenW.KERNEL32 ref: 000000014000BBF6
lstrlenW.KERNEL32 ref: 000000014000BC37
_cwprintf_s_l.LIBCMT ref: 000000014000BD34
GetDlgItem.USER32 ref: 000000014000BD4F
SetWindowTextW.USER32 ref: 000000014000BD63
SendMessageW.USER32 ref: 000000014000BD77
SendMessageW.USER32 ref: 000000014000BD9D
SendMessageW.USER32 ref: 000000014000BDB1

Strings

%s\%s, xrefs: 000000014000BD25

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$ItemTextWindowlstrlen$_cwprintf_s_l
String ID: %s\%s
API String ID: 4093046438-4073750446
Opcode ID: 68f6d6e936142cc6abd4d8e24d6dd9447a291e48de21addc7d95c0bade4a9985
Instruction ID: 53bbeb9e5caabb3b8c04ebf1d86b7c83d5c5240be59d6a0cb739a061037817ca
Opcode Fuzzy Hash: 68f6d6e936142cc6abd4d8e24d6dd9447a291e48de21addc7d95c0bade4a9985
Instruction Fuzzy Hash: C4814F72214A8182EA52DB26E8903E97360F789BF0F544322AB7E87BF5DF38C445C740

Function 000000014003CD34 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138windowmemoryCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32 ref: 000000014003CD6C
GetDC.USER32 ref: 000000014003CD74
GetObjectW.GDI32 ref: 000000014003CDA2
GetDIBits.GDI32 ref: 000000014003CE41
GetDIBits.GDI32 ref: 000000014003CE9F
ReleaseDC.USER32 ref: 000000014003CED5
DeleteObject.GDI32 ref: 000000014003CEE0
DeleteObject.GDI32 ref: 000000014003CEEB
GdipAlloc.GDIPLUS ref: 000000014003CEF6
GdipCreateBitmapFromScan0.GDIPLUS ref: 000000014003CF3D

Strings

&, xrefs: 000000014003CF1E

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Object$BitsDeleteGdip$AllocBitmapCreateFromIconInfoReleaseScan0
String ID: &
API String ID: 1474606373-3042966939
Opcode ID: efd7b6a0251c5f25296dd131fd042078232bfbe72c4c06099bde3b84839c1c43
Instruction ID: 48cc2c82cc5d401a9a212c694a46ec3a892dad168c173f5bb63c627ab31c3f48
Opcode Fuzzy Hash: efd7b6a0251c5f25296dd131fd042078232bfbe72c4c06099bde3b84839c1c43
Instruction Fuzzy Hash: 78517D36214B808AE726CF26E54079EB7A1F78DBC4F484125EB8A4BB69DF3DC455CB40

Function 0000000140103F1C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF73C
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF75D
Part of subcall function 00000001400FF714: GetSysColor.USER32 ref: 00000001400FF768
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF780
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF79A
Part of subcall function 00000001400FF714: GetSysColor.USER32 ref: 00000001400FF7B2
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF7CE
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF7E8
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF801
Part of subcall function 00000001400FF714: SendMessageW.USER32 ref: 00000001400FF919

#18.SHELL32 ref: 0000000140103F37
RegisterClassExW.USER32 ref: 000000014010403D
GetModuleHandleW.KERNEL32 ref: 0000000140104045
CreateWindowExW.USER32 ref: 0000000140104084
RegisterDragDrop.OLE32 ref: 000000014010409D
SetWindowLongPtrW.USER32 ref: 00000001401040CA
#4.SHELL32 ref: 00000001401040DA
#2.SHELL32 ref: 0000000140104111

Part of subcall function 0000000140105B58: LoadLibraryW.KERNEL32 ref: 0000000140105B83
Part of subcall function 0000000140105B58: GetProcAddress.KERNEL32 ref: 0000000140105B9F

Strings

explorer, xrefs: 0000000140103F8D, 0000000140103FC1
NotifyWnd, xrefs: 000000014010401C
P, xrefs: 0000000140104035

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$ColorRegisterWindow$AddressClassCreateDragDropHandleLibraryLoadLongModuleProc
String ID: NotifyWnd$P$explorer
API String ID: 4162847491-2394816450
Opcode ID: 072f3490385f1b08bd3957999a245e8133dcb9d59dc5d89f484f6012cf92940e
Instruction ID: 75ff469e65e1dbaa82315562281a00d6aea1b4f115567bc715d4e1351d8ff632
Opcode Fuzzy Hash: 072f3490385f1b08bd3957999a245e8133dcb9d59dc5d89f484f6012cf92940e
Instruction Fuzzy Hash: 5E517B72314B81DBEB19DF22E5547DAB3A0F388B99F404015EB8907AA5DF79D468CB40

Function 00000001400487CC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 82librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140048424: GetProcAddress.KERNEL32(?,?,?,00000001400487F1), ref: 000000014004843C
Part of subcall function 0000000140048424: GlobalUnlock.KERNEL32 ref: 0000000140048460
Part of subcall function 0000000140048424: GlobalFree.KERNEL32 ref: 000000014004846A

GetProcAddress.KERNEL32 ref: 0000000140048805
FindResourceW.KERNEL32 ref: 0000000140048827
SizeofResource.KERNEL32 ref: 000000014004883B
LoadResource.KERNEL32 ref: 000000014004884D
LockResource.KERNEL32 ref: 0000000140048856
GlobalUnlock.KERNEL32 ref: 000000014004886D
GlobalFree.KERNEL32 ref: 0000000140048877
GlobalAlloc.KERNEL32 ref: 000000014004888A
GlobalLock.KERNEL32 ref: 000000014004889C
CreateStreamOnHGlobal.OLE32 ref: 00000001400488C6

Strings

GdipLoadImageFromStream, xrefs: 00000001400487FE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Global$Resource$AddressFreeLockProcUnlock$AllocCreateFindLoadSizeofStream
String ID: GdipLoadImageFromStream
API String ID: 3915296160-1836631380
Opcode ID: 4743f0a83db7852f490e38e269407323609c48114d59ec4f22f2ab552ca190ed
Instruction ID: 6b3c03ebe510526f4041e7fd4005190226d5dcb4b2b80ebea02d67574c264f35
Opcode Fuzzy Hash: 4743f0a83db7852f490e38e269407323609c48114d59ec4f22f2ab552ca190ed
Instruction Fuzzy Hash: 9031DD71605B4181EA669B23E8543A973A0FB8CFC4F488429DF4A4B769EF39C545C354

Function 000000014001B770 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

ImageList_Create.COMCTL32 ref: 000000014001B7B9
GetModuleHandleW.KERNEL32 ref: 000000014001B7CD
LoadImageW.USER32 ref: 000000014001B7EE
ImageList_ReplaceIcon.COMCTL32 ref: 000000014001B801
LoadImageW.USER32 ref: 000000014001B81F
ImageList_ReplaceIcon.COMCTL32 ref: 000000014001B832
LoadImageW.USER32 ref: 000000014001B850
ImageList_ReplaceIcon.COMCTL32 ref: 000000014001B863
GetDlgItem.USER32 ref: 000000014001B872
SendMessageW.USER32 ref: 000000014001B88A

Strings

shell32.dll, xrefs: 000000014001B7BF

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Image$List_$IconLoadReplace$CreateHandleItemMessageModuleSend
String ID: shell32.dll
API String ID: 1514679979-3366042328
Opcode ID: 9a1caa2c96ad7bd751b2a0529b9ac9fa9cd7bbd283ff4223c960c49a5efe6c2c
Instruction ID: a8002d649c5a56b799ffe6446cb70a10a431a5f148db1ed63a867d4b65364dfb
Opcode Fuzzy Hash: 9a1caa2c96ad7bd751b2a0529b9ac9fa9cd7bbd283ff4223c960c49a5efe6c2c
Instruction Fuzzy Hash: CB312735200B8082E711AB23E85879A77A4F78CFE9F140115EA9A0BBB4CF7EC449CB40

Function 000000014000AE80 Relevance: 18.2, APIs: 12, Instructions: 213windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014000AEDE
DestroyWindow.USER32 ref: 000000014000AEF0

Part of subcall function 000000014000909C: GetClassNameW.USER32 ref: 00000001400090F7
Part of subcall function 000000014000909C: lstrcmpiW.KERNEL32 ref: 0000000140009114
Part of subcall function 000000014000909C: GetWindowLongW.USER32 ref: 0000000140009127
Part of subcall function 000000014000909C: SetWindowLongW.USER32 ref: 0000000140009140
Part of subcall function 000000014000909C: GetWindowLongW.USER32 ref: 000000014000914C
Part of subcall function 000000014000909C: CreateCursor.USER32 ref: 00000001400091C5
Part of subcall function 000000014000909C: GetParent.USER32 ref: 00000001400091E6
Part of subcall function 000000014000909C: SendMessageW.USER32 ref: 00000001400091F9
Part of subcall function 000000014000909C: GetStockObject.GDI32 ref: 000000014000920C

InvalidateRect.USER32 ref: 000000014000AFF6
InvalidateRect.USER32 ref: 000000014000B06E
UpdateWindow.USER32 ref: 000000014000B078
PtInRect.USER32 ref: 000000014000B0A9
SetFocus.USER32 ref: 000000014000B0B8
SetCapture.USER32 ref: 000000014000B0C2
GetCapture.USER32 ref: 000000014000B0D2
ReleaseCapture.USER32 ref: 000000014000B0DE
PtInRect.USER32 ref: 000000014000B101

Part of subcall function 0000000140009C50: GetCursorPos.USER32 ref: 0000000140009C68
Part of subcall function 0000000140009C50: ScreenToClient.USER32 ref: 0000000140009C77
Part of subcall function 0000000140009C50: PtInRect.USER32 ref: 0000000140009C9B

InvalidateRect.USER32 ref: 000000014000B1D1

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: RectWindow$CaptureInvalidateLong$Cursor$ClassClientCreateDestroyFocusMessageNameObjectParentReleaseScreenSendStockUpdatelstrcmpi
String ID:
API String ID: 3150403950-0
Opcode ID: c4ee1c578c7f47e4fbfbe921c45e571604ae03fc4b7d35570336eea197aea935
Instruction ID: 3d45684839cdca5c2181369342152f05ee2739737828f72ae546f52ec848db28
Opcode Fuzzy Hash: c4ee1c578c7f47e4fbfbe921c45e571604ae03fc4b7d35570336eea197aea935
Instruction Fuzzy Hash: 8E915BB2A14A8185EB72DF66F4803EE73A5F389BD4F584022EB89576B5CF38C845C700

Function 000000014000204C Relevance: 18.1, APIs: 12, Instructions: 118COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0000000140002069
GetParent.USER32 ref: 000000014000207F
GetWindow.USER32 ref: 000000014000208C
GetWindowRect.USER32 ref: 000000014000209D
GetWindowLongW.USER32 ref: 00000001400020B6
SystemParametersInfoW.USER32 ref: 00000001400020D7
GetWindowRect.USER32 ref: 00000001400020F7
GetParent.USER32 ref: 0000000140002102
GetClientRect.USER32 ref: 0000000140002113
GetClientRect.USER32 ref: 0000000140002121
MapWindowPoints.USER32 ref: 0000000140002138
SetWindowPos.USER32 ref: 00000001400021DE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Rect$ClientLongParent$InfoParametersPointsSystem
String ID:
API String ID: 2289592163-0
Opcode ID: e78856af9152c24a87f141017bd36f2d3bad89628bb575f646988a1160544266
Instruction ID: 312306d3f7eb7005132e0c3f4ef1c4776f6e8c197fce6b373ac1fd4fb78c43b8
Opcode Fuzzy Hash: e78856af9152c24a87f141017bd36f2d3bad89628bb575f646988a1160544266
Instruction Fuzzy Hash: 7E418D72324A4186E712CF3AF94879EB761F78CBD0F644110EB9987AA8CF39D804CB40

Function 000000014001CDE0 Relevance: 18.1, APIs: 12, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 000000014001CBF0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC0B
Part of subcall function 000000014001CBF0: RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC18
Part of subcall function 000000014001CBF0: RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC2B
Part of subcall function 000000014001CBF0: GetClassInfoExW.USER32 ref: 000000014001CC56
Part of subcall function 000000014001CBF0: LoadCursorW.USER32 ref: 000000014001CC9E
Part of subcall function 000000014001CBF0: RegisterClassExW.USER32 ref: 000000014001CCC6
Part of subcall function 000000014001CBF0: GetClassInfoExW.USER32 ref: 000000014001CD1A
Part of subcall function 000000014001CBF0: LoadCursorW.USER32 ref: 000000014001CD62
Part of subcall function 000000014001CBF0: RegisterClassExW.USER32 ref: 000000014001CD8A
Part of subcall function 000000014001CBF0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CDC1

FindResourceW.KERNEL32 ref: 000000014001CE1C
FindResourceW.KERNEL32 ref: 000000014001CE3A
LoadResource.KERNEL32 ref: 000000014001CE4D
LockResource.KERNEL32 ref: 000000014001CE56
LoadResource.KERNEL32 ref: 000000014001CE67
LockResource.KERNEL32 ref: 000000014001CE75
DialogBoxIndirectParamW.USER32 ref: 000000014001CEA7
GetLastError.KERNEL32 ref: 000000014001CEBB
GlobalHandle.KERNEL32 ref: 000000014001CECB
GlobalFree.KERNEL32 ref: 000000014001CED4
GetLastError.KERNEL32 ref: 000000014001CEDC
SetLastError.KERNEL32 ref: 000000014001CEEA

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Resource$ClassLoadRegister$ErrorLast$CriticalCursorFindGlobalInfoLockMessageSectionWindow$DialogEnterFreeHandleIndirectLeaveParam
String ID:
API String ID: 2053837155-0
Opcode ID: 26e1dacd03aafd8c8a5985d5030c6c63c1e9a6c34976afdf96c758388c2a00d7
Instruction ID: 8a021db920f6b76a2838fe1e7d6fe08826e6cb4fe3829f216fbd3e5b12316500
Opcode Fuzzy Hash: 26e1dacd03aafd8c8a5985d5030c6c63c1e9a6c34976afdf96c758388c2a00d7
Instruction Fuzzy Hash: EE314B34311B5186EE569B63A808799B7E1BB4DFE4F080624AF2E0B7F5DE3ED8458340

Function 0000000140023E78 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140023F2F
lstrlenW.KERNEL32 ref: 0000000140023F4C
SendMessageW.USER32 ref: 0000000140023F95
SendMessageW.USER32 ref: 00000001400240C8
SendMessageW.USER32 ref: 00000001400240EB
SendMessageW.USER32 ref: 0000000140024107
MessageBoxW.USER32 ref: 000000014002416A
SendMessageW.USER32 ref: 00000001400241B6
SendMessageW.USER32 ref: 00000001400241E3

Strings

0, xrefs: 0000000140023EFE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Message$Send$lstrlen
String ID: 0
API String ID: 3731344635-4108050209
Opcode ID: 1c0c79508f9db68edd305f4970a7c45edc0dd75714934a35244da955ed481589
Instruction ID: eb63377bd6780249ed3a6118032bcf46eb7a9b29496cd68f2a442a2cbc5651e3
Opcode Fuzzy Hash: 1c0c79508f9db68edd305f4970a7c45edc0dd75714934a35244da955ed481589
Instruction Fuzzy Hash: 8891CF32304A8082FBA28B67E8543D97360F799BD0F14422AAB5947AF5DF7DCCC58741

Function 000000014003FD18 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 171stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 000000014003FD8E
GetStockObject.GDI32 ref: 000000014003FDA1
GetObjectW.GDI32 ref: 000000014003FDC8
lstrcpynW.KERNEL32 ref: 000000014003FE33
CreateFontIndirectW.GDI32 ref: 000000014003FE41
DeleteObject.GDI32 ref: 000000014003FE72
GetObjectW.GDI32 ref: 000000014003FF07
CreateFontIndirectW.GDI32 ref: 000000014003FFD6

Strings

FontFaceName, xrefs: 000000014003FDE4
Start, xrefs: 000000014003FDF8

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Object$CreateFontIndirect$DeleteInfoParametersStockSystemlstrcpyn
String ID: FontFaceName$Start
API String ID: 3063546216-3130205924
Opcode ID: c6e1499cfb9564bb87d0e889e4a3538c7a7504f1bc9edd6da0c40f8a7d3fc47a
Instruction ID: 1335b930583471c401568da85460d81441081d594d8bf66777c56c906804ed68
Opcode Fuzzy Hash: c6e1499cfb9564bb87d0e889e4a3538c7a7504f1bc9edd6da0c40f8a7d3fc47a
Instruction Fuzzy Hash: 69816272204A8086EB62DB26F4503DAB7A1F78DB90F544225EB9D476B9DF3CC544CB00

Function 0000000140021368 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00000001400213B6
SendMessageW.USER32 ref: 0000000140021410
#155.SHELL32 ref: 000000014002141B
SetFocus.USER32 ref: 0000000140021425
SendMessageW.USER32 ref: 0000000140021468
SendMessageW.USER32 ref: 0000000140021482
SendMessageW.USER32 ref: 000000014002152C
SetFocus.USER32 ref: 0000000140021535
MessageBoxW.USER32 ref: 000000014002159F

Strings

o, xrefs: 00000001400213BC

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Message$Send$Focus$#155ShowWindow
String ID: o
API String ID: 2215054203-252678980
Opcode ID: 94a81325d3e9a3dd52085e5951d4ef5b73bf1f2d353f4957e86eb7ed04f8b1f8
Instruction ID: f360dae6c34f02a1a50e69c9ca832809ff607a5ede2e33d9de8455e465023ea0
Opcode Fuzzy Hash: 94a81325d3e9a3dd52085e5951d4ef5b73bf1f2d353f4957e86eb7ed04f8b1f8
Instruction Fuzzy Hash: C7715C72210A4182EB629B67E8507DA6360F7D8BF4F444312AB6E47AF5CF7CC881C740

Function 000000014004847C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00000001400484BF
GetProcAddress.KERNEL32 ref: 00000001400484DF
GetProcAddress.KERNEL32 ref: 00000001400484FF
GetProcAddress.KERNEL32 ref: 0000000140048522
GetProcAddress.KERNEL32 ref: 0000000140048545

Strings

GdipCreateImageAttributes, xrefs: 000000014004851B
GdipDrawImageRectRectI, xrefs: 00000001400484F8
GdipCreateFromHDC, xrefs: 00000001400484B8
GdipSetImageAttributesColorMatrix, xrefs: 000000014004853E
GdipDeleteGraphics, xrefs: 00000001400484D8

