Edit tour

Windows Analysis Report
Scanned-IMGS_from NomanGroup IDT.scr.exe

Overview

General Information

Sample name:	Scanned-IMGS_from NomanGroup IDT.scr.exe
Analysis ID:	1590590
MD5:	17cbb82b7db7a77df6507dd32af10563
SHA1:	816fc79a0d8dc1ea493779e01f21f99c00a9229d
SHA256:	744a3efa374159a40ea07cf1c6a295f40fef90685421d20ceda619847dbe6165
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Scanned-IMGS_from NomanGroup IDT.scr.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe" MD5: 17CBB82B7DB7A77DF6507DD32AF10563)

svchost.exe (PID: 5692 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2182879514.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2182571976.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine|base64offset|contains: 6j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, ParentProcessId: 7160, ParentProcessName: Scanned-IMGS_from NomanGroup IDT.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ProcessId: 5692, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine|base64offset|contains: 6j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, ParentProcessId: 7160, ParentProcessName: Scanned-IMGS_from NomanGroup IDT.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ProcessId: 5692, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Virustotal: Detection: 36%			Perma Link
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2182879514.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2182571976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Joe Sandbox ML: detected

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2109640923.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2110597235.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2182912669.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2182912669.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2144165233.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150036430.0000000003A00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2109640923.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2110597235.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2182912669.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2182912669.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2144165233.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150036430.0000000003A00000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0056C2A2 FindFirstFileExW,	0_2_0056C2A2
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A68EE FindFirstFileW,FindClose,	0_2_005A68EE
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_005A698F
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0059D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0059D076
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0059D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0059D3A9
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005A9642
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005A979D
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_005A9B2B
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0059DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0059DBBE
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_005A5C97

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_005ACE44

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005AEAFF

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005AED6A

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

0_2_005AEAFF

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_0059AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0059AA57

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005C9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2182879514.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2182571976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000000.2101093183.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8527c43b-c
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000000.2101093183.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a40e07e5-3
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1a90e220-a
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3b2797dd-9

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C613 NtClose,	2_2_0042C613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A903 NtCreateFile,	2_2_0040A903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,	2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74340 NtSetContextThread,	2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74650 NtSuspendThread,	2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BE0 NtQueryValueKey,	2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,	2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B80 NtQueryInformationFile,	2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BA0 NtEnumerateValueKey,	2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AD0 NtReadFile,	2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AF0 NtWriteFile,	2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AB0 NtWaitForSingleObject,	2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FE0 NtCreateFile,	2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F90 NtProtectVirtualMemory,	2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FA0 NtQuerySection,	2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FB0 NtResumeThread,	2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F60 NtCreateProcessEx,	2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F30 NtCreateSection,	2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EE0 NtQueueApcThread,	2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E80 NtReadVirtualMemory,	2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,	2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E30 NtWriteVirtualMemory,	2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DD0 NtDelayExecution,	2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DB0 NtEnumerateKey,	2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D00 NtSetInformationFile,	2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D10 NtMapViewOfSection,	2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D30 NtUnmapViewOfSection,	2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CC0 NtQueryVirtualMemory,	2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CF0 NtOpenProcess,	2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CA0 NtQueryInformationToken,	2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C60 NtCreateKey,	2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C70 NtFreeVirtualMemory,	2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C00 NtQueryInformationProcess,	2_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73090 NtSetValueKey,	2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73010 NtOpenDirectoryObject,	2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C739B0 NtGetContextThread,	2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D70 NtOpenThread,	2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D10 NtOpenProcessToken,	2_2_03C73D10

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_0059D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0059D5EB

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_00591201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00591201

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_0059E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0059E8F6