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressProc
String ID: GdipCreateFromHDC$GdipCreateImageAttributes$GdipDeleteGraphics$GdipDrawImageRectRectI$GdipSetImageAttributesColorMatrix
API String ID: 190572456-226930721
Opcode ID: ec020341f3fd1c9a219bf9e339275d5b6ec1268e70b2c8aff49a7e354ba13650
Instruction ID: d79905fdd51cec85347cc80a3e93e2b177e4b0c056a36e1656d9055f5e08d980
Opcode Fuzzy Hash: ec020341f3fd1c9a219bf9e339275d5b6ec1268e70b2c8aff49a7e354ba13650
Instruction Fuzzy Hash: 0681E732515F819AE671CF13E8807AAB3B0F7DDB90F14521AEB8946678DF78C490DB00

Function 000000014001B8B4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014001B8EE
SendMessageW.USER32 ref: 000000014001B902

Part of subcall function 000000014005E758: RegOpenKeyExW.ADVAPI32 ref: 000000014005E7E3
Part of subcall function 000000014005E758: RegCloseKey.ADVAPI32 ref: 000000014005E7F7
Part of subcall function 000000014005E758: RegDeleteKeyW.ADVAPI32 ref: 000000014005E813
Part of subcall function 000000014005E758: RegCloseKey.ADVAPI32 ref: 000000014005E83F

GetModuleFileNameW.KERNEL32 ref: 000000014001B938
_cwprintf_s_l.LIBCMT ref: 000000014001B9B2
ShellExecuteExW.SHELL32 ref: 000000014001B9D2
EndDialog.USER32 ref: 000000014001B9E5
GetDlgItem.USER32 ref: 000000014001BA4B
SendMessageW.USER32 ref: 000000014001BA5F

Strings

runas, xrefs: 000000014001B9C1
RegisterAdminKey4_EEETWETRFSD=%d, xrefs: 000000014001B9A6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CloseItemMessageSend$DeleteDialogExecuteFileModuleNameOpenShell_cwprintf_s_l
String ID: RegisterAdminKey4_EEETWETRFSD=%d$runas
API String ID: 1829791887-816592029
Opcode ID: e372da56c28a990fbb92f7d819f175b5be815f8c1b7e09dd1fcf64c85f84d74b
Instruction ID: 4334877fde328765f94068981d195eae6652ff7aec441a5f90725909425142f0
Opcode Fuzzy Hash: e372da56c28a990fbb92f7d819f175b5be815f8c1b7e09dd1fcf64c85f84d74b
Instruction Fuzzy Hash: CB517432305A8182F762DF66E8913D973A0F78CBA4F584225E7698BAF5DF39C845C740

Function 000000014001A25C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 122registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001A2CE
GetClassInfoExW.USER32 ref: 000000014001A304
GetClassInfoExW.USER32 ref: 000000014001A31C
LeaveCriticalSection.KERNEL32 ref: 000000014001A32A
LoadCursorW.USER32 ref: 000000014001A371
GetClassInfoExW.USER32 ref: 000000014001A3D3
RegisterClassExW.USER32 ref: 000000014001A3E6
LeaveCriticalSection.KERNEL32 ref: 000000014001A40F

Strings

P, xrefs: 000000014001A2F5
ATL:%p, xrefs: 000000014001A395

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p$P
API String ID: 269841140-2635742592
Opcode ID: 7135ce2e13eeb8f1b9f4bcc9cc07b40e4abefb95b85b1c23abd4ab857eedd00b
Instruction ID: 5c11983778a0ab81b461f75c5dd45ad7feddb2b90970f6c6fe026f4118fcad2c
Opcode Fuzzy Hash: 7135ce2e13eeb8f1b9f4bcc9cc07b40e4abefb95b85b1c23abd4ab857eedd00b
Instruction Fuzzy Hash: 26518A76200B80A3EA25DB23E5443DD33A0F389BC0F444612EF5A4BBA4CB7AD5A5C740

Function 000000014001E7FC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75registryCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 000000014001E833
GetModuleHandleW.KERNEL32 ref: 000000014001E85E
RegisterClassExW.USER32 ref: 000000014001E89F
CreateWindowExW.USER32 ref: 000000014001E8DE
ShowWindow.USER32 ref: 000000014001E8F0
SetWindowLongPtrW.USER32 ref: 000000014001E905
#4.SHELL32 ref: 000000014001E912
#2.SHELL32 ref: 000000014001E946

Strings

NotifyWnd_123, xrefs: 000000014001E87E
P, xrefs: 000000014001E897

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$ClassCreateFolderHandleLocationLongModuleRegisterShowSpecial
String ID: NotifyWnd_123$P
API String ID: 299184763-2082992119
Opcode ID: 1d53f2cbd94e36df47257f48112cbb351e0baf55650e9ff48d23cdca450d3295
Instruction ID: 6e4335584d0a11d185457a98343a665f84a6d97a261aeb1d3196329f68ad3c39
Opcode Fuzzy Hash: 1d53f2cbd94e36df47257f48112cbb351e0baf55650e9ff48d23cdca450d3295
Instruction Fuzzy Hash: 57415E32614B8087F765CF22E44839EB3A0F78CB99F540119EB894BAA8CF7EC155CB40

Function 0000000140006A08 Relevance: 16.6, APIs: 11, Instructions: 150stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140006A36
lstrcatW.KERNEL32 ref: 0000000140006A62
lstrcatW.KERNEL32 ref: 0000000140006A6E
lstrcatW.KERNEL32 ref: 0000000140006A7A
lstrcatW.KERNEL32 ref: 0000000140006A86
lstrcatW.KERNEL32 ref: 0000000140006A92
lstrcatW.KERNEL32 ref: 0000000140006A9E
lstrlenW.KERNEL32 ref: 0000000140006AA7
lstrlenW.KERNEL32 ref: 0000000140006AB0
lstrlenW.KERNEL32 ref: 0000000140006B38
lstrlenW.KERNEL32 ref: 0000000140006B63

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID:
API String ID: 751011610-0
Opcode ID: 2c46cecf6dd1d1aeaeca04e78982a9fbe33ca1ac9120f1a51e7d7d4f4d1fd1c9
Instruction ID: a6d428bd347c04e7a3eb1a91d8404619ce07dde4f06cd20341777a9d9b1d3f47
Opcode Fuzzy Hash: 2c46cecf6dd1d1aeaeca04e78982a9fbe33ca1ac9120f1a51e7d7d4f4d1fd1c9
Instruction Fuzzy Hash: BC514EB130064189DF669F22E9543A973A2FB1CBD4F488022DF46AB374EB7DC490C344

Function 0000000140017120 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00000001400171F9

Strings

{, xrefs: 0000000140017255

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateInstance
String ID: {
API String ID: 542301482-366298937
Opcode ID: 6bd7c3035b2f1fec2c520c9da2092109bdcf0cc699e1576e10d92db8021fd3a6
Instruction ID: e2cddfe4c8c8dd64bed88e1f857c62dc5917b2c5f16a611aa439516e0512c65a
Opcode Fuzzy Hash: 6bd7c3035b2f1fec2c520c9da2092109bdcf0cc699e1576e10d92db8021fd3a6
Instruction Fuzzy Hash: 4D51743260464181EB629F2AE844BD973B1F38CB98F588112FB5A4B6B4DB7AC586C700

Function 0000000140083F24 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 000000014008401B
LoadResource.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 000000014008402A
LockResource.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 0000000140084033
SizeofResource.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 0000000140084042
lstrlenW.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 00000001400840C8
lstrlenW.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 00000001400840E9
FreeResource.KERNEL32(?,?,?,00000000,00000000,000000014008468A), ref: 0000000140084105

Strings

IMG, xrefs: 000000014008400D
p, xrefs: 0000000140083F2C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Resource$lstrlen$FindFreeLoadLockSizeof
String ID: IMG$p
API String ID: 3332429121-1219239123
Opcode ID: dc1794f371df491982d42308c46714979876dd8f28c65607bb525849b9d121ff
Instruction ID: 95d36bdf9983765ff8fba5d12307b46627a2d1bef3768e68c3930ddb0e036328
Opcode Fuzzy Hash: dc1794f371df491982d42308c46714979876dd8f28c65607bb525849b9d121ff
Instruction Fuzzy Hash: 1D514D76218AC08AD761EB26F8443DAB7A5F7CCB94F444215EB9D83BA9DF38C454CB00

Function 000000014001DD00 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014001DD31
ScreenToClient.USER32 ref: 000000014001DD4A
SendMessageW.USER32 ref: 000000014001DD61
SendMessageW.USER32 ref: 000000014001DD98
GetParent.USER32 ref: 000000014001DDF0
SendMessageW.USER32 ref: 000000014001DE10
GetParent.USER32 ref: 000000014001DE1F
SendMessageW.USER32 ref: 000000014001DE39

Strings

0, xrefs: 000000014001DDCD

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Parent$ClientCursorScreen
String ID: 0
API String ID: 3424710631-4108050209
Opcode ID: 6972e0b8af878e675b3cba79eeed6a12daec459d72d18f05386f1dda4083b506
Instruction ID: b08a569aa33570b1f3eb60ac203390e3ace8c55b3d1c2544c6414936085219ec
Opcode Fuzzy Hash: 6972e0b8af878e675b3cba79eeed6a12daec459d72d18f05386f1dda4083b506
Instruction Fuzzy Hash: 9B312F72214A8482E761DF22E4547DE73A1F78CF89F484016EB8D4BAA8CF3DC949CB40

Function 0000000140009CC4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 0000000140009CF6
GetDlgCtrlID.USER32 ref: 0000000140009D10
GetParent.USER32 ref: 0000000140009D1D
GetDlgCtrlID.USER32 ref: 0000000140009D3D
GetParent.USER32 ref: 0000000140009D49
SendMessageW.USER32 ref: 0000000140009D5F
ShellExecuteW.SHELL32 ref: 0000000140009D81
InvalidateRect.USER32 ref: 0000000140009DA4

Strings

open, xrefs: 0000000140009D6B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Ctrl$Parent$ExecuteInvalidateMessageRectSendShell
String ID: open
API String ID: 1200564152-2758837156
Opcode ID: 518eda953508c50585776ef5b8d8172c329e54e578ab125f7fbe16511b086925
Instruction ID: bdd8e8cff3ba433485ce1aaed6632ce3e642ae7ee45adf98f839c4fb0c243799
Opcode Fuzzy Hash: 518eda953508c50585776ef5b8d8172c329e54e578ab125f7fbe16511b086925
Instruction Fuzzy Hash: F4215C36204B8083E725CB22F8953A9B761F78DBD5F084526EB9A4BB64CF3AD465C740

Function 000000014001FC14 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 000000014001FC35
SelectObject.GDI32 ref: 000000014001FC45
MoveToEx.GDI32 ref: 000000014001FC5C
LineTo.GDI32 ref: 000000014001FC6C
LineTo.GDI32 ref: 000000014001FC7C
LineTo.GDI32 ref: 000000014001FC8D
LineTo.GDI32 ref: 000000014001FC9E
SelectObject.GDI32 ref: 000000014001FCAB
DeleteObject.GDI32 ref: 000000014001FCB9
DeleteObject.GDI32 ref: 000000014001FCC7

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: LineObject$DeleteSelect$CreateMove
String ID:
API String ID: 942295950-0
Opcode ID: 8905afc1c0ad8fed279197ddca2ebb14e51d8cef65e504ca11912654cb231f72
Instruction ID: dafebe9fe28e3f16b7396be985a0e8fda7e01714ea8ec3aa6c9759547280ec70
Opcode Fuzzy Hash: 8905afc1c0ad8fed279197ddca2ebb14e51d8cef65e504ca11912654cb231f72
Instruction Fuzzy Hash: 5A21963A710A808BD7559F23E95479AB761F78DFD4F188015EF5A0BB28CF39E4458B80

Function 0000000140006138 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001E54: LoadLibraryW.KERNEL32 ref: 0000000140001E87
Part of subcall function 0000000140001E54: GetProcAddress.KERNEL32 ref: 0000000140001E9E

lstrlenW.KERNEL32 ref: 0000000140006319
_cwprintf_s_l.LIBCMT ref: 0000000140006353
_cwprintf_s_l.LIBCMT ref: 0000000140006463
MessageBoxW.USER32 ref: 00000001400064DA

Strings

%d c2:%d, xrefs: 0000000140006457
--, xrefs: 0000000140006468
%d.) %s : %s, xrefs: 0000000140006347
, xrefs: 000000014000647A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: _cwprintf_s_l$AddressLibraryLoadMessageProclstrlen
String ID: $--$%d c2:%d$%d.) %s : %s
API String ID: 2498098824-883129594
Opcode ID: 70e4913d2d89bd3880ad882b7e21b25d7f954f37d94998cd494a27b14dc6733a
Instruction ID: 1662987e0f51c3c27642f526c6c655dd5087fd7a4b320527f6e57c0d40f780c9
Opcode Fuzzy Hash: 70e4913d2d89bd3880ad882b7e21b25d7f954f37d94998cd494a27b14dc6733a
Instruction Fuzzy Hash: 9EE17072305A8082EA52CB7AE8517D963A1F789BF4F444312EB6E976F5DF38C445CB40

Function 00000001400A6518 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 183windowcomCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400A6562
CoCreateInstance.OLE32 ref: 00000001400A65B9
FindWindowExW.USER32 ref: 00000001400A665C
GetDlgCtrlID.USER32 ref: 00000001400A66D7
SendMessageW.USER32 ref: 00000001400A673D
ImageList_GetImageInfo.COMCTL32 ref: 00000001400A6765
SendMessageW.USER32 ref: 00000001400A6797

Strings

SysTreeView32, xrefs: 00000001400A664C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ImageMessageSend$ClientCreateCtrlFindInfoInstanceList_RectWindow
String ID: SysTreeView32
API String ID: 3498475682-1698111956
Opcode ID: b40857ce68eca97ac279472ae2654539bca499f7acb29a13780fa7775b3860a5
Instruction ID: b967fff96086e11505ed5890c6433bfeb092e69e14d3da72218f5800dead6df7
Opcode Fuzzy Hash: b40857ce68eca97ac279472ae2654539bca499f7acb29a13780fa7775b3860a5
Instruction Fuzzy Hash: E7812576210B8486DB65DF26E8847DE73A5F388B80F548922DBAE47B64DF39D885C700

Function 0000000140040018 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 166registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400400D8
RegOpenKeyExW.ADVAPI32 ref: 0000000140040157
RegQueryValueExW.ADVAPI32 ref: 00000001400401A8
lstrlenW.KERNEL32 ref: 00000001400401B8
RegCloseKey.ADVAPI32 ref: 00000001400401D4
lstrlenW.KERNEL32 ref: 000000014004021A

Strings

Content Type, xrefs: 000000014004019C
application/unknown, xrefs: 0000000140040127

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$CloseOpenQueryValue
String ID: Content Type$application/unknown
API String ID: 2304643261-1085911772
Opcode ID: 729a1a9da6d946ea1f34177d70679dbff31b99967a0bb983a2b847bf8bd67fac
Instruction ID: 7d05fe7c52b983f75d58c2bb761ad57d65d29fbc042a1f479a0e2f95defb6702
Opcode Fuzzy Hash: 729a1a9da6d946ea1f34177d70679dbff31b99967a0bb983a2b847bf8bd67fac
Instruction Fuzzy Hash: DE716C36211A4096EB529F66E8803DA63A0F788BE4F448225FB6E477F6DF38C455CB00

Function 0000000140115834 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 158stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014011588B
SHGetMalloc.SHELL32 ref: 00000001401158A7
SHBrowseForFolderW.SHELL32 ref: 000000014011593C
SHGetPathFromIDListW.SHELL32 ref: 0000000140115961
lstrlenW.KERNEL32 ref: 000000014011597B
MessageBoxW.USER32 ref: 00000001401159AD

Strings

Verzeichnisauswahl / Select a directory:, xrefs: 0000000140115884, 0000000140115891
Failed to get directory, xrefs: 00000001401159A4

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$BrowseFolderFromListMallocMessagePath
String ID: Failed to get directory$Verzeichnisauswahl / Select a directory:
API String ID: 611531059-3768070435
Opcode ID: e5d83f78b5bc466dd82e8a16b2694b29347c46f22ebacb69bd1f815ada073fac
Instruction ID: 70b6ff1d12bcbbf4c6862068cb43ef99f1d53f3ccfea9ca737139f6557321e0e
Opcode Fuzzy Hash: e5d83f78b5bc466dd82e8a16b2694b29347c46f22ebacb69bd1f815ada073fac
Instruction Fuzzy Hash: 4D615032211A4086E756EB3AE8953A923A0FB8CFB4F544711DB6F8B6F4DF39C4558740

Function 00000001400FA63C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400FA1E0: SHGetFileInfoW.SHELL32 ref: 00000001400FA26F
Part of subcall function 00000001400FA1E0: lstrlenW.KERNEL32 ref: 00000001400FA282

AppendMenuW.USER32 ref: 00000001400FA69D
AppendMenuW.USER32 ref: 00000001400FA6BF
GetMenuItemInfoW.USER32 ref: 00000001400FA707
lstrcpynW.KERNEL32 ref: 00000001400FA732
SetMenuItemInfoW.USER32 ref: 00000001400FA758

Strings

d, xrefs: 00000001400FA6DD
H, xrefs: 00000001400FA6D5
1, xrefs: 00000001400FA713

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Menu$Info$AppendItem$Filelstrcpynlstrlen
String ID: 1$H$d
API String ID: 3659072720-2962081501
Opcode ID: 89560908aa01e2190ba77cccb70d0fdca5208bb7476d50e5c641b9a2ece68469
Instruction ID: fc02280e636dd2d6a70bd4ec8c3b7a2432faa55408951c49149887ab4ccf56cf
Opcode Fuzzy Hash: 89560908aa01e2190ba77cccb70d0fdca5208bb7476d50e5c641b9a2ece68469
Instruction Fuzzy Hash: 5331C372214A8082E762DB26E8547CAB3A0F7CDBE4F445225BB6A47AF5CF7CC505CB00

Function 000000014001E2F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014001E323
ScreenToClient.USER32 ref: 000000014001E33F
SendMessageW.USER32 ref: 000000014001E359
SendMessageW.USER32 ref: 000000014001E374
ScreenToClient.USER32 ref: 000000014001E3B2
SendMessageW.USER32 ref: 000000014001E3CC
SendMessageW.USER32 ref: 000000014001E402

Strings

o, xrefs: 000000014001E408

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$ClientScreen$Cursor
String ID: o
API String ID: 2946236063-252678980
Opcode ID: ef7565315ca815afcddbb04c803b954a53bf61e154ffe7df45128ba5cbdcb52e
Instruction ID: 45a8256c60a5a16804508c6eb6fde6f4c1b61692bd0d3b56c2c541f91f8d4270
Opcode Fuzzy Hash: ef7565315ca815afcddbb04c803b954a53bf61e154ffe7df45128ba5cbdcb52e
Instruction Fuzzy Hash: C3413B36214A8583EB65CB22E4547DEB3A0F78CFD5F448122EB5A0BB68DF79C555CB00

Function 000000014001DA80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 000000014001DAB1
ShowWindow.USER32 ref: 000000014001DB05
SetFocus.USER32 ref: 000000014001DB0F
SendMessageW.USER32 ref: 000000014001DB28
SetWindowPos.USER32 ref: 000000014001DB62
UpdateWindow.USER32 ref: 000000014001DB6C
RedrawWindow.USER32 ref: 000000014001DB81

Part of subcall function 00000001400FE830: #4.SHELL32 ref: 00000001400FE843

Strings

p, xrefs: 000000014001DB40

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$FocusFolderLocationMessageRedrawSendShowSpecialUpdate
String ID: p
API String ID: 1076984956-2181537457
Opcode ID: 266f0b2ab112205f0fbbeebdebc48049461b818aec0bb42451ce944bca3b1aed
Instruction ID: 9eb0a05253ee0a9591f03b78a0303ee2663ee33ba0746f13fc5c789fc2b9bbd8
Opcode Fuzzy Hash: 266f0b2ab112205f0fbbeebdebc48049461b818aec0bb42451ce944bca3b1aed
Instruction Fuzzy Hash: DB318D72300A8087E718DF67E95478EB761F78CBA0F448225DBAA47BA4CF39D465CB40

Function 0000000140007F1C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 48registrytimeCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140007F5F
timeGetTime.WINMM ref: 0000000140007F6F
RegSetValueExW.ADVAPI32 ref: 0000000140007F9B
RegCloseKey.ADVAPI32 ref: 0000000140007FB4
RegDeleteValueW.ADVAPI32 ref: 0000000140007FC8
RegCloseKey.ADVAPI32 ref: 0000000140007FE0

Strings

_________ADMIN_TEST_SoftwareOK, xrefs: 0000000140007F89, 0000000140007FBE
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 0000000140007F43

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CloseValue$DeleteOpenTimetime
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion$_________ADMIN_TEST_SoftwareOK
API String ID: 1042658670-3312681302
Opcode ID: b57ef26c7f9f59886a9f6bd09978b25a63e142dadbd2d67efb49e61e1def9bfc
Instruction ID: 93d4eb29420f7a8397024a88b39a01418e1dcb35781e1373d50b23cd77d437aa
Opcode Fuzzy Hash: b57ef26c7f9f59886a9f6bd09978b25a63e142dadbd2d67efb49e61e1def9bfc
Instruction Fuzzy Hash: D52151B1610B0186FB528B26F844BE973A4F75DB95F980130EB494B6B4EB3DC188CB40

Function 0000000140103BA4 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140048B84: GetVersionExW.KERNEL32 ref: 0000000140048BE5
Part of subcall function 0000000140048B84: GetVersionExW.KERNEL32 ref: 0000000140048C19

Concurrency::details::stl_critical_section_win7::stl_critical_section_win7.LIBCPMT ref: 0000000140103C3D

Part of subcall function 0000000140118880: InitializeCriticalSection.KERNEL32 ref: 0000000140118897

SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103D0A
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103D1E
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103D34
SHGetSettings.SHELL32 ref: 0000000140103D42
DeleteObject.GDI32 ref: 0000000140103DAA
CreateFontIndirectW.GDI32 ref: 0000000140103DCA
SHGetDesktopFolder.SHELL32 ref: 0000000140103DE1
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103DF9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Folder$LocationSpecial$Version$Concurrency::details::stl_critical_section_win7::stl_critical_section_win7CreateCriticalDeleteDesktopFontIndirectInitializeObjectSectionSettings
String ID:
API String ID: 4159206225-0
Opcode ID: a799804ddf88ae58d7e28c15e9a88a2b400b0d6743f4b1ee47025bf93db21a22
Instruction ID: 6f3ffeec9e0406492a276f117b0f5e0e68a6d5468a7e380ec3e4171c25c19210
Opcode Fuzzy Hash: a799804ddf88ae58d7e28c15e9a88a2b400b0d6743f4b1ee47025bf93db21a22
Instruction Fuzzy Hash: 2C810872201B8087E769CF26F8947DEB7A8F749BA4F504219DBEA076A0DF39D055CB40

Function 0000000140015D6C Relevance: 13.6, APIs: 9, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1fc83b9c300319994002453ff1fbeaf10af7aacc190cdf1e5edf7319907a13
Instruction ID: 8902ad8abcf953dfc7f8d0c16a0b02d7ea7967f02e6f9919dd1262025804e2a8
Opcode Fuzzy Hash: 0b1fc83b9c300319994002453ff1fbeaf10af7aacc190cdf1e5edf7319907a13
Instruction Fuzzy Hash: 7B312732614B40C6EB669B26E41439963E0FB8CFC5F084015EF8A0F768DF7AD505C740

Function 0000000140022170 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155windowstringCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00000001400221B2
SendMessageW.USER32 ref: 0000000140022216
lstrlenW.KERNEL32 ref: 000000014002227A
lstrlenW.KERNEL32 ref: 0000000140022297
SendMessageW.USER32 ref: 0000000140022335
SendMessageW.USER32 ref: 0000000140022390

Strings

0, xrefs: 000000014002234B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$lstrlen$DrivesLogical
String ID: 0
API String ID: 1932446174-4108050209
Opcode ID: 592ac17d05d446328c3688e30ddf1153552348c05069813c25ede8053c76e5e4
Instruction ID: e856c5174a01106574392260ac54b9b31cd9196cc3e436c50abd4262a28f5b2a
Opcode Fuzzy Hash: 592ac17d05d446328c3688e30ddf1153552348c05069813c25ede8053c76e5e4
Instruction Fuzzy Hash: 8771A132204A8096E762DF26E8407DE77A0F788BA4F444226EB9D47AF5DF3CC549CB40

Function 00000001400085AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 86stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400085E6
lstrlenW.KERNEL32 ref: 0000000140008644
lstrcpyW.KERNEL32 ref: 000000014000865B
IsWindow.USER32 ref: 0000000140008677
SendMessageW.USER32 ref: 0000000140008698
SendMessageW.USER32 ref: 0000000140008711

Strings

H, xrefs: 00000001400086A6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSendlstrlen$Windowlstrcpy
String ID: H
API String ID: 3084890318-2852464175
Opcode ID: 998fd3e03e9546dc5ce73377d0c6faa6de96efd626bce2f7390d205c5cf8eea9
Instruction ID: 00dc3f2accd2afacbe5e53b625b80bfc19200b543686506839eeae09b77daa82
Opcode Fuzzy Hash: 998fd3e03e9546dc5ce73377d0c6faa6de96efd626bce2f7390d205c5cf8eea9
Instruction Fuzzy Hash: 2D417072214B8082EA65DB26F9443A973A0F78CBE0F044224EF994BBA4CF39D465C740

Function 00000001400022A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67registryclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400022C5
GlobalFree.KERNEL32 ref: 00000001400022CE
RegisterClipboardFormatW.USER32 ref: 0000000140002303
GlobalLock.KERNEL32 ref: 000000014000237F
GlobalUnlock.KERNEL32 ref: 0000000140002391
ReleaseStgMedium.OLE32 ref: 000000014000239C

Strings

Shell IDList Array, xrefs: 00000001400022F6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Global$Unlock$ClipboardFormatFreeLockMediumRegisterRelease
String ID: Shell IDList Array
API String ID: 660139674-4184189358
Opcode ID: d9502714cfd4eeb025a438ff4370efde520d43677dca64ecf7438b66c26511cb
Instruction ID: d4b21c7c341ee0f96bc615b554f6c755829edfc16a3668a57fc3daebf2462da3
Opcode Fuzzy Hash: d9502714cfd4eeb025a438ff4370efde520d43677dca64ecf7438b66c26511cb
Instruction Fuzzy Hash: D031F3B2204A4186EB52CB26E88439967B0FB8CBD4F144125EB8A87674DF3DC554CB00

Function 000000014001F818 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014001F831
SendMessageW.USER32 ref: 000000014001F84D
OutputDebugStringW.KERNEL32 ref: 000000014001F85A
SendMessageW.USER32 ref: 000000014001F874
SetFocus.USER32 ref: 000000014001F880
SendMessageW.USER32 ref: 000000014001F895

Strings

fffff, xrefs: 000000014001F853

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Focus$DebugOutputString
String ID: fffff
API String ID: 3720455092-4168676731
Opcode ID: d87b18b21f16af6a7ec6c76fb937ac97ee716c7bf0c7f15d98149f5f35deb68e
Instruction ID: 06b651e80687653329116ea51fc719b0f8f11fc327404b097ad18aa9ec196e5c
Opcode Fuzzy Hash: d87b18b21f16af6a7ec6c76fb937ac97ee716c7bf0c7f15d98149f5f35deb68e
Instruction Fuzzy Hash: 93011D3171154182EB518F72F859BE93360E79DF8AF4C50218F0A0FA70DF3AC44A8740

Function 0000000140020284 Relevance: 12.1, APIs: 8, Instructions: 99windowtimethreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400202B1
SendMessageW.USER32 ref: 00000001400202D2
SendMessageW.USER32 ref: 00000001400202F6
#18.SHELL32 ref: 0000000140020308
KillTimer.USER32 ref: 0000000140020327
SetTimer.USER32 ref: 000000014002033B
GetCurrentThreadId.KERNEL32 ref: 000000014002037F
RaiseException.KERNEL32 ref: 000000014002040B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Timer$CurrentExceptionKillRaiseThread
String ID:
API String ID: 3847418034-0
Opcode ID: 68dc1cbe0aa24f5a72b5a5f84de792b169ec02f3503486e96eca1d02fefaeae8
Instruction ID: b550e88aca2e2971f9cabf041bfae2363234ac33b535199f5b93c579eccb6f49
Opcode Fuzzy Hash: 68dc1cbe0aa24f5a72b5a5f84de792b169ec02f3503486e96eca1d02fefaeae8
Instruction Fuzzy Hash: A2414B32310B4082EB658B27E4947A973A5F788FD5F548129EF5E4BBA5CF39C8858700

Function 0000000140008824 Relevance: 12.1, APIs: 8, Instructions: 95comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000000140008876
#8.OLEAUT32 ref: 000000014000889A
#9.OLEAUT32 ref: 00000001400088DE
#9.OLEAUT32 ref: 00000001400088EA
#9.OLEAUT32 ref: 000000014000895E
#9.OLEAUT32 ref: 000000014000896A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 0b51c8b527ad2f00af57ab81d83cb1fae91b659708fd774fc8f7d48fba9401a9
Instruction ID: 30c3a11663207b04ce095c9100f30b01413de14057cc9cfd9d68442222aacb3b
Opcode Fuzzy Hash: 0b51c8b527ad2f00af57ab81d83cb1fae91b659708fd774fc8f7d48fba9401a9
Instruction Fuzzy Hash: 88413572214B4492EB22DF26E8503D973B0F789F95F544122DB8E4B6B8DF39C989C740

Function 000000014002184C Relevance: 12.1, APIs: 8, Instructions: 67windowtimeCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014002185C
ShowWindow.USER32 ref: 000000014002187B
ShowWindow.USER32 ref: 0000000140021887
SetWindowTextW.USER32 ref: 00000001400218D5
SendMessageW.USER32 ref: 00000001400218F1
SendMessageW.USER32 ref: 0000000140021909
SetTimer.USER32 ref: 000000014002191F
SetFocus.USER32 ref: 000000014002192C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$FocusMessageSendShow$TextTimer
String ID:
API String ID: 1913100717-0
Opcode ID: de8d7ff7c91b498aabb582babbec0c5d97a4d4816c88dcba63e197aca167ba28
Instruction ID: c75126f2db7df582280ac30466f0de8ea6cd3c0ad971bec71a96c073e1f00cd0
Opcode Fuzzy Hash: de8d7ff7c91b498aabb582babbec0c5d97a4d4816c88dcba63e197aca167ba28
Instruction Fuzzy Hash: 83312B36200A8182E752DF76E8507D97362F7C8BF8F5842229F694BAE8CF39C945C740

Function 0000000140025258 Relevance: 12.1, APIs: 8, Instructions: 53windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 0000000140025276

Part of subcall function 0000000140024F7C: SendMessageW.USER32 ref: 0000000140024F9B
Part of subcall function 0000000140024F7C: SendMessageW.USER32 ref: 0000000140024FDC
Part of subcall function 0000000140024F7C: SendMessageW.USER32 ref: 0000000140024FF7

KillTimer.USER32 ref: 0000000140025292
KillTimer.USER32 ref: 00000001400252AE
SendMessageW.USER32 ref: 00000001400252C6
SendMessageW.USER32 ref: 00000001400252E3
#18.SHELL32 ref: 00000001400252ED
SendMessageW.USER32 ref: 0000000140025306
SendMessageW.USER32 ref: 0000000140025322

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$KillTimer
String ID:
API String ID: 1116794301-0
Opcode ID: e45ad180756f6a66daf05634541f668884d209b0447e005d31019f26e81111e8
Instruction ID: 1bab376f7a794c7d31a38753163fbee1d4bf8b7147017290e8f01d4ca8160433
Opcode Fuzzy Hash: e45ad180756f6a66daf05634541f668884d209b0447e005d31019f26e81111e8
Instruction Fuzzy Hash: 30211C35201A8082EB919FB7E85479D6361E7CDFDAF5890319F4A5BBA8DE38C8858350

Function 0000000140005D28 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140003AE4: lstrlenA.KERNEL32 ref: 0000000140003B08
Part of subcall function 0000000140003AE4: MultiByteToWideChar.KERNEL32 ref: 0000000140003B86
Part of subcall function 0000000140003AE4: lstrlenW.KERNEL32 ref: 0000000140003BA2

_cwprintf_s_l.LIBCMT ref: 0000000140005F02
CoTaskMemFree.OLE32 ref: 0000000140005F1F
_cwprintf_s_l.LIBCMT ref: 000000014000606A
CoTaskMemFree.OLE32 ref: 00000001400060BD

Part of subcall function 0000000140001FB4: LoadLibraryW.KERNEL32 ref: 0000000140001FD7
Part of subcall function 0000000140001FB4: GetProcAddress.KERNEL32 ref: 0000000140001FFA

Strings

ViewMode,%d;ImageSize,%d;FolderFlags,%d;GroupBy,%s;Group,%d;, xrefs: 0000000140006023
%s,%d;, xrefs: 0000000140005EF6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FreeTask_cwprintf_s_llstrlen$AddressByteCharLibraryLoadMultiProcWide
String ID: %s,%d;$ViewMode,%d;ImageSize,%d;FolderFlags,%d;GroupBy,%s;Group,%d;
API String ID: 1249642529-1631008325
Opcode ID: 203c4573784517ce03fd3c447d22a9bbf788c9fd543a52949406ede2e60a0183
Instruction ID: 9ab6454bb757e8da9094741ec634296485af00c7723aab5dd1c2fcc9ba6f4e5e
Opcode Fuzzy Hash: 203c4573784517ce03fd3c447d22a9bbf788c9fd543a52949406ede2e60a0183
Instruction Fuzzy Hash: 17C16172204A8086EA12DB2AE4403DEB7A1F7C9FE4F544212EB9D47BA9DF79C545CB00

Function 00000001401020EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 00000001401021F5
#18.SHELL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 0000000140102212
#18.SHELL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 000000014010221E
#25.SHELL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 000000014010222A
SendMessageW.USER32 ref: 0000000140102283

Strings

g, xrefs: 00000001401021E2

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AllocGlobalMessageSend
String ID: g
API String ID: 277534643-30677878
Opcode ID: a3ede16d70b84d5b16f8be3e7eef29651660cf2209a86c703adac8cf844c0f0e
Instruction ID: 58952fd4f6ce98fa664fcb414808b88aa69d7abdc39faae01a3d54ba6093df09
Opcode Fuzzy Hash: a3ede16d70b84d5b16f8be3e7eef29651660cf2209a86c703adac8cf844c0f0e
Instruction Fuzzy Hash: 5F416B72604B85C6EB61CF56E8447DAB3A1F38CF94F544226EBA943BA8CF39C545CB40

Function 00000001400F9460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400F947F
SHGetDesktopFolder.SHELL32 ref: 00000001400F94AA
CreatePopupMenu.USER32 ref: 00000001400F9503
TrackPopupMenu.USER32 ref: 00000001400F9588
SendMessageW.USER32 ref: 00000001400F9607

Strings

8, xrefs: 00000001400F95D6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MenuPopup$CreateDesktopFolderMessageParentSendTrack
String ID: 8
API String ID: 4175632323-4194326291
Opcode ID: 953e1428a459ef7c34fd10fe8bc78450de88d03029f7ffd9cdbf9f1594351eae
Instruction ID: 6b4657662e0c15f174c5e52701b3c905c76491e72966aaa2a50895af07cd93e3
Opcode Fuzzy Hash: 953e1428a459ef7c34fd10fe8bc78450de88d03029f7ffd9cdbf9f1594351eae
Instruction Fuzzy Hash: C4510576314B8486EB618B26E49479AB7A0F789B89F548115EB8D4BB68CF7DC448CB00

Function 00000001400250B0 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140025106
SendMessageW.USER32 ref: 0000000140025126
SendMessageW.USER32 ref: 000000014002513E
SendMessageW.USER32 ref: 000000014002515F
SendMessageW.USER32 ref: 00000001400251A5
SendMessageW.USER32 ref: 00000001400251DD
GetFocus.USER32 ref: 00000001400251E6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: f860ffe6d2140f2844f54cab0ca51870d3129242f74bd8ea73c5c69872e084bb
Instruction ID: b610f388160f3f1a26fda727c0b36c87e76938eff2afb54359062850295804c1
Opcode Fuzzy Hash: f860ffe6d2140f2844f54cab0ca51870d3129242f74bd8ea73c5c69872e084bb
Instruction Fuzzy Hash: 5A419F31314A80C2FBA6AB62E8507DA7350F789BD5F488125AB594BEF5DF38CC95C704

Function 0000000140017B78 Relevance: 10.6, APIs: 7, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

#6.OLEAUT32 ref: 0000000140017BDF
#7.OLEAUT32 ref: 0000000140017BF2
#7.OLEAUT32 ref: 0000000140017C05
CoTaskMemAlloc.OLE32 ref: 0000000140017C13
#6.OLEAUT32 ref: 0000000140017C26

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AllocTask
String ID:
API String ID: 277515162-0
Opcode ID: 5e8679a3c84486a76ba3651a4798ff9ea1603562ef64feffcd663faec1f149ab
Instruction ID: 2024940fa7bce86b04e29bd2d8e461a2552d7b48f24a366a49c5181144aec1d9
Opcode Fuzzy Hash: 5e8679a3c84486a76ba3651a4798ff9ea1603562ef64feffcd663faec1f149ab
Instruction Fuzzy Hash: 28319431200B8586FB569B67A4547D953B0EBCCBD4F184429BF4D8F7B5DE7AC8848380