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A2046	0_2_005A2046
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00538060	0_2_00538060
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00598298	0_2_00598298
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0056E4FF	0_2_0056E4FF
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0056676B	0_2_0056676B
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005C4873	0_2_005C4873
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0053CAF0	0_2_0053CAF0
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0055CAA0	0_2_0055CAA0
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0054CC39	0_2_0054CC39
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00566DD9	0_2_00566DD9
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0054B119	0_2_0054B119
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005391C0	0_2_005391C0
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00551394	0_2_00551394
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0055781B	0_2_0055781B
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0054997D	0_2_0054997D
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00537920	0_2_00537920
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00557A4A	0_2_00557A4A
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00557CA7	0_2_00557CA7
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005BBE44	0_2_005BBE44
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00569EEE	0_2_00569EEE
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0053BF40	0_2_0053BF40
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_01033B48	0_2_01033B48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410093	2_2_00410093
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E10B	2_2_0040E10B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E113	2_2_0040E113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402250	2_2_00402250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401210	2_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023F0	2_2_004023F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EC23	2_2_0042EC23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE6A	2_2_0040FE6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402670	2_2_00402670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE73	2_2_0040FE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167DE	2_2_004167DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167E3	2_2_004167E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D003E6	2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC02C0	2_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF81CC	2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF41A2	2_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D001AA	2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30100	2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64750	2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C6E0	2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D00591	2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEE4F6	2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF2446	2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4420	2_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF6BD7	2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0A9A6	2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E8F0	2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C268B8	2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4A840	2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4CFE0	2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBEFA0	2_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4F40	2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C82F28	2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60F30	2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE2F30	2_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEEDB	2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52E90	2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFCE93	2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40E59	2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEE26	2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3ADE0	2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C58DBF	2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4AD00	2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDCD1F	2_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30CF2	2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0CB5	2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40C00	2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7516C	2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B16B	2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF0CC	2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF70E9	2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF0E0	2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF7B0	2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85630	2_2_03C85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D095C3	2_2_03D095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDD5B0	2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7571	2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31460	2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF43F	2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB5BF0	2_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7DBF9	2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FB80	2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFB76	2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEDAC6	2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDDAAC	2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85AA0	2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE1AA3	2_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFA49	2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7A46	2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB3A6C	2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49950	2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B950	2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD5910	2_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C438E0	2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD800	2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C03FD2	2_2_03C03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C03FD5	2_2_03C03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41F92	2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFFB1	2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFF09	2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49EB0	2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FDC0	2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43D40	2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF1D5A	2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7D73	2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFCF2	2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB9C32	2_2_03CB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: String function: 00550A30 appears 46 times
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: String function: 0054F9F2 appears 40 times
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: String function: 00539CB3 appears 31 times

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2111887052.0000000003BF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from NomanGroup IDT.scr.exe
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2111587185.0000000003D9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from NomanGroup IDT.scr.exe

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005A37B5 GetLastError,FormatMessageW,

0_2_005A37B5

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005910BF AdjustTokenPrivileges,CloseHandle,		0_2_005910BF
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005916C3

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005A51CD

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005BA67C

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_005A648E

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005342A2

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

File created: C:\Users\user\AppData\Local\Temp\peaks

Jump to behavior

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Virustotal: Detection: 36%
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Section loaded: wldp.dll	Jump to behavior

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Static file information: File size 1613824 > 1048576

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2109640923.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2110597235.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2182912669.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2182912669.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2144165233.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150036430.0000000003A00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2109640923.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.2110597235.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2182912669.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2182912669.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2144165233.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2150036430.0000000003A00000.00000004.00000020.00020000.00000000.sdmp

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00550A76 push ecx; ret	0_2_00550A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E80C push edx; iretw	2_2_0041E831
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D0FD push edx; retf	2_2_0040D121
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E898 push edx; iretw	2_2_0041E831
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411953 push FFFFFFCFh; iretd	2_2_00411974
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004031A0 push eax; ret	2_2_004031A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040C32C push eax; iretd	2_2_0040C32E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413B33 push ebp; retf	2_2_00413B4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D3EA push ebp; ret	2_2_0040D3EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413BF6 push cs; iretd	2_2_00413BF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401DE2 push eax; retf	2_2_00401DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A6D5 push eax; retf	2_2_0041A6DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404EBD push edi; ret	2_2_00404EF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404F00 push edi; ret	2_2_00404EF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D7EB push es; iretd	2_2_0040D7F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0225F pushad ; ret	2_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C027FA pushad ; ret	2_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0283D push eax; iretd	2_2_03C02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C01368 push eax; iretd	2_2_03C01369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C01065 push edi; ret	2_2_03C0108A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C018F3 push edx; iretd	2_2_03C01906

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0054F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0054F98E
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005C1C41

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96669

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

API/Special instruction interceptor: Address: 103376C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00416628 rdtsc

2_2_00416628

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	API coverage: 3.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5936