Function 000000014000801C Relevance: 10.6, APIs: 7, Instructions: 80threadCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0000000140008044
GetCurrentThreadId.KERNEL32 ref: 0000000140008058
EnterCriticalSection.KERNEL32 ref: 0000000140008065
RaiseException.KERNEL32 ref: 00000001400080A0
EnterCriticalSection.KERNEL32 ref: 00000001400080CE
GetCurrentThreadId.KERNEL32 ref: 00000001400080DD
LeaveCriticalSection.KERNEL32 ref: 0000000140008113

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CriticalSection$CurrentEnterExceptionRaiseThread$Leave
String ID:
API String ID: 1900833728-0
Opcode ID: ba634b300a653fc6c7866f7a959c155f4ccca22f17d11136a9290faf1b74e37b
Instruction ID: aa2b480570dfd8a4a5ca896e549a89b7028c7b0db67c4808613ad90208e02cc4
Opcode Fuzzy Hash: ba634b300a653fc6c7866f7a959c155f4ccca22f17d11136a9290faf1b74e37b
Instruction Fuzzy Hash: E8318E72210B8182EBA5CF62F95079977A4FB4CBC4F485421EF9A07F64DF38D4A58740

Function 00000001400F9DFC Relevance: 10.6, APIs: 7, Instructions: 80stringCOMMON

Download Yara Rule

APIs

SHGetDesktopFolder.SHELL32 ref: 00000001400F9E3B
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400F9E4A
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400F9E5C
SHGetPathFromIDListW.SHELL32 ref: 00000001400F9E8A
lstrlenW.KERNEL32 ref: 00000001400F9E9D
GetWindowsDirectoryW.KERNEL32 ref: 00000001400F9F01
SHGetFileInfoW.SHELL32 ref: 00000001400F9F21

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Folder$LocationSpecial$DesktopDirectoryFileFromInfoListPathWindowslstrlen
String ID:
API String ID: 3622127152-0
Opcode ID: f31967b80806024e4af3f12ef5453d4f7bfbc6933549fb0c34b3948bf1d303ec
Instruction ID: 5ec5ded693a50d538c3300387ca122cb75aea0257e626655050a9e7877038880
Opcode Fuzzy Hash: f31967b80806024e4af3f12ef5453d4f7bfbc6933549fb0c34b3948bf1d303ec
Instruction Fuzzy Hash: 75313872600B8586EB61DF26E4947DAB3A1F78CB84F844435DB8A87B79DF39D045C780

Function 0000000140020DC0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140006F44: CreateWindowExW.USER32 ref: 0000000140006FCC

SendMessageW.USER32 ref: 0000000140020E75
SendMessageW.USER32 ref: 0000000140020EFB

Part of subcall function 000000014001E584: SendMessageW.USER32 ref: 000000014001E5B5

Strings

ComboBoxEx32, xrefs: 0000000140020E0A
d, xrefs: 0000000140020DEF
B, xrefs: 0000000140020E18
2, xrefs: 0000000140020E24

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$CreateWindow
String ID: 2$B$ComboBoxEx32$d
API String ID: 2286652126-2739734601
Opcode ID: 38eaeb23fb88a4f4eec0de346e90d652ca85c744b6c391e02b432fcefee57cb3
Instruction ID: 437f6332de87a5facb4a58d3b39335fbcc2ef115efb4f6be8620e2d7ce48a668
Opcode Fuzzy Hash: 38eaeb23fb88a4f4eec0de346e90d652ca85c744b6c391e02b432fcefee57cb3
Instruction Fuzzy Hash: 21318D72611B8486EB41CF26E4443DD77A0F748F98F584039AB490BBA5DF79C886CB00

Function 0000000140009B24 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 0000000140009B66
SetCursor.USER32 ref: 0000000140009B78
InvalidateRect.USER32 ref: 0000000140009BB6
UpdateWindow.USER32 ref: 0000000140009BC0
_TrackMouseEvent.COMCTL32 ref: 0000000140009BF4
InvalidateRect.USER32 ref: 0000000140009C28
UpdateWindow.USER32 ref: 0000000140009C32

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Rect$InvalidateUpdateWindow$CursorEventMouseTrack
String ID:
API String ID: 1598129390-0
Opcode ID: 802e805989fa9d4c4a32bece14764307a2230e9df8b2b09ca72670b31ce017dd
Instruction ID: 949cb897e6d9736c8290268a34c261f74a99af520b63d9f9da859e87e208ad99
Opcode Fuzzy Hash: 802e805989fa9d4c4a32bece14764307a2230e9df8b2b09ca72670b31ce017dd
Instruction Fuzzy Hash: E1314F7260468486EB52CF3AE5547DD77E0F788F88F484026EB894B679CF39C946CB90

Function 0000000140001260 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001210: lstrlenW.KERNEL32 ref: 0000000140001231

SetWindowTextW.USER32 ref: 00000001400012D8
wsprintfW.USER32 ref: 00000001400012EF
SendMessageW.USER32 ref: 0000000140001360

Part of subcall function 0000000140001148: SendMessageW.USER32 ref: 00000001400011A7

Strings

@, xrefs: 000000014000132D
last_entry, xrefs: 00000001400012BA, 000000014000133A
entry_%03d, xrefs: 00000001400012E0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$TextWindowlstrlenwsprintf
String ID: @$entry_%03d$last_entry
API String ID: 1117576183-2027942737
Opcode ID: 48a734eb831d4a926fa84141339b4d994ed079c3306510baa5842e080204d01d
Instruction ID: 20367c67e7e0e347c9ea5ae8511fba4c3340f68be4988edafbc17f5fb6ca8904
Opcode Fuzzy Hash: 48a734eb831d4a926fa84141339b4d994ed079c3306510baa5842e080204d01d
Instruction Fuzzy Hash: 35316B72204A85A1EB31DFA2F4957DA73A1F78CBC0F841012EB8947A6ADF38C115CB84

Function 000000014001FF04 Relevance: 10.6, APIs: 7, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014001FF32
ScreenToClient.USER32 ref: 000000014001FF41
SendMessageW.USER32 ref: 000000014001FF72
SendMessageW.USER32 ref: 000000014001FF97
GetKeyState.USER32 ref: 000000014001FFA2
SendMessageW.USER32 ref: 000000014001FFCC
SendMessageW.USER32 ref: 000000014001FFDF

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$ClientCursorScreenState
String ID:
API String ID: 3260035165-0
Opcode ID: a343c8b907ce01b40606f00f3a9d77aadc0a1782466dc752b0cf1a0f6d8135ae
Instruction ID: c55825a72f766a07505aea3f532184b6208be2b27f5a7f4d0f0cdc84b4e8e52c
Opcode Fuzzy Hash: a343c8b907ce01b40606f00f3a9d77aadc0a1782466dc752b0cf1a0f6d8135ae
Instruction Fuzzy Hash: BB216A32604A4487E7518F36E8547AA73A0F78CF89F488011EB8A4BAB8DF7DC945CF40

Function 0000000140001988 Relevance: 10.6, APIs: 7, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400019C4
SendMessageW.USER32 ref: 00000001400019E0
SendMessageW.USER32 ref: 00000001400019FA
SetWindowLongPtrW.USER32 ref: 0000000140001A0E
SetWindowLongPtrW.USER32 ref: 0000000140001A20
SetWindowLongPtrW.USER32 ref: 0000000140001A38
SetWindowLongPtrW.USER32 ref: 0000000140001A55

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fa389dbd0ff469c580dd02baa99d938c1ff7d63db430f8735c4fcb3ba0e5e364
Instruction ID: 64377e77e092256bba4b0bf8dd6efe28a2cdfd72a8759b74ea15fe6f58fd8926
Opcode Fuzzy Hash: fa389dbd0ff469c580dd02baa99d938c1ff7d63db430f8735c4fcb3ba0e5e364
Instruction Fuzzy Hash: C7213576700B8193E718CB72E984B9A73A0F78DB94F448121DB1A07F21DF35D0798340

Function 00000001400F963C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00000001400F9663
GetMenuItemInfoW.USER32 ref: 00000001400F96AF
GetMenuItemCount.USER32 ref: 00000001400F96BA

Strings

d, xrefs: 00000001400F969F
H, xrefs: 00000001400F9697
?, xrefs: 00000001400F96A7

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ItemMenu$Count$Info
String ID: ?$H$d
API String ID: 1536321054-264075452
Opcode ID: 7a3e92aaea603efdefe6229bc4d6be2efc8871259700f46f410b9cef0d8ffbe3
Instruction ID: 5eca7ed4276809b55e93e9ca8379de036a42334ab9fcc5bdd33d7e260f2269e4
Opcode Fuzzy Hash: 7a3e92aaea603efdefe6229bc4d6be2efc8871259700f46f410b9cef0d8ffbe3
Instruction Fuzzy Hash: E3014032204A8486E762CF62E9953DA72A1F78CBC8F444125EB8D4BB65DF7DC549CB40

Function 0000000140053BCC Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 0000000140053C0C
CopyRect.USER32 ref: 0000000140053C24
GetClientRect.USER32 ref: 0000000140053C4E
SetBkColor.GDI32 ref: 0000000140053D61
ExtTextOutW.GDI32 ref: 0000000140053D8F
SetBkColor.GDI32 ref: 0000000140053D9A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ColorRect$ClientClipCopyText
String ID:
API String ID: 3037928153-0
Opcode ID: 8f9e3595d1f24f89afdd309441a8681e8f0c67a4d7e7932a1e4881341db277d8
Instruction ID: 8260f42f37f333a98bb1e8b9bc4db72a3e4eedd5c871235fd60e27b76e8a4575
Opcode Fuzzy Hash: 8f9e3595d1f24f89afdd309441a8681e8f0c67a4d7e7932a1e4881341db277d8
Instruction Fuzzy Hash: 4D5177766187908BD315CF1AA84479AFBA5F3D8B81F50411AFB8643B28DB7DD846CF00

Function 0000000140022BE0 Relevance: 9.1, APIs: 6, Instructions: 133windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140020988: IsWindowVisible.USER32 ref: 0000000140020995
Part of subcall function 0000000140020988: ShowWindow.USER32 ref: 00000001400209A5
Part of subcall function 0000000140020988: ShowWindow.USER32 ref: 00000001400209B1
Part of subcall function 0000000140020988: SendMessageW.USER32 ref: 00000001400209D2
Part of subcall function 0000000140020988: SendMessageW.USER32 ref: 00000001400209FD
Part of subcall function 0000000140020988: ReleaseCapture.USER32 ref: 0000000140020A03

GetCursorPos.USER32 ref: 0000000140022C92
GetWindowRect.USER32 ref: 0000000140022CA3
SendMessageW.USER32 ref: 0000000140022CC1
SetCapture.USER32 ref: 0000000140022CD5
SendMessageW.USER32 ref: 0000000140022DD1
ReleaseCapture.USER32 ref: 0000000140022DD7

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSendWindow$Capture$ReleaseShow$CursorRectVisible
String ID:
API String ID: 898369708-0
Opcode ID: 9c36f5682363d8106458575818e2ac02bb8ebccf653df2b50aa808af24c2f18c
Instruction ID: 9e7ededcd470cc7bf4384a777be597110a382e4ea636f7fee75998e3a344dd72
Opcode Fuzzy Hash: 9c36f5682363d8106458575818e2ac02bb8ebccf653df2b50aa808af24c2f18c
Instruction Fuzzy Hash: 89515B36604B8096EB618B62F4043DE72A4F388BC8F20452AFB8917BA5DF79C945CB45

Function 00000001400074B8 Relevance: 9.1, APIs: 6, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014000750A
RegCloseKey.ADVAPI32 ref: 0000000140007526
RegEnumKeyExW.ADVAPI32 ref: 0000000140007587
RegCloseKey.ADVAPI32 ref: 000000014000759B
RegDeleteKeyW.ADVAPI32 ref: 00000001400075B0
RegCloseKey.ADVAPI32 ref: 00000001400075C2

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: bf99dca1336df69e9244f836b331ceaeb518d51efc0e3d7ef9c974df55cd5413
Instruction ID: d7bd5abe59ac059ee7eff851a91fbfb4fc1a61cb37cfc273d06cbcdd0c71c80d
Opcode Fuzzy Hash: bf99dca1336df69e9244f836b331ceaeb518d51efc0e3d7ef9c974df55cd5413
Instruction Fuzzy Hash: 32313E76608B8486DA51DF66F88479AB7A0F38CBD4F940025EB8E47B65CF7DC485CB40

Function 00000001400017FC Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140001851
SendMessageW.USER32 ref: 0000000140001865
SendMessageW.USER32 ref: 0000000140001888
SendMessageW.USER32 ref: 00000001400018AC
SendMessageW.USER32 ref: 00000001400018C4
SetWindowLongPtrW.USER32 ref: 00000001400018E3

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 12d0f0d73ac8d2e3b61ed2c7a29258e4ce9088586d7d1f5a5a690189d225b3e2
Instruction ID: 39fb874ae95ad9df0cd18ba223608d9a1f9d5846aaa8b884554e399c5500fca1
Opcode Fuzzy Hash: 12d0f0d73ac8d2e3b61ed2c7a29258e4ce9088586d7d1f5a5a690189d225b3e2
Instruction Fuzzy Hash: FA21BE71B1068182FB618BA3F845BDA2390E7CCBE5F589121AB0A4BEB4DE79C1418740

Function 0000000140013780 Relevance: 9.1, APIs: 6, Instructions: 52stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00000001400137A4
GetWindowTextW.USER32 ref: 00000001400137B7
GetDlgItem.USER32 ref: 00000001400137C6
GetWindowTextW.USER32 ref: 00000001400137E9
lstrlenW.KERNEL32 ref: 00000001400137FC
EndDialog.USER32 ref: 0000000140013833

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ItemTextWindow$Dialoglstrlen
String ID:
API String ID: 1317092535-0
Opcode ID: a87151fa2057cafff4ff3c40a49fe09c4c87aec9be2fe003504239a4af3fa535
Instruction ID: cdc34d9d0ca18f597bc0f2442e4f5c04772569c5d815cbb7c897c3705deea6ad
Opcode Fuzzy Hash: a87151fa2057cafff4ff3c40a49fe09c4c87aec9be2fe003504239a4af3fa535
Instruction Fuzzy Hash: 79212736605A9183EB52DF27E49435EA3A0F78CF80F444022EB8A8BB68CE39D5468740

Function 000000014001603C Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000014001607D
GetDeviceCaps.GDI32 ref: 000000014001608E
GetDeviceCaps.GDI32 ref: 000000014001609E
ReleaseDC.USER32 ref: 00000001400160AB
MulDiv.KERNEL32 ref: 00000001400160BF
MulDiv.KERNEL32 ref: 00000001400160D2

Part of subcall function 0000000140001D00: FindWindowExW.USER32 ref: 0000000140001D34

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CapsDevice$FindReleaseWindow
String ID:
API String ID: 359319186-0
Opcode ID: 335af62c087f23680f868d21f8b268083a477dfa7f84046068a8233ea32e3cee
Instruction ID: 555d2e7100eae8ecbc063fbf60d384ae605c5965ff4310db2ed006cd44cf6971
Opcode Fuzzy Hash: 335af62c087f23680f868d21f8b268083a477dfa7f84046068a8233ea32e3cee
Instruction Fuzzy Hash: AF113D75300B408AEB4ADF72E84935A76A1F78CFC1F188129EF4A4BB65DF3AD8118744

Function 0000000140015F80 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 0000000140015FC1
GetDeviceCaps.GDI32 ref: 0000000140015FD2
GetDeviceCaps.GDI32 ref: 0000000140015FE2
ReleaseDC.USER32 ref: 0000000140015FEF
MulDiv.KERNEL32 ref: 0000000140016003
MulDiv.KERNEL32 ref: 0000000140016016

Part of subcall function 0000000140001D00: FindWindowExW.USER32 ref: 0000000140001D34

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CapsDevice$FindReleaseWindow
String ID:
API String ID: 359319186-0
Opcode ID: b12ce51487e56afd0b3dbcd9719e3b41cdc7e025723370b1946c30d8a801cd06
Instruction ID: 32313d7738bb70db4353e7da33688b8d3e54c674ab3359cd1800ddaf45387ef1
Opcode Fuzzy Hash: b12ce51487e56afd0b3dbcd9719e3b41cdc7e025723370b1946c30d8a801cd06
Instruction Fuzzy Hash: C9113D753016408BEB49DF22E80539976A1F78CFC1F188139EF4A4B765DF39D8018744

Function 0000000140015C2D Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 0000000140015C67
ClientToScreen.USER32 ref: 0000000140015C7A
GetParent.USER32 ref: 0000000140015C84
ScreenToClient.USER32 ref: 0000000140015C9A
ScreenToClient.USER32 ref: 0000000140015CAC
MoveWindow.USER32 ref: 0000000140015CDA

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: 1f98c295c3b08c56dcbf839a4a4d2b88b824048dac41c1f21ebf9688380bf2dc
Instruction ID: 7f329799f33bd3262adc9ebb96557a10ded11004f7850d3629f50e521894eeb0
Opcode Fuzzy Hash: 1f98c295c3b08c56dcbf839a4a4d2b88b824048dac41c1f21ebf9688380bf2dc
Instruction Fuzzy Hash: E6115C76316B418AEA51DF26E84479DB760FB88BC4F045511EB8A4BB28EF3DC455CB40

Function 000000014002196C Relevance: 9.0, APIs: 6, Instructions: 37windowtimeCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0000000140021989
ShowWindow.USER32 ref: 000000014002199D
ShowWindow.USER32 ref: 00000001400219AC
KillTimer.USER32 ref: 00000001400219BB
KillTimer.USER32 ref: 00000001400219D1
GetFocus.USER32 ref: 00000001400219DE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FocusKillShowTimerWindow
String ID:
API String ID: 3044290596-0
Opcode ID: 8621990ddfdd798133131d01057765c320258a9855b5f303c8fe18765cb774f9
Instruction ID: 2b9b25263dbd1fb5fa7c94dd138958bca2446ae866684a869933d9ca086554c2
Opcode Fuzzy Hash: 8621990ddfdd798133131d01057765c320258a9855b5f303c8fe18765cb774f9
Instruction Fuzzy Hash: D5015E31705A8092EB86C76BE5543EE6261F7DCBC1F0840259B494BA70CF3CC9D2C340

Function 0000000140020988 Relevance: 9.0, APIs: 6, Instructions: 33windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0000000140020995
ShowWindow.USER32 ref: 00000001400209A5
ShowWindow.USER32 ref: 00000001400209B1
SendMessageW.USER32 ref: 00000001400209D2
SendMessageW.USER32 ref: 00000001400209FD
ReleaseCapture.USER32 ref: 0000000140020A03

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$MessageSendShow$CaptureReleaseVisible
String ID:
API String ID: 3175066377-0
Opcode ID: ce0e83a03ec4ee1dd4523d9e77da799b9ee6c93cae91b3f4803d904d8190cee2
Instruction ID: 16d2b01de5cf0ce976be5311fdb5b58e5e045f856cc25ec0490923595423f03d
Opcode Fuzzy Hash: ce0e83a03ec4ee1dd4523d9e77da799b9ee6c93cae91b3f4803d904d8190cee2
Instruction Fuzzy Hash: 5B01FB7170164582F7969F73E8587E92361EB8CF96F4880368B0A5F665CF39C9868350

Function 0000000140084178 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 275windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 0000000140030614: lstrlenW.KERNEL32 ref: 00000001400306AE

Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 000000014000349C
Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 0000000140003518

Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 00000001400034BB
Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 00000001400036A1

Part of subcall function 000000014010691C: lstrlenW.KERNEL32 ref: 0000000140106985
Part of subcall function 000000014010691C: lstrlenW.KERNEL32 ref: 00000001401069E0

SetMenuItemInfoW.USER32 ref: 00000001400844DF

Strings

H, xrefs: 00000001400842CD
MENU_2017, xrefs: 000000014008418F
, xrefs: 00000001400842FD
0, xrefs: 00000001400844A5

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$ByteCharInfoItemMenuMultiWide
String ID: $0$H$MENU_2017
API String ID: 3110664725-3967075016
Opcode ID: 8e81b88c14c24131ab1970799924c347965d24fb70a2d45b9b1259aab2ef4ff1
Instruction ID: 814d161aec673e9a6ab83f971220734419c78d4361167942e45194d01dc9a85f
Opcode Fuzzy Hash: 8e81b88c14c24131ab1970799924c347965d24fb70a2d45b9b1259aab2ef4ff1
Instruction Fuzzy Hash: 76D1617330598182EB62CB2AE8517DA6360FB89BB4F444311B7BD879E6DF78C585CB40

Function 0000000140004CA8 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 272COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32 ref: 0000000140004DA1

Strings

image, xrefs: 0000000140004E6F
>>>>>>>>>>>>>>>>>>>>>>>>:, xrefs: 0000000140004D66
audio, xrefs: 0000000140004F45
video, xrefs: 0000000140004EFD

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: DebugOutputString
String ID: >>>>>>>>>>>>>>>>>>>>>>>>:$audio$image$video
API String ID: 1166629820-85831261
Opcode ID: 89fbec7ecaf396ec757d79277fa80d567e2ed32d2e822b1b38b77f2b79e6fa56
Instruction ID: 4ea4c7d9c971c157d1c39f83fbb9d670df84a9e1285380ed96d5ec2a79abadac
Opcode Fuzzy Hash: 89fbec7ecaf396ec757d79277fa80d567e2ed32d2e822b1b38b77f2b79e6fa56
Instruction Fuzzy Hash: FFC14FB3201A8086EA62DB2AE4913DE73A1F7897B4F144312B779576F6CF38D885C740

Function 000000014000CD3C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 0000000140085BB0: _cwprintf_s_l.LIBCMT ref: 0000000140085BEA

GetActiveWindow.USER32 ref: 000000014000CDE4
MessageBoxW.USER32 ref: 000000014000CE93

Part of subcall function 0000000140085724: GetPrivateProfileIntW.KERNEL32 ref: 0000000140085755
Part of subcall function 0000000140085724: _cwprintf_s_l.LIBCMT ref: 0000000140085776

GetActiveWindow.USER32 ref: 000000014000CF8C

Strings

Lizenz, xrefs: 000000014000CD94, 000000014000CDB7
Lizenz, xrefs: 000000014000CD56

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ActiveWindow_cwprintf_s_llstrlen$ByteCharMessageMultiPrivateProfileWide
String ID: Lizenz$Lizenz
API String ID: 391245238-3383787514
Opcode ID: 628e5b16bab049e6997546dd1029402422e97129fc60ff241b007c050ef05ba6
Instruction ID: e852d2016f22db00871252161425d8d185331b9801793e0a7a8e9bb15f26c547
Opcode Fuzzy Hash: 628e5b16bab049e6997546dd1029402422e97129fc60ff241b007c050ef05ba6
Instruction Fuzzy Hash: 4661727231198182EA63DB67E8517E963A1FB89BB0F440312BB79876F5DF38C945CB40

Function 0000000140007068 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400070CA
CompareStringW.KERNEL32 ref: 0000000140007124
CompareStringW.KERNEL32 ref: 0000000140007173

Strings

<A>, xrefs: 000000014000710C
</A>, xrefs: 0000000140007159

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: </A>$<A>
API String ID: 1657112622-2122467442
Opcode ID: f1ae98306a0dc4d9a198098ee93d0280e83c32c987eb90ee134b27f4caac6ae2
Instruction ID: a16723b432ad62851a6586a46339e6a28edab238c7e60eb586aea2c4c25c0ee0
Opcode Fuzzy Hash: f1ae98306a0dc4d9a198098ee93d0280e83c32c987eb90ee134b27f4caac6ae2
Instruction Fuzzy Hash: 81417C72A04B84C9EB25CF2AE8447E9BBA4F798F84F558115DB8C83768EF38D446C740

Function 00000001400016D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014000170F
SendMessageW.USER32 ref: 0000000140001723
wsprintfW.USER32 ref: 0000000140001758

Part of subcall function 00000001400013AC: SendMessageW.USER32 ref: 0000000140001405

Part of subcall function 00000001400011C0: lstrlenW.KERNEL32 ref: 00000001400011E1

wsprintfW.USER32 ref: 00000001400017BD

Strings

entry_%03d, xrefs: 0000000140001749, 00000001400017AE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$wsprintf$lstrlen
String ID: entry_%03d
API String ID: 3434472813-2287328738
Opcode ID: 26b86d3896f9feefeeda562d8e09b7ead3a32d8b3692815a9f317978bf79a396
Instruction ID: b717c8b35cd5727ca2a66aa291fbfd0401708055774c6d90922703a28f774ded
Opcode Fuzzy Hash: 26b86d3896f9feefeeda562d8e09b7ead3a32d8b3692815a9f317978bf79a396
Instruction Fuzzy Hash: D3216F71714A8591E721DB62F8957DA63A1F78CBC4F845021EB8D47E6ADF3CC606CB80

Function 000000014005E758 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140006CCC: RegCreateKeyExW.ADVAPI32 ref: 0000000140006D21
Part of subcall function 0000000140006CCC: RegCloseKey.ADVAPI32 ref: 0000000140006D4A

RegOpenKeyExW.ADVAPI32 ref: 000000014005E7E3
RegCloseKey.ADVAPI32 ref: 000000014005E7F7
RegDeleteKeyW.ADVAPI32 ref: 000000014005E813
RegCloseKey.ADVAPI32 ref: 000000014005E83F

Strings

Q-Dir-Admin-Test, xrefs: 000000014005E780, 000000014005E809

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Close$CreateDeleteOpen
String ID: Q-Dir-Admin-Test
API String ID: 2517957394-3722092558
Opcode ID: fa309d441f328594c4a57fcd27547200bf35728bb60ff2fe9e7224a57156d17a
Instruction ID: 87b703af280292c386fa99309ddd0cbb0e8fddd641967dc40ad9411048e722ac
Opcode Fuzzy Hash: fa309d441f328594c4a57fcd27547200bf35728bb60ff2fe9e7224a57156d17a
Instruction Fuzzy Hash: 2C212B32614A9082EB52CB16F85439973E5F78CFD0F680112EB9947BA4CF7AC985CB80

Function 0000000140022074 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400220BE
SendMessageW.USER32 ref: 00000001400220E7
SendMessageW.USER32 ref: 000000014002212D

Strings

@, xrefs: 00000001400220CF
0, xrefs: 00000001400220A6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$lstrlen
String ID: 0$@
API String ID: 1172434978-1545510068
Opcode ID: 1601c8e892db72aa0a1cf2bf1ea9bc19a7191a27e1eb105fa9045aeaef51daeb
Instruction ID: ddbfc51c3a79b05a2869253fabb33f1850f7458376bc7d084a722858f95e90de
Opcode Fuzzy Hash: 1601c8e892db72aa0a1cf2bf1ea9bc19a7191a27e1eb105fa9045aeaef51daeb
Instruction Fuzzy Hash: 4321813231464082E7619B3AE44439A77A0E7C9BA4F548315E7A987AF9CF38C556CF44

Function 000000014011A924 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 000000014011A95F
lstrlenW.KERNEL32 ref: 000000014011A96E
RegSetValueExW.ADVAPI32 ref: 000000014011A98E
RegCloseKey.ADVAPI32 ref: 000000014011A99B

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 000000014011A948

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CloseOpenValuelstrlen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 2964171075-3913687870
Opcode ID: 7c50986e9f4b8f3e8bd8faefeb71720e6021442e1d482e1be689d0675f62ecc8
Instruction ID: 5cfe4bb5abde329db52458d4a005f69208c2917290fcb5ade1d3e3645eb3a88a
Opcode Fuzzy Hash: 7c50986e9f4b8f3e8bd8faefeb71720e6021442e1d482e1be689d0675f62ecc8
Instruction Fuzzy Hash: 48014C76214B5087DB109F66E84039DBBA1F788FE0F594621EF8947B68CF39C54ACB44

Function 0000000140105AD8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140105B01
GetProcAddress.KERNEL32 ref: 0000000140105B21
FreeLibrary.KERNEL32 ref: 0000000140105B35

Strings

IsThemeActive, xrefs: 0000000140105B17
UxTheme.dll, xrefs: 0000000140105AF2

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: IsThemeActive$UxTheme.dll
API String ID: 145871493-3611418440
Opcode ID: 908373fd2877a7542c0fe83e044299c2c99612ad8c6aa36e03c116ce3a162b6c
Instruction ID: de9107f110dc6e1ef5aef7b735d2bc255ab8f3378797630c10079203d58b98cd
Opcode Fuzzy Hash: 908373fd2877a7542c0fe83e044299c2c99612ad8c6aa36e03c116ce3a162b6c
Instruction Fuzzy Hash: AC018F31B0165086E751DF67B8803A673E0F70CF94F880929FB5A877B4CB38C8819B00

Function 0000000140015E88 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140015EAC
BitBlt.GDI32 ref: 0000000140015EEB
DeleteDC.GDI32 ref: 0000000140015EF4
ReleaseDC.USER32 ref: 0000000140015F05

Strings

, xrefs: 0000000140015EC9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID:
API String ID: 2015589292-3916222277
Opcode ID: b84018bee03d18d6e97db581ce38ac2242b1c3bacfb9994da0e698130dd945ce
Instruction ID: 7cd606f413cf8c21f9ea87088eab4501500ebd18866ac3de96a94ce5da873c8f
Opcode Fuzzy Hash: b84018bee03d18d6e97db581ce38ac2242b1c3bacfb9994da0e698130dd945ce
Instruction Fuzzy Hash: 28012D76218A80C6D7118F26E54836EB7A1F788FE9F144115EF8947B28CB7DC889CB00

Function 0000000140006C74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140006C88
GetProcAddress.KERNEL32 ref: 0000000140006CA0
FreeLibrary.KERNEL32 ref: 0000000140006CB8

Strings

EnableThemeDialogTexture, xrefs: 0000000140006C96
UxTheme.dll, xrefs: 0000000140006C81

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnableThemeDialogTexture$UxTheme.dll
API String ID: 145871493-3190584797
Opcode ID: 34f173713268b76265d243d26936bb18781a0dd01399a9456a214fb2d26c225c
Instruction ID: f56c2b9d72aac4315c18d815eab8db19e53424442d43405e60542a7c232650f8
Opcode Fuzzy Hash: 34f173713268b76265d243d26936bb18781a0dd01399a9456a214fb2d26c225c
Instruction Fuzzy Hash: 48E0C970711A4181EE869B63F9557A523A1EB8CFC0F4C64249E5A0B774EE39C994C740

Function 000000014005C55C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014005C56C
GetProcAddress.KERNEL32 ref: 000000014005C57C
GetCurrentProcess.KERNEL32 ref: 000000014005C58E

Strings

IsWow64Process, xrefs: 000000014005C572
kernel32, xrefs: 000000014005C565

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: ccada01f8b32241bef24b644c24404add471177c14a0d24d1d61a43f5af79063
Instruction ID: 70c19d9519b70ab8798b5845d989e8cd7bb5b3e93dd8160c8ad995d837fd7981
Opcode Fuzzy Hash: ccada01f8b32241bef24b644c24404add471177c14a0d24d1d61a43f5af79063
Instruction Fuzzy Hash: E2E0C274626B4183EA46EB26EC8479933A4FB4CB85F841014EA0E07374EF3DC14ACB40

Function 000000014001816C Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400181C5
GetModuleFileNameW.KERNEL32 ref: 000000014001823A
#161.OLEAUT32 ref: 000000014001825A
#162.OLEAUT32 ref: 000000014001827A
LeaveCriticalSection.KERNEL32 ref: 0000000140018382

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CriticalSection$#161#162EnterFileLeaveModuleName
String ID:
API String ID: 2971530505-0
Opcode ID: 690f21a3e1845385bcaf53a61c12f3dc099acad6d1dcaefb814ef141a452e445
Instruction ID: a25afa92f56d2209929bf59a66b26f0a43651612561abbed378a00cff9f07290
Opcode Fuzzy Hash: 690f21a3e1845385bcaf53a61c12f3dc099acad6d1dcaefb814ef141a452e445
Instruction Fuzzy Hash: 8A613E32205B4086EB66CB2AE4903AD77B1F788FD4F644125EF594B6B8DF3ACA45C740

Function 0000000140019790 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400173B8: DestroyAcceleratorTable.USER32 ref: 0000000140017561

RedrawWindow.USER32 ref: 00000001400197DB
DestroyWindow.USER32 ref: 0000000140019807

Part of subcall function 0000000140016174: GetWindowLongPtrW.USER32 ref: 0000000140016195
Part of subcall function 0000000140016174: SetWindowLongPtrW.USER32 ref: 00000001400161B6

IsWindow.USER32 ref: 0000000140019810
RedrawWindow.USER32 ref: 000000014001987A
DestroyWindow.USER32 ref: 00000001400198AE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Destroy$LongRedraw$AcceleratorTable
String ID:
API String ID: 3281180885-0
Opcode ID: 280645d32c9fc4c27c3d3ff831acddb7af44f93bf84960ef5978e0be93ad8e71
Instruction ID: 69f05dee8efd94aa638988ec922dfefb139b10ce20c02c48992fdc72880c37e0
Opcode Fuzzy Hash: 280645d32c9fc4c27c3d3ff831acddb7af44f93bf84960ef5978e0be93ad8e71
Instruction Fuzzy Hash: 7331A132B04A5085FB629B77D8413ED3270BB9ABE4F584115EF5A4BAE9DF36C582C340

Function 0000000140023CA8 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140023CF8
ClientToScreen.USER32 ref: 0000000140023D14
GetWindowRect.USER32 ref: 0000000140023D27
SendMessageW.USER32 ref: 0000000140023DDC
SendMessageW.USER32 ref: 0000000140023DF9

Part of subcall function 0000000140023730: GetWindowRect.USER32 ref: 0000000140023765
Part of subcall function 0000000140023730: SendMessageW.USER32 ref: 0000000140023790
Part of subcall function 0000000140023730: SendMessageW.USER32 ref: 00000001400237D0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$RectWindow$ClientScreen
String ID:
API String ID: 2198136683-0
Opcode ID: 25aae191ebed58256dedb4c8005e7a6a9c56e7cefbce6b6ef52f19e44207613b
Instruction ID: 625f7a3db415114be2c7c946a1617b858740bbf1a3ad8bb013b25d59d0c9dcbb
Opcode Fuzzy Hash: 25aae191ebed58256dedb4c8005e7a6a9c56e7cefbce6b6ef52f19e44207613b
Instruction Fuzzy Hash: 3D419076210B8086EB419F22E4447ED7360F788FC9F888029EF090B7A5CF78C949C751

Function 0000000140007AEC Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140007B00
GetDlgItem.USER32 ref: 0000000140007B24
SetWindowTextW.USER32 ref: 0000000140007B30
SetWindowTextW.USER32 ref: 0000000140007B7B
SetDlgItemTextW.USER32 ref: 0000000140007BC9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ItemText$Window
String ID:
API String ID: 2802354418-0
Opcode ID: a594adfbb520d1e042016f0e6dc4fa538fe7353b5541c58799b67476dee03054
Instruction ID: b634ca63e069e3e971be17b39d32aaa82f392764d4f4bf4a7909ee36b2a31c6b
Opcode Fuzzy Hash: a594adfbb520d1e042016f0e6dc4fa538fe7353b5541c58799b67476dee03054
Instruction Fuzzy Hash: 0D31617270094183EA41DB7BD8113996361EB88BF0F184321AB7D877E5DF3DC8828751

Function 0000000140015278 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00000001400152C9
GetDlgItem.USER32 ref: 000000014001533A
SendMessageW.USER32 ref: 000000014001534E
GetDlgItem.USER32 ref: 000000014001535E
SendMessageW.USER32 ref: 0000000140015372

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Message$ItemSend
String ID:
API String ID: 950433545-0
Opcode ID: 6e43536db41890a5825e03dcb4903996deabe10d9ec55dcb28b7f51d9de9cb92
Instruction ID: 7bca7bfb517bbd07c9e830d1f50b30bb9cf377672a3dcc04f259e63f8db61dda
Opcode Fuzzy Hash: 6e43536db41890a5825e03dcb4903996deabe10d9ec55dcb28b7f51d9de9cb92
Instruction Fuzzy Hash: 00319F3271098083EB619B3AE86439A7360FBC9BF0F544311AB7A8BAF5DF79C4518740

Function 0000000140017578 Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 000000014001762A
GetFocus.USER32 ref: 0000000140017632
IsChild.USER32 ref: 000000014001763F
GetWindow.USER32 ref: 0000000140017650
SetFocus.USER32 ref: 0000000140017659

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: 2669ce6f154819341a29bbc97dbade08fc2acc40a1aae060a0b4eb754087abf5
Instruction ID: bfaa4b68dd51fa5ad69d427633385faf4ef39b43638e56a6b71d6b7b69afc303
Opcode Fuzzy Hash: 2669ce6f154819341a29bbc97dbade08fc2acc40a1aae060a0b4eb754087abf5
Instruction Fuzzy Hash: 28312B32205B8486EB95CF6AD4587D973B0F788F99F088625DB9D4B7A4CF3AC449CB40