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0056C2A2 FindFirstFileExW,	0_2_0056C2A2
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A68EE FindFirstFileW,FindClose,	0_2_005A68EE
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_005A698F
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0059D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0059D076
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0059D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0059D3A9
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005A9642
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005A979D
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_005A9B2B
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0059DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0059DBBE
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_005A5C97

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00416628 rdtsc

2_2_00416628

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417733 LdrLoadDll,

2_2_00417733

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005AEAA2 BlockInput,

0_2_005AEAA2

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_00562622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00562622

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00554CE8 mov eax, dword ptr fs:[00000030h]	0_2_00554CE8
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_010323C8 mov eax, dword ptr fs:[00000030h]	0_2_010323C8
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_010339D8 mov eax, dword ptr fs:[00000030h]	0_2_010339D8
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_01033A38 mov eax, dword ptr fs:[00000030h]	0_2_01033A38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0634F mov eax, dword ptr fs:[00000030h]	2_2_03D0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov ecx, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D062D6 mov eax, dword ptr fs:[00000030h]	2_2_03D062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0625D mov eax, dword ptr fs:[00000030h]	2_2_03D0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]	2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]	2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]	2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]	2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]	2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]	2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]	2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]	2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]	2_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]	2_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]	2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]	2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]	2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]	2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]	2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C280A0 mov eax, dword ptr fs:[00000030h]	2_2_03C280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]	2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]	2_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]	2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]	2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]	2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]	2_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]	2_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]	2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]	2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]	2_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]	2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]	2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]	2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]	2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]	2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]	2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]	2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]	2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]	2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]	2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]	2_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]	2_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]	2_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]	2_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]	2_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]	2_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]	2_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]	2_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]	2_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]	2_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]	2_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]	2_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]	2_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]	2_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]	2_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]	2_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]	2_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28B50 mov eax, dword ptr fs:[00000030h]	2_2_03C28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04B00 mov eax, dword ptr fs:[00000030h]	2_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]	2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]	2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]	2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]	2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04940 mov eax, dword ptr fs:[00000030h]	2_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]	2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]	2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]	2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]	2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D008C0 mov eax, dword ptr fs:[00000030h]	2_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]	2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]	2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]	2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]	2_2_03CBE872

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_00590B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00590B62

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00562622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00562622
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_0055083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0055083F
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005509D5 SetUnhandledExceptionFilter,	0_2_005509D5
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_00550C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00550C21

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 316E008

Jump to behavior

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

0_2_00591201

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_00572BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00572BA5

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_0059B226 SendInput,keybd_event,

0_2_0059B226

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005B22DA

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

0_2_00590B62

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_00591663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00591663

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_00550698 cpuid

0_2_00550698

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_005A8195

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_0058D27A GetUserNameW,

0_2_0058D27A

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_0056B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0056B952

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe

Code function: 0_2_005342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005342DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2182879514.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2182571976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: WIN_81
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: WIN_XP
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: WIN_XPe
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: WIN_VISTA
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: WIN_7
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2182879514.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2182571976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_005B1204
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe	Code function: 0_2_005B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	24 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	12 Virtualization/Sandbox Evasion	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Scanned-IMGS_from NomanGroup IDT.scr.exe	36%	Virustotal		Browse
Scanned-IMGS_from NomanGroup IDT.scr.exe	32%	ReversingLabs	Win32.Dropper.Generic
Scanned-IMGS_from NomanGroup IDT.scr.exe	100%	Avira	DR/AutoIt.Gen8
Scanned-IMGS_from NomanGroup IDT.scr.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590590
Start date and time:	2025-01-14 10:18:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scanned-IMGS_from NomanGroup IDT.scr.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 44 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 2.17.190.73, 13.107.246.45
Excluded domains from analysis (whitelisted): cac-ocsp.digicert.com.edgekey.net, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e3913.cd.akamaiedge.net, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
04:19:06	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	12.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	199.232.210.172
	PRODUKTY.EXE.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.232.210.172
	2330118683179179335.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	009.vbe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	577119676170175151.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	199.232.210.172
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	3ClBcOpPUX.exe	Get hash	malicious	CyberGate	Browse	199.232.210.172