Function 000000014000A844 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 000000014000A8BA
SHGetPathFromIDListW.SHELL32 ref: 000000014000A8CA
wsprintfW.USER32 ref: 000000014000A8E4
GetDlgItem.USER32 ref: 000000014000A8F7
SetWindowTextW.USER32 ref: 000000014000A903

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FolderFromItemListLocationPathSpecialTextWindowwsprintf
String ID:
API String ID: 3259017916-0
Opcode ID: b337608be67815e1f882543b53302fc6b7cb76a9cbfcc451b9fed8b6dfe20f4a
Instruction ID: bfd92be44cf0351dca82a94b62c2d325711ab0d382a8b8545932bfc03b26e6e2
Opcode Fuzzy Hash: b337608be67815e1f882543b53302fc6b7cb76a9cbfcc451b9fed8b6dfe20f4a
Instruction Fuzzy Hash: C3215E72214A8592EA15DB22E4943EA6361F7CCFC5F4880219F8D0BB69CF3CC14ACB80

Function 000000014001FCE4 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014001FD0B
GetClientRect.USER32 ref: 000000014001FD37
GetSysColor.USER32 ref: 000000014001FD4A

Part of subcall function 000000014001FC14: CreatePen.GDI32 ref: 000000014001FC35
Part of subcall function 000000014001FC14: SelectObject.GDI32 ref: 000000014001FC45
Part of subcall function 000000014001FC14: MoveToEx.GDI32 ref: 000000014001FC5C
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC6C
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC7C
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC8D
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC9E
Part of subcall function 000000014001FC14: SelectObject.GDI32 ref: 000000014001FCAB
Part of subcall function 000000014001FC14: DeleteObject.GDI32 ref: 000000014001FCB9
Part of subcall function 000000014001FC14: DeleteObject.GDI32 ref: 000000014001FCC7

IntersectClipRect.GDI32 ref: 000000014001FD91
SendMessageW.USER32 ref: 000000014001FDA4

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: LineObject$DeleteRectSelect$ClientClipColorCreateIntersectMessageMoveParentSend
String ID:
API String ID: 640795467-0
Opcode ID: 8abdaa05f8489e53c2f73c3562a215e7ab2baa942873b570995f9dff90c38e61
Instruction ID: 5038d5b4792f7b22fca29c3999077a22cbaf7a2f18104be4f42bbff3053623b0
Opcode Fuzzy Hash: 8abdaa05f8489e53c2f73c3562a215e7ab2baa942873b570995f9dff90c38e61
Instruction Fuzzy Hash: 0821E5726286848ADB918F26F44079AB7B0F7C8B84F049116EF8A87B28DF79C445CF40

Function 000000014001DBA4 Relevance: 7.5, APIs: 5, Instructions: 49keyboardwindowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014001DBD3
GetAsyncKeyState.USER32 ref: 000000014001DBE8
SendMessageW.USER32 ref: 000000014001DC16
GetAsyncKeyState.USER32 ref: 000000014001DC2D
ShowWindow.USER32 ref: 000000014001DC44

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AsyncState$FocusMessageSendShowWindow
String ID:
API String ID: 3327096832-0
Opcode ID: 5f866e217674990f0777899df403e4e448b59f894e4c893b9b520a52e3229b59
Instruction ID: fe49c99cfa19325b68a893d8f7872c518b3e05df83aafa69b7cd2fa17d13bb67
Opcode Fuzzy Hash: 5f866e217674990f0777899df403e4e448b59f894e4c893b9b520a52e3229b59
Instruction Fuzzy Hash: FB115131700681C2FB6A9B23E55439973A1F7ACBD1F444822EB464BAB4CFB9C8D1C780

Function 000000014001DE6C Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001DE8E
SendMessageW.USER32 ref: 000000014001DEAC
SendMessageW.USER32 ref: 000000014001DEE1
SendMessageW.USER32 ref: 000000014001DEF9
SetWindowPos.USER32 ref: 000000014001DF31

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: 5271574c828254bc2fb153a96e3a34bcbde8accf79d5c1475769f08ac4ca33aa
Instruction ID: 7f1d6115c0fc46552c443e6366ab1eb2d2bd81526d3f9c9a880eedcc8480a8b6
Opcode Fuzzy Hash: 5271574c828254bc2fb153a96e3a34bcbde8accf79d5c1475769f08ac4ca33aa
Instruction Fuzzy Hash: C3117C7272468087E7218F62F859B9A77B0F3C9B9AF144011EB894BE18CB3DC5508F04

Function 000000014001F724 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001F754
SendMessageW.USER32 ref: 000000014001F776
SendMessageW.USER32 ref: 000000014001F789
SendMessageW.USER32 ref: 000000014001F7AF
SendMessageW.USER32 ref: 000000014001F7CE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: efb0df76017d4c17dd09bcb5af510510d325fa0b52017d4f83d20dd3488b4872
Instruction ID: a9d85750d5e182a9d3a4b2647fb052577f188aba24419e61fa361592b93b4448
Opcode Fuzzy Hash: efb0df76017d4c17dd09bcb5af510510d325fa0b52017d4f83d20dd3488b4872
Instruction Fuzzy Hash: E411423531454582FB529F72E825BDA33A1E78DF89F485021EF090FEA5CE3AC545CB00

Function 00000001400C4C68 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

#18.SHELL32 ref: 00000001400C4C8C
#17.SHELL32 ref: 00000001400C4C98
#16.SHELL32 ref: 00000001400C4CB4
#18.SHELL32 ref: 00000001400C4CBD
#155.SHELL32 ref: 00000001400C4CCE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: #155
String ID:
API String ID: 1122522878-0
Opcode ID: 9a32cc60d28c6435935e3f868d0b0a818da1d710b44b85fc901688fecaf1c201
Instruction ID: da2093146b1d4883f13c63bd912c2f832ea7c315c3b51f47c1b6f2bbca3d1f38
Opcode Fuzzy Hash: 9a32cc60d28c6435935e3f868d0b0a818da1d710b44b85fc901688fecaf1c201
Instruction Fuzzy Hash: 62014F31606B4582EB9A8B23E5943A963A0BB5DFC4F084020EF0A0B778EF3DC4658340

Function 000000014002E4EC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 223windowCOMMON

Download Yara Rule

APIs

#18.SHELL32 ref: 000000014002E51B

Part of subcall function 00000001400FD62C: SHGetFileInfoW.SHELL32 ref: 00000001400FD67D

SendMessageW.USER32 ref: 000000014002E869

Part of subcall function 0000000140002D3C: SHGetMalloc.SHELL32 ref: 0000000140002D81

Part of subcall function 00000001400C4C68: #18.SHELL32 ref: 00000001400C4C8C
Part of subcall function 00000001400C4C68: #17.SHELL32 ref: 00000001400C4C98

Strings

ftp://, xrefs: 000000014002E744
', xrefs: 000000014002E7E9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FileInfoMallocMessageSend
String ID: '$ftp://
API String ID: 2720085397-2224211471
Opcode ID: b6ef2afb53ec975224ac763cd79f9719379ac8e05474e69a604d13932f95c70a
Instruction ID: 9e87be585b3c4869394aaa91d6377e58f1872d871267d8a4f42fb31f4084679d
Opcode Fuzzy Hash: b6ef2afb53ec975224ac763cd79f9719379ac8e05474e69a604d13932f95c70a
Instruction Fuzzy Hash: 68B15332255AC181EB62DB26E4947DEB360F7887E4F444326A7AD47AF9DF78C845CB00

Function 0000000140085F64 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101stringtimeCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140085FA9
timeGetTime.WINMM ref: 0000000140085FCE

Strings

Start, xrefs: 0000000140085FE3, 0000000140086003
chk_ini, xrefs: 0000000140085FDC, 0000000140085FFC

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Timelstrlentime
String ID: Start$chk_ini
API String ID: 1894013882-2223941635
Opcode ID: 0910d0cb727912416846f1174ea37008d238004550ec1db09e7153c98418481c
Instruction ID: 94e55ab4f76687b738f5f610a6ec0209f5c1f17635defe9a180fb0e4e79d6394
Opcode Fuzzy Hash: 0910d0cb727912416846f1174ea37008d238004550ec1db09e7153c98418481c
Instruction Fuzzy Hash: DD416D32300A4182EA629F7BE8513DA73A0F788BF4F154725A779876F5DF39C5458B00

Function 000000014002E268 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringwindowCOMMON

Download Yara Rule

APIs

SHGetFileInfoW.SHELL32 ref: 000000014002E31D
lstrlenW.KERNEL32 ref: 000000014002E330
SendMessageW.USER32 ref: 000000014002E3A5

Strings

7, xrefs: 000000014002E34A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FileInfoMessageSendlstrlen
String ID: 7
API String ID: 1791443542-1790921346
Opcode ID: fd089fbe94b865a4ff175553e115fef7a51f2bc2555e8dd100df362627659a02
Instruction ID: d8490fb1d67b395f664c64d04c705b151f0ec587bd65ca41e6f578b32846002c
Opcode Fuzzy Hash: fd089fbe94b865a4ff175553e115fef7a51f2bc2555e8dd100df362627659a02
Instruction Fuzzy Hash: 5B41B332214A8082E762DB26E8417DA73A1F7CCBA0F444225BB5E4BAE5DF3CC445CB00

Function 000000014000F9F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AC04: lstrlenW.KERNEL32 ref: 000000014000AC4C

MessageBoxW.USER32 ref: 000000014000FA39
PostQuitMessage.USER32 ref: 000000014000FADB

Strings

DIR (error):, xrefs: 000000014000FA1A
-install -nolisense, xrefs: 000000014000FAB5

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Message$PostQuitlstrlen
String ID: -install -nolisense$DIR (error):
API String ID: 3530804915-3378501890
Opcode ID: da9d2116cc6d976f98589fa54ca457e95707e8747e53270dfad2b62e2fa2f9a8
Instruction ID: 02d7fa17c24a308701276c9fe8fa7bfc21bf2d42b33da7dad155f12c4e7e3459
Opcode Fuzzy Hash: da9d2116cc6d976f98589fa54ca457e95707e8747e53270dfad2b62e2fa2f9a8
Instruction Fuzzy Hash: 8941937234098082E662DB7AE8553EA2391F78C7F0F144701AB3D976E2DF3DD8859B01

Function 000000014002077C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140020829
WideCharToMultiByte.KERNEL32 ref: 0000000140020893
lstrcpynA.KERNEL32 ref: 00000001400208AA

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Strings

xxA, xrefs: 00000001400207D2

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide$lstrcpyn
String ID: xxA
API String ID: 3533429210-1134453250
Opcode ID: c9b13b3b49ae3a0fe1a40338baec8b2d82f1397cac2e77cee96e721580689359
Instruction ID: a547eeaf1373a3928091a96cb44de3c9cb1a2777885c000a75fc5d867d7c1398
Opcode Fuzzy Hash: c9b13b3b49ae3a0fe1a40338baec8b2d82f1397cac2e77cee96e721580689359
Instruction Fuzzy Hash: FC315B32610B8085DB11DF26E8447DA77A1F74CBA8F884326AB6A4BBE6DF38C5548740

Function 000000014000BE80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000BEC6

Part of subcall function 000000014000AC04: lstrlenW.KERNEL32 ref: 000000014000AC4C

ShellExecuteExW.SHELL32 ref: 000000014000BF53

Strings

-install -runas , xrefs: 000000014000BF27
runas, xrefs: 000000014000BF42

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ExecuteFileModuleNameShelllstrlen
String ID: -install -runas $runas
API String ID: 1911922327-3929630117
Opcode ID: bae3965100ca9b4d2d0ec7dbf4dbf3a6776746e7f2184b68808a97797d12ec14
Instruction ID: 2e156fb82ac7297d941c920cfff97abb80f607fa0f8022e121350240a9254d8e
Opcode Fuzzy Hash: bae3965100ca9b4d2d0ec7dbf4dbf3a6776746e7f2184b68808a97797d12ec14
Instruction Fuzzy Hash: F8415E72205A8082EB62DB2AE8953EA73A0F789BB4F544312A77D476F5DF78C5418B40

Function 00000001400FCFEC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegisterClassExW.USER32 ref: 00000001400FD066
CreateWindowExW.USER32 ref: 00000001400FD0A7

Strings

P, xrefs: 00000001400FD01C
statis_dum_iii, xrefs: 00000001400FD03F

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClassCreateRegisterWindow
String ID: P$statis_dum_iii
API String ID: 3469048531-1313065383
Opcode ID: 7204a8fc8213da2249f4636d29afe0a13662ff5a4b7e30aacd79e94bcc40acda
Instruction ID: 0e978ea9e3005acd3e133d29108afae009959e9db712d3859dcc4d955e5486f4
Opcode Fuzzy Hash: 7204a8fc8213da2249f4636d29afe0a13662ff5a4b7e30aacd79e94bcc40acda
Instruction Fuzzy Hash: 02311972218B848AD750CF11F84838EB7B8F348B80FA5412AEB9C47724CF7AD965CB44

Function 0000000140002888 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400028B3
GetProcAddress.KERNEL32 ref: 00000001400028DB

Strings

QISearch, xrefs: 00000001400028D1
SHLWAPI.DLL, xrefs: 00000001400028AC

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: QISearch$SHLWAPI.DLL
API String ID: 2574300362-4145147620
Opcode ID: 024a2e34a9e16ffaf39e3ee9d7162d9bb1e6c21d7cf10d2e7c5e60dc774e91dc
Instruction ID: ab2e1c7d4fd7b7f29266dee46f7ffa0049422a4993816f206347337d25c21c3c
Opcode Fuzzy Hash: 024a2e34a9e16ffaf39e3ee9d7162d9bb1e6c21d7cf10d2e7c5e60dc774e91dc
Instruction Fuzzy Hash: 80011274206B4481EA9ACB17B84079A63A0BB5CFC0F488426EF5D07778EF3CC458C700

Function 00000001400F816C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400F819E
GetProcAddress.KERNEL32 ref: 00000001400F81B5

Strings

SHCreateItemFromIDList, xrefs: 00000001400F81AB
shell32.dll, xrefs: 00000001400F8197

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHCreateItemFromIDList$shell32.dll
API String ID: 2574300362-1230108373
Opcode ID: 55f173ef94ab55738991bd415ffd65b7ca69e7955fa855aaca1ef78abd096189
Instruction ID: 3ec731725c5976e047d5f3ed11543dc33774e5eb01105c34f16c41895327d7f4
Opcode Fuzzy Hash: 55f173ef94ab55738991bd415ffd65b7ca69e7955fa855aaca1ef78abd096189
Instruction Fuzzy Hash: 90012C34306B4180FE6ACB17B8643E522A4BB4CBD0F484539AF0E0BB74EF78C5429344

Function 00000001400010D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001102
GetProcAddress.KERNEL32 ref: 000000014000111E

Strings

SHAutoComplete, xrefs: 0000000140001114
SHLWAPI.DLL, xrefs: 00000001400010FB

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHAutoComplete$SHLWAPI.DLL
API String ID: 2574300362-1962728933
Opcode ID: 91fbb4a9fa89c319b7572ef584f78a7a01c34eab096ff84b722d1c6fe429b0da
Instruction ID: 9c84f83e5ba2447c17645bfe4ecb8d1c6c0cccc2d12660ec6964ceba05baf484
Opcode Fuzzy Hash: 91fbb4a9fa89c319b7572ef584f78a7a01c34eab096ff84b722d1c6fe429b0da
Instruction Fuzzy Hash: E1F03C31315A5081EB96DF57F9803EA62A1A78CBC0F984935EB5A47BB8DF78C9958300

Function 000000014011B3C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014011B3F6
GetProcAddress.KERNEL32 ref: 000000014011B412

Strings

SHAutoComplete, xrefs: 000000014011B408
SHLWAPI.DLL, xrefs: 000000014011B3EF

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHAutoComplete$SHLWAPI.DLL
API String ID: 2574300362-1962728933
Opcode ID: 1fce9783a230938123d34a771df2d9e771897002ef47b020f12f1327e121a8b2
Instruction ID: fed27306617197554a2f73ec955ba6208234ef249cfd57f541c290223bed88eb
Opcode Fuzzy Hash: 1fce9783a230938123d34a771df2d9e771897002ef47b020f12f1327e121a8b2
Instruction Fuzzy Hash: F9F04F3131565082EA569B57F9C07AA23A0B74CFC0F8C9832DB5E4BB78DB78C8958344

Function 0000000140001DCC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001DFF
GetProcAddress.KERNEL32 ref: 0000000140001E16

Strings

SHGetPropertyStoreFromParsingName, xrefs: 0000000140001E0C
shell32.dll, xrefs: 0000000140001DF8

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetPropertyStoreFromParsingName$shell32.dll
API String ID: 2574300362-1006681335
Opcode ID: d9b05ad3e55157e09f719d1eb70f3573b6e390ed23ebcb2909dd36dc982255a9
Instruction ID: 92a53c9b2c6986d392c079306b9cab9ff1ccb880d0bf9384d9deb60e5bdf1e0c
Opcode Fuzzy Hash: d9b05ad3e55157e09f719d1eb70f3573b6e390ed23ebcb2909dd36dc982255a9
Instruction Fuzzy Hash: 80011275205B8085EA02DB13F84039AA3A0BB8CFD0F984525EF9D47B38EF78C5518680

Function 0000000140001E54 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001E87
GetProcAddress.KERNEL32 ref: 0000000140001E9E

Strings

SHGetPropertyStoreFromParsingName, xrefs: 0000000140001E94
shell32.dll, xrefs: 0000000140001E80

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetPropertyStoreFromParsingName$shell32.dll
API String ID: 2574300362-1006681335
Opcode ID: e48e1507de48a4311fe272084056ca125e9c775215d8b2176caca9c43a3bb255
Instruction ID: 8bd99dd649bbacec6d3eddf30d920764205e6e430a851636932afa8aede0e0a9
Opcode Fuzzy Hash: e48e1507de48a4311fe272084056ca125e9c775215d8b2176caca9c43a3bb255
Instruction Fuzzy Hash: C1011635609B8085EA02DB13F84079AA3A0AB8CFD0F584425EF9C47B78DF78C5558680

Function 0000000140048318 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014004832C
GetProcAddress.KERNEL32 ref: 0000000140048353

Strings

GdiplusStartup, xrefs: 0000000140048349
gdiplus.dll, xrefs: 0000000140048325

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GdiplusStartup$gdiplus.dll
API String ID: 2574300362-2859723088
Opcode ID: 6b284fe02d542a2ce75dd6ef7befe24c2a921d87d8afc18bd5ca5d95d158839b
Instruction ID: 02acb70657b7ce33846d5257c67c8b078a4d2101f609615c76177b8a4c57a85b
Opcode Fuzzy Hash: 6b284fe02d542a2ce75dd6ef7befe24c2a921d87d8afc18bd5ca5d95d158839b
Instruction Fuzzy Hash: 17014F73614B4082EB668F61F4543A973E0FB5CB88F4C4629AB9D0A7A8DF7CC658C744

Function 00000001400A5040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400A5072
GetProcAddress.KERNEL32 ref: 00000001400A5089

Strings

SHCreateItemFromIDList, xrefs: 00000001400A507F
shell32.dll, xrefs: 00000001400A506B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHCreateItemFromIDList$shell32.dll
API String ID: 2574300362-1230108373
Opcode ID: b134420dda41a678cf4efad9540bf980d1ee860ab89cf5841b3a577b61b047f8
Instruction ID: 6ecaa34bf034c5b73901124b93beb4e4cad3f1f82d00e2624006f4f16cdb6e34
Opcode Fuzzy Hash: b134420dda41a678cf4efad9540bf980d1ee860ab89cf5841b3a577b61b047f8
Instruction Fuzzy Hash: C5011D34612B4081FE46D717B8547D523A0BB5CFD1F489125AB5E0BB74EF39C5918784

Function 00000001400021F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014000222A
GetProcAddress.KERNEL32 ref: 0000000140002241

Strings

SHCreateItemFromIDList, xrefs: 0000000140002237
shell32.dll, xrefs: 0000000140002223

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHCreateItemFromIDList$shell32.dll
API String ID: 2574300362-1230108373
Opcode ID: a91374056d8a68bab526b41000e1498591f4dbb3c24734d4698b5937bf57ea7d
Instruction ID: b8c87af924705db2950075d95956967bfee2869166edcb5ef87f549912d79088
Opcode Fuzzy Hash: a91374056d8a68bab526b41000e1498591f4dbb3c24734d4698b5937bf57ea7d
Instruction Fuzzy Hash: 220119B1606B8090EA46DB57B9843D962A1AB4CFD0F489025AF4D0BB79EF39C585C344

Function 0000000140001A70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001A93
GetProcAddress.KERNEL32 ref: 0000000140001ABB

Strings

IUnknown_SetSite, xrefs: 0000000140001AB1
SHLWAPI.DLL, xrefs: 0000000140001A8C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IUnknown_SetSite$SHLWAPI.DLL
API String ID: 2574300362-510016731
Opcode ID: 6064f585d60d4145410394664492ab82eb0897fb9772e554ece2b036209c83a3
Instruction ID: 4f7f00e34cd4cc156fd306960ba262de995f3fe2bfab1153746e0823def66540
Opcode Fuzzy Hash: 6064f585d60d4145410394664492ab82eb0897fb9772e554ece2b036209c83a3
Instruction Fuzzy Hash: 4AF0ECB1702F4580EE56CB57B8407E522A0EB9EFD0F5840299F1E07BB8EB38C584C201

Function 000000014007DF08 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014007DF2B
GetProcAddress.KERNEL32 ref: 000000014007DF5C

Strings

SetMenuInfo, xrefs: 000000014007DF55
USER32.DLL, xrefs: 000000014007DF24

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetMenuInfo$USER32.DLL
API String ID: 2574300362-3329878150
Opcode ID: 008186b0390a6044e1f810bfaacacc4cc893faade5d3a264c7b360f571ff4f8e
Instruction ID: 5f6b0b84dccb0aeb09d1957f944bad3ef716bc03bd599b7d862f1e7eca1dbfcc
Opcode Fuzzy Hash: 008186b0390a6044e1f810bfaacacc4cc893faade5d3a264c7b360f571ff4f8e
Instruction Fuzzy Hash: 57016270316A4495EE9B8B57B9943A963B1AB4CFC4F88846BEA4E47774EF3DC8548300

Function 000000014007E154 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014007E175
CreateSolidBrush.GDI32 ref: 000000014007E17F

Strings

, xrefs: 000000014007E15E
(, xrefs: 000000014007E1A0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: BrushColorCreateSolid
String ID: $(
API String ID: 2798526982-1539405979
Opcode ID: 8bca26f666f68ddcab24edef733aa7cbd67f7eb763f99ad5e1c9ba8bd19d0f90
Instruction ID: cc96462c3d3a73b8de1c9c82f96d7f4ec678fd16d64f8ff339f61ba97182009a
Opcode Fuzzy Hash: 8bca26f666f68ddcab24edef733aa7cbd67f7eb763f99ad5e1c9ba8bd19d0f90
Instruction Fuzzy Hash: F0F06D7231478482EB229B22F5453DDB3A1F78CB84F844129EB8D077AADF3DC5448B00

Function 0000000140001EDC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001F07
GetProcAddress.KERNEL32 ref: 0000000140001F1E

Strings

Propsys.dll, xrefs: 0000000140001F00
PSGetPropertyDescription, xrefs: 0000000140001F14

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: PSGetPropertyDescription$Propsys.dll
API String ID: 2574300362-1499179682
Opcode ID: b89c33640890fbf125500b44bf15ad83a987c5a898db5bd3f9aff38a6f2d53d8
Instruction ID: b237bd86a10ac946d9027bf34f8adbce9966be18b6110875eac743190c2b36a3
Opcode Fuzzy Hash: b89c33640890fbf125500b44bf15ad83a987c5a898db5bd3f9aff38a6f2d53d8
Instruction Fuzzy Hash: 0FF0F470715B8191EA56DB17F8503A662A0AB8CFD0F489525AE5D47778EF3CC645C700

Function 000000014001595C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140015974
GetClassNameW.USER32 ref: 0000000140015988
lstrcmpW.KERNEL32 ref: 00000001400159A4

Strings

#32770, xrefs: 0000000140015998

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClassNameParentlstrcmp
String ID: #32770
API String ID: 3513268407-463685578
Opcode ID: 3ae7b716422dc3192f24f15b70690bc868262ec55aadb2eb93d50f21e9092d4c
Instruction ID: e288a9f42ec0ff8e3952b93c68f4a1e9c458a99ced97bda2198b7ac34596bf18
Opcode Fuzzy Hash: 3ae7b716422dc3192f24f15b70690bc868262ec55aadb2eb93d50f21e9092d4c
Instruction Fuzzy Hash: EFF03071321A45C6EB519B62E89539923A0F74CBC9F941029DB4E8F274DE39C508C740

Function 0000000140105B58 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140105B83
GetProcAddress.KERNEL32 ref: 0000000140105B9F

Strings

SetWindowTheme, xrefs: 0000000140105B95
UxTheme.dll, xrefs: 0000000140105B7C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetWindowTheme$UxTheme.dll
API String ID: 2574300362-2822173195
Opcode ID: 6e0da49aacfabf357029b364a9a1c58496de4a0e89ac07912c19dfa8c451e8b4
Instruction ID: 0731938fe58207dfb6702455b0e71ea80bed2a645dcd5936e3ac2dc96702abd7
Opcode Fuzzy Hash: 6e0da49aacfabf357029b364a9a1c58496de4a0e89ac07912c19dfa8c451e8b4
Instruction Fuzzy Hash: 13F01274711B8081EA5ADB53B99439673A0AB4DFD0F884465AE4E0BB78EF38C5858300

Function 0000000140001F48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001F6B
GetProcAddress.KERNEL32 ref: 0000000140001F8E

Strings

PSGetPropertyKeyFromName, xrefs: 0000000140001F87
Propsys.dll, xrefs: 0000000140001F64

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: PSGetPropertyKeyFromName$Propsys.dll
API String ID: 2574300362-403519385
Opcode ID: 25b940713112fac3b88c0b771f008fda2f6caf4df98c123291784805e4f36daa
Instruction ID: 850ba38c66e9a2e065ece50cc029bf3dd29729e01e27b5fb1390d41547a6979d
Opcode Fuzzy Hash: 25b940713112fac3b88c0b771f008fda2f6caf4df98c123291784805e4f36daa
Instruction Fuzzy Hash: A1F0B2B0616A0584EE96DB17FD953A562A1AB8CFC0F984425EA5D4B374EF3DC498C700

Function 0000000140001FB4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001FD7
GetProcAddress.KERNEL32 ref: 0000000140001FFA

Strings

Propsys.dll, xrefs: 0000000140001FD0
PSGetNameFromPropertyKey, xrefs: 0000000140001FF3

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: PSGetNameFromPropertyKey$Propsys.dll
API String ID: 2574300362-1696488721
Opcode ID: a4f35da2b8e56bff98c90dbeb5046eba8ac5fdfa696bfe1025a91a155028939b
Instruction ID: c995b99de344829539e21ee43e355361e437aa4a999d7b7e50af07b7260cbd82
Opcode Fuzzy Hash: a4f35da2b8e56bff98c90dbeb5046eba8ac5fdfa696bfe1025a91a155028939b
Instruction Fuzzy Hash: 7AF0B270206B4184FE9ADB57FD907A462A1AB9CFC0F584425EA0D8B374EF39C598C780

Function 0000000140048424 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,00000001400487F1), ref: 000000014004843C
GlobalUnlock.KERNEL32 ref: 0000000140048460
GlobalFree.KERNEL32 ref: 000000014004846A

Strings

GdipDisposeImage, xrefs: 0000000140048435

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Global$AddressFreeProcUnlock
String ID: GdipDisposeImage
API String ID: 1533353642-3565980357
Opcode ID: a4abbf6f368b430c10a21c962181fb2737ca6e8b6dafcfd9994dcd65e6a59665
Instruction ID: d88b59f72e536f6f0b794206abc0cba7b427f7b5d53eb3b9d58d43c7f53d9297
Opcode Fuzzy Hash: a4abbf6f368b430c10a21c962181fb2737ca6e8b6dafcfd9994dcd65e6a59665
Instruction Fuzzy Hash: D3F0F47521264085FF569FB2D45536C2360EB9CF84F0D44258F090F264CF39C894C394

Function 00000001400A4E30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,00000000,00000001401043E4), ref: 00000001400A4E53
GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,00000001401043E4), ref: 00000001400A4E6A

Strings

SHGetIDListFromObject, xrefs: 00000001400A4E60
shell32.dll, xrefs: 00000001400A4E4C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetIDListFromObject$shell32.dll
API String ID: 2574300362-2712335180
Opcode ID: 40dbb2ef79c6063c65a361d138461b082569a00b6a2db35aa8723f8983a01e3f
Instruction ID: 7db5ddfbe598e7274f233d8515b14e81639b748191d1b09f030b2e8b782c512c
Opcode Fuzzy Hash: 40dbb2ef79c6063c65a361d138461b082569a00b6a2db35aa8723f8983a01e3f
Instruction Fuzzy Hash: 39F01534712B4090EE56DB27F9843E562A1BBACFD4F4891249A1E4BB74EF78C4D48700

Function 00000001400EB2A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400EB2BF
GetProcAddress.KERNEL32 ref: 00000001400EB2DB

Strings

user32.dll, xrefs: 00000001400EB2B8
SetProcessDPIAware, xrefs: 00000001400EB2D1

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetProcessDPIAware$user32.dll
API String ID: 2574300362-1137607222
Opcode ID: 5b6d96cb6dbb1e847212dc029c4e773adc48d9993dbcc8fe46d1e707afd9163d
Instruction ID: 493432112d8da6590dd3b1c40e2d49a572422a9c4a2a5c2a3ae0f7300becff1c
Opcode Fuzzy Hash: 5b6d96cb6dbb1e847212dc029c4e773adc48d9993dbcc8fe46d1e707afd9163d
Instruction Fuzzy Hash: 34E0EE30303B0090FE5B9B63AC603A922A0AF0DB94F88082C8B0D173B0EF39CA448280

Function 0000000140102A7C Relevance: 6.2, APIs: 4, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4be9195cc77cef775c8262ad6f01d72f4586bf9be56751ae816e588f1db10a
Instruction ID: 8b70a3cb79fed4f23f4ea39d58610363a57c493864a3569b9f248fe61172f74f
Opcode Fuzzy Hash: 1c4be9195cc77cef775c8262ad6f01d72f4586bf9be56751ae816e588f1db10a
Instruction Fuzzy Hash: 45719E7130554055FA66EB63A8203EA6252AB9CFC4F48442AFF4E4BBF6EE78C945D700

Function 0000000140115610 Relevance: 6.2, APIs: 4, Instructions: 151comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,0000000140115B26), ref: 000000014011565B
#190.SHELL32(?,?,?,?,?,?,?,?,?,?,?,0000000140115B26), ref: 00000001401156E8
#4.SHELL32(?,?,?,?,?,?,?,?,?,?,?,0000000140115B26), ref: 0000000140115723
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140115B26), ref: 0000000140115792

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: #190CreateInstancelstrlen
String ID:
API String ID: 3519823768-0
Opcode ID: d3aeede6cfb267e8cdacd3fe1e1a9851ceeea0070934e8b6aec0a834bf095e89
Instruction ID: 4031ad1388f9cacfce5f3d757dc68f381943deca6c9ae25810f0c5bb8013c0af
Opcode Fuzzy Hash: d3aeede6cfb267e8cdacd3fe1e1a9851ceeea0070934e8b6aec0a834bf095e89
Instruction Fuzzy Hash: 8B613636300A80C6EB55AF2AD89139D7761F789FA4F548225EB2E8B7E4DF39C845C700

Function 0000000140015064 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

#7.OLEAUT32 ref: 0000000140015142
#6.OLEAUT32 ref: 000000014001518B

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ceb622f80d42db67fe6a6f522834c050ab0093bd0d86a59864c8b844b44a3a
Instruction ID: e724c0a393fb44e7d7fe32b0fe0895aa892e40907ff70938ef366399635737c4
Opcode Fuzzy Hash: 51ceb622f80d42db67fe6a6f522834c050ab0093bd0d86a59864c8b844b44a3a
Instruction Fuzzy Hash: 57518036314B4192EB66AF26E4507AE63A0F78DBD5F444229FB4A4FBA4DF3DC5048B40

Function 0000000140017DA4 Relevance: 6.1, APIs: 4, Instructions: 121windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32 ref: 0000000140017EB9
GetDlgItem.USER32 ref: 0000000140017EDD
SendMessageW.USER32 ref: 0000000140017F48

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: CallItemMessageProcSendWindow
String ID:
API String ID: 2540570209-0
Opcode ID: 84c870a64cba01f113ea922496bd8dab1d48acb80a32e4bec21fc688e076341b
Instruction ID: 6dd89c7723f76ef318bc3c75d1af482074e668c1e4c967f1e30e1c19cb29e322
Opcode Fuzzy Hash: 84c870a64cba01f113ea922496bd8dab1d48acb80a32e4bec21fc688e076341b
Instruction Fuzzy Hash: 5A51083260169482EA66DA1BD584BED63F1E38CFC4F244456FB4D0BBA8CB76C882C740

Function 000000014001BAE4 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014001BBE0
GetClientRect.USER32 ref: 000000014001BBEF
CreateAcceleratorTableW.USER32 ref: 000000014001BC17
GetParent.USER32 ref: 000000014001BC42

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ClientRect$AcceleratorCreateParentTable
String ID:
API String ID: 2716292469-0
Opcode ID: dde6dacba9a0fd88c2da3e85faeaa71228a4c03b5a5a80f5f4903a9e7cbb60fb
Instruction ID: e9e3a129fd05a8c3afb600424b66cc8f3f5fc5f14f7970f0e15b79112e3d724d
Opcode Fuzzy Hash: dde6dacba9a0fd88c2da3e85faeaa71228a4c03b5a5a80f5f4903a9e7cbb60fb
Instruction Fuzzy Hash: 94412C32204E4582DB62CF26E59079DB3A1F788BD4F494112EB9A8BB74DF7AC485C740

Function 000000014000B690 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000B6F0
SendMessageW.USER32 ref: 000000014000B704
GetDlgItem.USER32 ref: 000000014000B72A
SendMessageW.USER32 ref: 000000014000B740

Part of subcall function 0000000140007AEC: GetDlgItem.USER32 ref: 0000000140007B00
Part of subcall function 0000000140007AEC: GetDlgItem.USER32 ref: 0000000140007B24
Part of subcall function 0000000140007AEC: SetWindowTextW.USER32 ref: 0000000140007B30
Part of subcall function 0000000140007AEC: SetWindowTextW.USER32 ref: 0000000140007B7B
Part of subcall function 0000000140007AEC: SetDlgItemTextW.USER32 ref: 0000000140007BC9

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Item$Text$MessageSendWindow
String ID:
API String ID: 3469960932-0
Opcode ID: ec640232d88d5050cf1fe10705205ef973f39af6ea08bf42701aadeb61a1a83d
Instruction ID: 7f9063c28b5efc1fc8df8eeef4a294ff768a32359aff3d785d8a53f0f37903ad
Opcode Fuzzy Hash: ec640232d88d5050cf1fe10705205ef973f39af6ea08bf42701aadeb61a1a83d
Instruction Fuzzy Hash: 32416272315A8182EA62DB26E8513D973A0F7CDBE4F584221EB6D47BE5DF3CC9418B40

Function 00000001401024F8 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140102554
SendMessageW.USER32 ref: 000000014010256D
SendMessageW.USER32 ref: 00000001401025AD
SendMessageW.USER32 ref: 0000000140102620

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e9c618750f7e9578091f6e8aa6e7481c5c0fc8e068f3fb0e563ea0cbc207b183
Instruction ID: 4d5a6ef5ac5062a46ac362863f6712f742d6aee19744449d42b04f9158f65dc6
Opcode Fuzzy Hash: e9c618750f7e9578091f6e8aa6e7481c5c0fc8e068f3fb0e563ea0cbc207b183
Instruction Fuzzy Hash: B3313C32214B9586EB65CF62E800BCAB3A5F789F94F588026EF8D07B58CF39C545CB40

Function 000000014000998C Relevance: 6.1, APIs: 4, Instructions: 79stringCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00000001400099C9
lstrlenW.KERNEL32 ref: 00000001400099ED
LoadStringW.USER32 ref: 0000000140009A34
lstrlenW.KERNEL32 ref: 0000000140009A5D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: LoadStringlstrlen
String ID:
API String ID: 1897449643-0
Opcode ID: 457bd7444d0fc5994a8c104cdb6e2962a47c23aba82ab7f79dffde6ede849265
Instruction ID: 3cd70586c1396cff09d75043366134b9b1ed1679a98ee94d3190c10c9813ca6e
Opcode Fuzzy Hash: 457bd7444d0fc5994a8c104cdb6e2962a47c23aba82ab7f79dffde6ede849265
Instruction Fuzzy Hash: 4131717230568045EB22EB27F8983EA62A0F7CCBC8F454135EF8E87765DA38C445C780