Process:	C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.995079098920299
Encrypted:	true
SSDEEP:	6144:orQn/2I9aKhtl3bxYfWuLbuWfDqv2c7pUfFKNJ0a2tjuwPAcJGn:o24UtlrIWuvuYY7yMX0a8jHPAb
MD5:	10ED5D34A0330BDC9F7848B7FBA6B7A7
SHA1:	1E5599D63A3CA6FC8D1B2981E29E39EBBACEA98B
SHA-256:	D2DC5D56A99E4D6A08B9C8457679FC58E11AD1CF810CAE48AF4B623319459E47
SHA-512:	33034D70F7A4A2BD9961B2B246C9920B69ECF5FD8BA68DD164F582FEC193F121E0AC29F116D01F4DDC051B9160F07D51FF1C01930A762419060411ACAF07ABEB
Malicious:	false
Reputation:	low
Preview:	xh...XAHB..@......X6..}[I...WDI8DM95PX52NAUXAHBMWDI8DM95PX.2NA[G.FB.^.h.E....0\An1'7&:# w'(V*"M.2=.@;/u1/h...d$W (.8]R.2NAUXAH;L^.tX#..U7..R).O..x-0.S...U7./..i8&..$4,tX#.95PX52NA..AH.LVD?.U/95PX52NA.XCIIL\DIh@M95PX52NA.LAHB]WDIX@M95.X5"NAUZAHDMWDI8DM?5PX52NAU8EHBOWDI8DM;5..52^AUHAHBMGDI(DM95PX%2NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDgL!5M5PX.}JAUHAHB.SDI(DM95PX52NAUXAHbMW$I8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.4188758028769195
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scanned-IMGS_from NomanGroup IDT.scr.exe
File size:	1'613'824 bytes
MD5:	17cbb82b7db7a77df6507dd32af10563
SHA1:	816fc79a0d8dc1ea493779e01f21f99c00a9229d
SHA256:	744a3efa374159a40ea07cf1c6a295f40fef90685421d20ceda619847dbe6165
SHA512:	0917ff1f5eca9d620e3829ccbaed79f892c85195917fc420077e5d7004fd8d5cdd71cbc2abd6a27d672f6fe98947faf6aec5a797dd5de64cb1fbe09481621747
SSDEEP:	24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aKXAwXiEoFKrQO8wkoPuGwQVZqc/ByR61UFl:2TvC/MTQYxsWR7aKfXZr0pQuAW+sr
TLSH:	1075E0027381C062FF9B92734B5AF6115BBC69660123A62F13A81DBDFD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785B72C [Tue Jan 14 01:00:28 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007EFF14B585C3h
jmp 00007EFF14B57ECFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007EFF14B580ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007EFF14B5807Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007EFF14B5AC6Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007EFF14B5ACB8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007EFF14B5ACA1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb35ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x188000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb35ec	0xb3600	591bed869cb6d434460ffbe7270704eb	False	0.963825675087108	data	7.962847579133983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x188000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xaa8b4	data			1.0003163705285822
RT_GROUP_ICON	0x18706c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1870e4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1870f8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x18710c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x187120	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1871fc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 10:19:16.440445900 CET	1.1.1.1	192.168.2.6	0x250	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 10:19:16.440445900 CET	1.1.1.1	192.168.2.6	0x250	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:18:59
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Imagebase:	0x530000
File size:	1'613'824 bytes
MD5 hash:	17CBB82B7DB7A77DF6507DD32AF10563
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:19:00
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Imagebase:	0x340000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2182879514.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2182571976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	3.6%
Total number of Nodes:	1663
Total number of Limit Nodes:	30

Executed Functions

Function 005342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0053430D

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

GetCurrentProcess.KERNEL32(?,005CCB64,00000000,?,?), ref: 00534422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00534429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00534454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00534466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00534474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0053447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005344A0

Strings

|O, xrefs: 005736F8
GetNativeSystemInfo, xrefs: 00534460
kernel32.dll, xrefs: 0053444F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 56c5cd0210817e9c6806131cb773fc3fd3aaacbd7ca189a03e499c6629f6f547
Instruction ID: 6e4666321a6d9dc7cb8878e5369272afa4703f18deaccf1cc1199efb98f74a45
Opcode Fuzzy Hash: 56c5cd0210817e9c6806131cb773fc3fd3aaacbd7ca189a03e499c6629f6f547
Instruction Fuzzy Hash: CFA1B86198A6D0DFCB1DC7697C815977FA67B37310F08BCA9D0859FA22D2305608EF61

Function 005342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005350AA,?,?,00000000,00000000), ref: 005342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005350AA,?,?,00000000,00000000), ref: 005342C9
LoadResource.KERNEL32(?,00000000,?,?,005350AA,?,?,00000000,00000000,?,?,?,?,?,?,00534F20), ref: 005735BE
SizeofResource.KERNEL32(?,00000000,?,?,005350AA,?,?,00000000,00000000,?,?,?,?,?,?,00534F20), ref: 005735D3
LockResource.KERNEL32(005350AA,?,?,005350AA,?,?,00000000,00000000,?,?,?,?,?,?,00534F20,?), ref: 005735E6

Strings

SCRIPT, xrefs: 005342BF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f522642230a2d32bfcb683955647ad1dcfdb6c135c5a68f7a210e4352d726c21
Instruction ID: 80eb459e0a8e83167533488a86a0623494ad4cc0013d0de9cd616d85b61b8363
Opcode Fuzzy Hash: f522642230a2d32bfcb683955647ad1dcfdb6c135c5a68f7a210e4352d726c21
Instruction Fuzzy Hash: 59117C78200700BFD7218BA6DC48F277FBDFBD6B51F148169F41696650DB71EC04AA20

Function 00572BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00532B6B

Part of subcall function 00533A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00601418,?,00532E7F,?,?,?,00000000), ref: 00533A78

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005F2224), ref: 00572C10
ShellExecuteW.SHELL32(00000000,?,?,005F2224), ref: 00572C17

Strings

runas, xrefs: 00572C0B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 2082fd67575021c45ea8263b104a5283d752d504a808410b050366d186e5fe8d
Instruction ID: ec8c626bde24c8af4cf7d7787e4022afcf2f4282d6479b0c06316f4b8576536a
Opcode Fuzzy Hash: 2082fd67575021c45ea8263b104a5283d752d504a808410b050366d186e5fe8d
Instruction Fuzzy Hash: 4511D3712487466AC709FF60D869DBEBFA5BBE1340F04582DF186160B2DF618A0AD712

Function 0053D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0053D807
timeGetTime.WINMM ref: 0053DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0053DB28
TranslateMessage.USER32(?), ref: 0053DB7B
DispatchMessageW.USER32(?), ref: 0053DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0053DB9F
Sleep.KERNEL32(0000000A), ref: 0053DBB1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: e0edda9f97e4ca25b29d0f8485c8758d1411c9c802109402afcc92b81bc5bb5a
Instruction ID: 2a7148632e4d29e42465a1c364175dfd9f55da337b23518ee7c22e5bdbdc94ad
Opcode Fuzzy Hash: e0edda9f97e4ca25b29d0f8485c8758d1411c9c802109402afcc92b81bc5bb5a
Instruction Fuzzy Hash: 4E42F030608642DFD728DF24D898BAABFF5FF85304F14895DE85697291D770E844CBA2

Function 00532CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00532D07
RegisterClassExW.USER32(00000030), ref: 00532D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00532D42
InitCommonControlsEx.COMCTL32(?), ref: 00532D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00532D6F
LoadIconW.USER32(000000A9), ref: 00532D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00532D94

Strings

TaskbarCreated, xrefs: 00532D37
0, xrefs: 00532CE9
AutoIt v3 GUI, xrefs: 00532D23
+, xrefs: 00532CF0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c23e687e0ef8c20bb7ee4b5e913a9b52484c5e59a6974a37a5f4a9872e0e1202
Instruction ID: a33495a5698e3009cdfa7a206c43db9bbe7f6d980a92dedd8b907cab0a16f3db
Opcode Fuzzy Hash: c23e687e0ef8c20bb7ee4b5e913a9b52484c5e59a6974a37a5f4a9872e0e1202
Instruction Fuzzy Hash: 6F21EFB5D41308AFDB00DFA4E889BDEBFB5FB09701F00911AF615AA2A0D7B105449F90

Function 0057065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0057039A: CreateFileW.KERNELBASE(00000000,00000000,?,00570704,?,?,00000000,?,00570704,00000000,0000000C), ref: 005703B7

GetLastError.KERNEL32 ref: 0057076F
__dosmaperr.LIBCMT ref: 00570776
GetFileType.KERNELBASE(00000000), ref: 00570782
GetLastError.KERNEL32 ref: 0057078C
__dosmaperr.LIBCMT ref: 00570795
CloseHandle.KERNEL32(00000000), ref: 005707B5
CloseHandle.KERNEL32(?), ref: 005708FF
GetLastError.KERNEL32 ref: 00570931
__dosmaperr.LIBCMT ref: 00570938

Strings

H, xrefs: 005708BD

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 75e33d5d781cdb9423463c3e69244e7282a7cbbaf2439210a30ddb9544787a98
Instruction ID: cd587211139cf4fbd567b8340ef2de89dfbd87174675c45b0664cad5881d6eac
Opcode Fuzzy Hash: 75e33d5d781cdb9423463c3e69244e7282a7cbbaf2439210a30ddb9544787a98
Instruction Fuzzy Hash: ABA14532A001498FDF19AF68EC55BAE3FE1FB46320F14915DF8199B2D1DB309816EB91

Function 0053344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00533A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00601418,?,00532E7F,?,?,?,00000000), ref: 00533A78

Part of subcall function 00533357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00533379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0053356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0057318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005731CE
RegCloseKey.ADVAPI32(?), ref: 00573210
_wcslen.LIBCMT ref: 00573277
_wcslen.LIBCMT ref: 00573286

Strings

\, xrefs: 0057328C
Software\AutoIt v3\AutoIt, xrefs: 00533560
\Include\, xrefs: 00533527
Include, xrefs: 00573184, 005731C5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8e39f5d0ea6f8b02d7e128af5bc184b145f8b8c80889b1692d3e1126fabebd2c
Instruction ID: 82d6f389a8f95fce620109dc07263f99f2a1ef247fee349b8e454b4570067529
Opcode Fuzzy Hash: 8e39f5d0ea6f8b02d7e128af5bc184b145f8b8c80889b1692d3e1126fabebd2c
Instruction Fuzzy Hash: 0771C3714443029EC318DF65ECA999BBFE8FFC4750F40582EF589931A1EB749A48CB51

Function 00532B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00532B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00532B9D
LoadIconW.USER32(00000063), ref: 00532BB3
LoadIconW.USER32(000000A4), ref: 00532BC5
LoadIconW.USER32(000000A2), ref: 00532BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00532BEF
RegisterClassExW.USER32(?), ref: 00532C40

Part of subcall function 00532CD4: GetSysColorBrush.USER32(0000000F), ref: 00532D07
Part of subcall function 00532CD4: RegisterClassExW.USER32(00000030), ref: 00532D31
Part of subcall function 00532CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00532D42
Part of subcall function 00532CD4: InitCommonControlsEx.COMCTL32(?), ref: 00532D5F
Part of subcall function 00532CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00532D6F
Part of subcall function 00532CD4: LoadIconW.USER32(000000A9), ref: 00532D85
Part of subcall function 00532CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00532D94

Strings

0, xrefs: 00532C0F
AutoIt v3, xrefs: 00532C2F
#, xrefs: 00532C16

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 872eef3d7e78065dee7e2e75880c20d95577fd0c7956b27b8dc1c9c341dcc80f
Instruction ID: 5003620366ac1d93d798c61d87e00b5a50d0de2c919319b430c784d91288d05a
Opcode Fuzzy Hash: 872eef3d7e78065dee7e2e75880c20d95577fd0c7956b27b8dc1c9c341dcc80f
Instruction Fuzzy Hash: C6215070E40314AFDB149F95EC45B9E7FF6FB49B50F04101AF504AA6A0D3B10A44DF90

Function 0053B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053BB4E

Strings

p#`, xrefs: 0058024F
x#`, xrefs: 00580168
x#`, xrefs: 00580207
p#`, xrefs: 0053BA72
p%`, xrefs: 0053B8DC
p#`, xrefs: 0053BB6B
p#`, xrefs: 00580263
p%`, xrefs: 0053BB32

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#`$p#`$p#`$p#`$p%`$p%`$x#`$x#`
API String ID: 1385522511-2312716534
Opcode ID: 36947f9798c441872d18272e81540ccc7061a5e153fbbcc63d57bfc6673bda21
Instruction ID: 959e273689525dc1029f72e0951c5980c08f9990f49892a39206d5008bb7bb77
Opcode Fuzzy Hash: 36947f9798c441872d18272e81540ccc7061a5e153fbbcc63d57bfc6673bda21
Instruction Fuzzy Hash: 7A32AC35A0020ADFEB24DF58C898BBABFB6FF44314F148459EE05AB291C774AD45CB91

Function 00533170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0053316A,?,?), ref: 005331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0053316A,?,?), ref: 00533204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00533227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0053316A,?,?), ref: 00533232
CreatePopupMenu.USER32 ref: 00533246
PostQuitMessage.USER32(00000000), ref: 00533267

Strings

TaskbarCreated, xrefs: 0053322D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b0c751f26d17bcdc7d4d38c6952223c1e711c0abe284fe1158b8fec36d4a63b9
Instruction ID: e5d96b379a4ee8b9cf3548cd448a21870316a23b39128dbad760457532c6d67e
Opcode Fuzzy Hash: b0c751f26d17bcdc7d4d38c6952223c1e711c0abe284fe1158b8fec36d4a63b9
Instruction Fuzzy Hash: B0413335680205AFDB281B78DC1DB7F3F5AFB46300F044129F90B8A2A1CB608E41E7A1

Function 0053DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 005832B7
D%`, xrefs: 00582FDA
D%`D%`, xrefs: 0053E27E
D%`, xrefs: 0053E4B1
D%`, xrefs: 0053E1E0
D%`, xrefs: 0058302D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: D%`$D%`$D%`$D%`$D%`D%`$Variable must be of type 'Object'.
API String ID: 0-3088036347
Opcode ID: 60c729ace4a2acda345991a0235e5e5efb14914beeee8d268b42ba28f29a41ef
Instruction ID: 3ab60b2509fd35f4bfb5a0e1ec0e90f81211962acf8f0cfeb9a8ad648e3b2c73
Opcode Fuzzy Hash: 60c729ace4a2acda345991a0235e5e5efb14914beeee8d268b42ba28f29a41ef
Instruction Fuzzy Hash: 69C28A71E00205CFCB24DF98C886AAEBBF1BF49704F248569E946AB391D375ED41CB91

Function 01032B28 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01032BF9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01032E1F

Memory Dump Source

Source File: 00000000.00000002.2114520144.0000000001030000.00000040.00000020.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: d387af026533b52c450bce24b9df3bdc4215ffc6b58abb9443aed1def711155a
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 69A13C70E00209EBDB14DF94C898BEEBBB9FF88305F208599E545BB280D7759A41CF54

Function 00532C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00532C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00532CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00531CAD,?), ref: 00532CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00531CAD,?), ref: 00532CCF

Strings

AutoIt v3, xrefs: 00532C89, 00532C8E, 00532C8F
edit, xrefs: 00532CAC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 209ec1151fddd999cb6f9000259831b6b89b71fe091bf72ab3733705c185988a
Instruction ID: db6a0c9ff9def413e1a1659b55ed85062f2ad00097ecab1f1142495c09583df3
Opcode Fuzzy Hash: 209ec1151fddd999cb6f9000259831b6b89b71fe091bf72ab3733705c185988a
Instruction Fuzzy Hash: 7DF0DA755803907FEB351717AC08E772EBEE7C7F50B00205EF904EA5A0C6B11855DAB0

Function 01032908 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010327F8: Sleep.KERNELBASE(000001F4), ref: 01032809

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01032A15

Strings

52NAUXAHBMWDI8DM95PX, xrefs: 01032A78, 01032A7B

Memory Dump Source

Source File: 00000000.00000002.2114520144.0000000001030000.00000040.00000020.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateFileSleep
String ID: 52NAUXAHBMWDI8DM95PX
API String ID: 2694422964-3727761029
Opcode ID: e5e67129ec0cbbf1694b2130d32280ec371ee25dd501bd27416fbd17088ae22f
Instruction ID: a958408df009971ad58543864223f4da38b0c755943f0571ff8b5139ece3a735
Opcode Fuzzy Hash: e5e67129ec0cbbf1694b2130d32280ec371ee25dd501bd27416fbd17088ae22f
Instruction Fuzzy Hash: F2518370D0424DDBEF11DBA4C818BEEBBB9AF55700F044199E6487B2C0D7B90B49CB65

Function 00533B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00533B0F,SwapMouseButtons,00000004,?), ref: 00533B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00533B0F,SwapMouseButtons,00000004,?), ref: 00533B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00533B0F,