Function 00000001400179A0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac78f750ec2e47ba6344a709ca526592b7416773e67249dee86739aa590f930
Instruction ID: 7c83a08e8cf7d5c6799400a3feae95c4bb6c90063c94fd271dd9d7610a84688e
Opcode Fuzzy Hash: bac78f750ec2e47ba6344a709ca526592b7416773e67249dee86739aa590f930
Instruction Fuzzy Hash: 0B213C32340B4182EA559F57E8407AD66F0AB8CFC0F888025AF4E8F364DE3AD9558301

Function 000000014001EC28 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014001EC45

Part of subcall function 0000000140105AD8: LoadLibraryW.KERNEL32 ref: 0000000140105B01

GetSysColor.USER32 ref: 000000014001ECC1
GetClientRect.USER32 ref: 000000014001ECFA
InflateRect.USER32 ref: 000000014001ED0D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: ColorRect$ClientInflateLibraryLoad
String ID:
API String ID: 2668497441-0
Opcode ID: ee54cd4c1953a957bb43c1b937c2af624417fde18b992d8604e50a31b5b21dc2
Instruction ID: 621d7bfdc53ed731dfeb870418368c788bc9be0a4d45be09091ebdda6881bc4a
Opcode Fuzzy Hash: ee54cd4c1953a957bb43c1b937c2af624417fde18b992d8604e50a31b5b21dc2
Instruction Fuzzy Hash: 273193322186C087E711E779E49039EB7A0F7C9760F500226F7D6879F9DA7DC9458B50

Function 0000000140020AAC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 0000000140020AF0
SetWindowPos.USER32 ref: 0000000140020B1A
SetWindowPos.USER32 ref: 0000000140020B46
SetWindowPos.USER32 ref: 0000000140020B9D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 98d8c97723451eee5fa419887b154b15311763850bf29c52930ce66418f04811
Instruction ID: 76e228422efc14ab171354e0e710eb4dd20a536a494ed9ee1e2266c35080bb6e
Opcode Fuzzy Hash: 98d8c97723451eee5fa419887b154b15311763850bf29c52930ce66418f04811
Instruction Fuzzy Hash: 72317F726146408BE761CF26E094BAEBBA0F7C8BA5F040125EB8947A68CB7CC549CF40

Function 00000001401043B4 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001401043FE
SendMessageW.USER32 ref: 0000000140104439
#18.SHELL32(?,?,?,?,?,00000001400213ED), ref: 000000014010444F
SendMessageW.USER32 ref: 000000014010446E

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 02ee0a031452a712dcc5a9b6ccb9cc4f5df80136606332f29e6b9056247e12a8
Instruction ID: f4b5b43e1dbcac641fd52aed1dc90abb487d34aedc2016f7dd9dbe00a17d074d
Opcode Fuzzy Hash: 02ee0a031452a712dcc5a9b6ccb9cc4f5df80136606332f29e6b9056247e12a8
Instruction Fuzzy Hash: 64214FB6304A5182E761CF23E8847DA7360F78CF84F5881219B898BB65CF39C986C740

Function 00000001400AA5FC Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00000001400AA670
lstrlenW.KERNEL32 ref: 00000001400AA67B
GetShortPathNameW.KERNEL32 ref: 00000001400AA6AF
lstrlenW.KERNEL32 ref: 00000001400AA6BE

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Namelstrlen$FileModulePathShort
String ID:
API String ID: 2246708160-0
Opcode ID: c318728a733613225711cf00beb3823aa52db8ec8305aeff91280bd55fce9e73
Instruction ID: 9d750c61145206b6431f2e875ec00702626ddf6a83599796569612e2fd9313bb
Opcode Fuzzy Hash: c318728a733613225711cf00beb3823aa52db8ec8305aeff91280bd55fce9e73
Instruction Fuzzy Hash: 45216D71318A8082EB21DB12E9843DA63A0F78DBD4F444225EB9D47BB9DF3DC4458B40

Function 00000001400084DC Relevance: 6.1, APIs: 4, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140008513
lstrlenW.KERNEL32 ref: 0000000140008565
lstrcpyW.KERNEL32 ref: 000000014000857C
SetWindowTextW.USER32 ref: 0000000140008596

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$TextWindowlstrcpy
String ID:
API String ID: 3464547807-0
Opcode ID: db62b39b4671f13d4572fde29e556102d66c5e290e4090359d6da12b4e4a19fc
Instruction ID: c0fc1cc7a5d8f3d75b9a2797b5c5bd133a69d83c8b481480aec860af552f8b6a
Opcode Fuzzy Hash: db62b39b4671f13d4572fde29e556102d66c5e290e4090359d6da12b4e4a19fc
Instruction Fuzzy Hash: A1112B71205A4081EA25DB26B9543A96761FB8CFE5F044724AFAA0B7F9DF39C442C740

Function 0000000140024E2C Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140024E4B
SendMessageW.USER32 ref: 0000000140024E69
SendMessageW.USER32 ref: 0000000140024E86
SendMessageW.USER32 ref: 0000000140024EB6

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5e0b2b3ef8a332cd8a7ab54ce314edbc5ef82c1d537879b0ecb036aee84a5ce1
Instruction ID: fb0259056f7ffb6e2bebaff3f708ff68a1dbf888c46a5553fee308fd95b503aa
Opcode Fuzzy Hash: 5e0b2b3ef8a332cd8a7ab54ce314edbc5ef82c1d537879b0ecb036aee84a5ce1
Instruction Fuzzy Hash: 31015E3230068082FB958B76E854BEA3311E7CCFD9F599031AF154BEA5CE38C8868700

Function 0000000140025018 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140020420: SetLastError.KERNEL32 ref: 000000014002044D

Part of subcall function 0000000140024A78: SetParent.USER32 ref: 0000000140024AE9
Part of subcall function 0000000140024A78: CreateWindowExW.USER32 ref: 0000000140024B49
Part of subcall function 0000000140024A78: SendMessageW.USER32 ref: 0000000140024B6B
Part of subcall function 0000000140024A78: SendMessageW.USER32 ref: 0000000140024B80
Part of subcall function 0000000140024A78: SHGetSpecialFolderLocation.SHELL32 ref: 0000000140024BE4

GetWindowLongW.USER32 ref: 0000000140025053
SetWindowLongW.USER32 ref: 000000014002506F
GetWindowLongW.USER32 ref: 000000014002507E
SetWindowLongW.USER32 ref: 000000014002509C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Window$Long$MessageSend$CreateErrorFolderLastLocationParentSpecial
String ID:
API String ID: 127071798-0
Opcode ID: 31d0594e58dac9dbcf91257bd07bd6adf73933fdf4610d401216bfd29f03893a
Instruction ID: e840238b4ca7c3278d7244374dd0ad3c6c885b7f1ffa2557ae340cb135501bd2
Opcode Fuzzy Hash: 31d0594e58dac9dbcf91257bd07bd6adf73933fdf4610d401216bfd29f03893a
Instruction Fuzzy Hash: 6C017125310A5082E7619B37E840B9DA261EBCDBE4F584215EF9987BB9DF35C8408A50

Function 00000001400FE8E0 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400FE8FF
SendMessageW.USER32 ref: 00000001400FE920
#21.SHELL32 ref: 00000001400FE932
SendMessageW.USER32 ref: 00000001400FE94E

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c7720ca7e7c40b996d3996fa9c523e65bfa02980a4f1ce7d30cdc8fcfbe39b0b
Instruction ID: 1753b21ec4ce3c16ece94459741227543a9f819e30e0fd13699a7feb37fece1f
Opcode Fuzzy Hash: c7720ca7e7c40b996d3996fa9c523e65bfa02980a4f1ce7d30cdc8fcfbe39b0b
Instruction Fuzzy Hash: 75014032308A8482EB618B66F45479AA360E78CFD8F188011AF8D47B68DE79C585DB10

Function 0000000140009DC0 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140009DD6
SendMessageW.USER32 ref: 0000000140009DED
GetClientRect.USER32 ref: 0000000140009E17
FillRect.USER32 ref: 0000000140009E2A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Rect$ClientFillMessageParentSend
String ID:
API String ID: 425900729-0
Opcode ID: 246426f802778b43361a10255a9cf130cc92d45c8979f8c2c2d7b2e69a4a35bd
Instruction ID: 65746bd96716ed5646d9c75bf0e47ac62e73171429ad31b6a0f415f318d6a1f8
Opcode Fuzzy Hash: 246426f802778b43361a10255a9cf130cc92d45c8979f8c2c2d7b2e69a4a35bd
Instruction Fuzzy Hash: 8801DA76604B8486DB518F26F44439AB7A0F78CBC5F188526EB8D47B28DF39C545CB40

Function 0000000140001AE8 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32 ref: 0000000140001B02
GlobalLock.KERNEL32 ref: 0000000140001B0E
GlobalAlloc.KERNEL32 ref: 0000000140001B1C
GlobalUnlock.KERNEL32 ref: 0000000140001B36

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: Global$AllocLockSizeUnlock
String ID:
API String ID: 2086698462-0
Opcode ID: 09c52875e877b2a5fc08a8396cdfbcce9c071e6894155dc83de6b17818f59550
Instruction ID: d4e86e2ec7734a2390b9ac896b665349f28d54d72912de68fa70092b4f6f7785
Opcode Fuzzy Hash: 09c52875e877b2a5fc08a8396cdfbcce9c071e6894155dc83de6b17818f59550
Instruction Fuzzy Hash: C3F0F475705B9485DA459B63B94439A67A1F78DFD0F4C8434EF4A4BB29DE3CC0418740

Function 000000014002049C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Edit Path ;), xrefs: 00000001400204E8
0, xrefs: 00000001400204D0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide
String ID: 0$Edit Path ;)
API String ID: 477651035-1818000224
Opcode ID: 8f265c33bc38ae585d8ce734efa95eedfd7aa536a2d69f8a7b000e511b4f5191
Instruction ID: 92e8f7f46945e047ba99f33e5a88af4d362af239cfe9d9597c6b8eead95aa8c0
Opcode Fuzzy Hash: 8f265c33bc38ae585d8ce734efa95eedfd7aa536a2d69f8a7b000e511b4f5191
Instruction Fuzzy Hash: E7515271204A4081EA52DB2AE4943EA7361FB89BF4F544316BB7D476F6DF78C841C740

Function 0000000140002AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 0000000140002B5B
GetFocus.USER32 ref: 0000000140002B64

Strings

DirectUIHWND, xrefs: 0000000140002B4D

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: FindFocusWindow
String ID: DirectUIHWND
API String ID: 3177014434-3768200426
Opcode ID: af27027bf0b43742ae8a5b907855fffb2ff0bb26dd53e08ee966ba0d9613169e
Instruction ID: a4c3607e550bbc57b8f385f4c7907111bbb0e25a870caa10011de1781df032b7
Opcode Fuzzy Hash: af27027bf0b43742ae8a5b907855fffb2ff0bb26dd53e08ee966ba0d9613169e
Instruction Fuzzy Hash: C1310AB2314A4082EB15CF26E44439EB3A0F78DFD4F654922EB5D97AB4DF79C8848701

Function 00000001401065FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

GetActiveWindow.USER32 ref: 0000000140106632
MessageBoxW.USER32 ref: 0000000140106644

Strings

string, xrefs: 000000014010661C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen$ActiveByteCharMessageMultiWideWindow
String ID: string
API String ID: 3708002346-2663297705
Opcode ID: d3b270f3d0d7c18b11d2ecafb63ddc10f939fbd971c88585d1cd80db10c6d421
Instruction ID: 0ef7e9c8ebfd1eb91094341b16459a694a545800eb2eece76a6eb6012339b009
Opcode Fuzzy Hash: d3b270f3d0d7c18b11d2ecafb63ddc10f939fbd971c88585d1cd80db10c6d421
Instruction Fuzzy Hash: 17111CB2311A4082EA51CB6FE8513997761FB89FF4F184315ABB9477F5DE79C4418700

Function 000000014001D4CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001D560
SendMessageW.USER32 ref: 000000014001D57F

Strings

0, xrefs: 000000014001D546

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: MessageSend
String ID: 0
API String ID: 3850602802-4108050209
Opcode ID: 2cd662d7ebf6fac9ccfca7c5517019c1845b6673797ba0c1b39958fbc234c6cb
Instruction ID: 0edbeefc919d7124638846e930830738506a7f8c3ec3b61a7e0fdb640a844e4a
Opcode Fuzzy Hash: 2cd662d7ebf6fac9ccfca7c5517019c1845b6673797ba0c1b39958fbc234c6cb
Instruction Fuzzy Hash: 9F113A722096C486E722CB52E4543DAB7A1E7DDB99F484115EB880BB99CB7DC545CF00

Function 000000014001CF14 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 000000014001CF95

Part of subcall function 000000014005D980: GetUserDefaultLangID.KERNEL32 ref: 000000014005D99F
Part of subcall function 000000014005D980: GetUserDefaultLangID.KERNEL32 ref: 000000014005D9B0

Part of subcall function 00000001400860D4: GetModuleFileNameW.KERNEL32 ref: 000000014008613E

Part of subcall function 0000000140085724: GetPrivateProfileIntW.KERNEL32 ref: 0000000140085755
Part of subcall function 0000000140085724: _cwprintf_s_l.LIBCMT ref: 0000000140085776

Strings

Start, xrefs: 000000014001CF83
m_lang_id, xrefs: 000000014001CF7C

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: DefaultLangUser$ActiveFileModuleNamePrivateProfileWindow_cwprintf_s_l
String ID: Start$m_lang_id
API String ID: 1238687741-533350618
Opcode ID: 2a2ea8878e430e9ac9dc71f0c97e8a5866c6441867f495c8b97fb8444bc8db48
Instruction ID: da8e90e005fe7cf686c9a8fcfee6dc250aeb8000f82de581d6aac4fa5f71f0f5
Opcode Fuzzy Hash: 2a2ea8878e430e9ac9dc71f0c97e8a5866c6441867f495c8b97fb8444bc8db48
Instruction Fuzzy Hash: 6D217C76225A8086EB21DF16F8447D973A0F78DBA4F540319A7584B6F5CB39C509CB40

Function 000000014007E7A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49stringwindowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 000000014007E82D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000D4EE), ref: 000000014007E83E

Strings

H, xrefs: 000000014007E7F0

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: InfoItemMenulstrlen
String ID: H
API String ID: 2604594206-2852464175
Opcode ID: 3726a0771b3acb710a45699ff882f1710b767f31d2be6f0e4be57d88078e9e2a
Instruction ID: 0202e2bed6aeba79b1ae7b68283dc396e02056d69b16cd482c4d7361eb1521e2
Opcode Fuzzy Hash: 3726a0771b3acb710a45699ff882f1710b767f31d2be6f0e4be57d88078e9e2a
Instruction Fuzzy Hash: 3311907631468086E761EF16E444B9E7764F788BD4F108224EB9E077A4CF7EC85ACB40

Function 0000000140048780 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140048424: GetProcAddress.KERNEL32(?,?,?,00000001400487F1), ref: 000000014004843C
Part of subcall function 0000000140048424: GlobalUnlock.KERNEL32 ref: 0000000140048460
Part of subcall function 0000000140048424: GlobalFree.KERNEL32 ref: 000000014004846A

GetProcAddress.KERNEL32 ref: 00000001400487A5
FreeLibrary.KERNEL32 ref: 00000001400487BE

Strings

GdiplusShutdown, xrefs: 000000014004879E

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: AddressFreeGlobalProc$LibraryUnlock
String ID: GdiplusShutdown
API String ID: 2219017130-872607806
Opcode ID: 3833d9bc5ee760caa3d62aa1db2a19e64992e11c6dffeff9801e85034df3e130
Instruction ID: 8548f661922bd977077a650ae9b9472497a7d73ec19d0179ce9b85231c86a647
Opcode Fuzzy Hash: 3833d9bc5ee760caa3d62aa1db2a19e64992e11c6dffeff9801e85034df3e130
Instruction Fuzzy Hash: 37F03932601A0182EB669B76C4943AC23A0EB8CF8CF090821DF194B2A4CF79C9948345

Function 00000001400C6728 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000001400C8043), ref: 00000001400C6731
lstrcatW.KERNEL32(?,?,?,00000001400C8043), ref: 00000001400C674C

Strings

\, xrefs: 00000001400C673A

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrcatlstrlen
String ID: \
API String ID: 1475610065-2967466578
Opcode ID: a7dd1163c1630c191c56c47ffac60cb70d2431cff589c3d32520aff1fd3ab87d
Instruction ID: ecf6c7978da347110ad2b5e241d0ebec3c100959b16b9d2e41529072d50f2383
Opcode Fuzzy Hash: a7dd1163c1630c191c56c47ffac60cb70d2431cff589c3d32520aff1fd3ab87d
Instruction Fuzzy Hash: 28D09E6061671481EB296BA7684979413B1AB5CBCAF4854248B170B274DA7980D98240

Function 000000014000346C Relevance: 5.2, APIs: 4, Instructions: 189stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014000349C
lstrlenW.KERNEL32 ref: 00000001400034BB
lstrlenW.KERNEL32 ref: 0000000140003518
lstrlenW.KERNEL32 ref: 00000001400036A1

Memory Dump Source

Source File: 00000008.00000002.3107959397.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.3107933158.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108131459.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108249371.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108324519.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.3108372149.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_lvHost_v4.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 2c91adfc4207df4da6370e711a4044172966fa88e970d98e7d5bd1eec2555210
Instruction ID: 831c3a05420aad9251ac649fad6c53a27428b546b4ada271ac814e6292017296
Opcode Fuzzy Hash: 2c91adfc4207df4da6370e711a4044172966fa88e970d98e7d5bd1eec2555210
Instruction Fuzzy Hash: 88619172301A449ADE26DF67E9443E9A7A5F78CBC8F488521AB4A8B7B5DE3DC045C700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vV5EOx0ipU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5a28ba07

C:\Users\user\AppData\Local\Temp\7066ed96

C:\Users\user\AppData\Local\Temp\77fafd11

C:\Users\user\AppData\Local\Temp\WebUI.dll

C:\Users\user\AppData\Local\Temp\bulk.iso

C:\Users\user\AppData\Local\Temp\iScrPaint.exe

C:\Users\user\AppData\Local\Temp\lough.log

C:\Users\user\AppData\Local\Temp\lvHost_v4.exe

C:\Users\user\AppData\Local\Temp\ondkpifasfpiuy

C:\Users\user\AppData\Local\Temp\seukanjejhxc

C:\Users\user\AppData\Local\Temp\xgxgnfo

C:\Users\user\AppData\Roaming\bgsystem_test\WebUI.dll

C:\Users\user\AppData\Roaming\bgsystem_test\bulk.iso

C:\Users\user\AppData\Roaming\bgsystem_test\iScrPaint.exe

C:\Users\user\AppData\Roaming\bgsystem_test\lough.log

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
vV5EOx0ipU.exe

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre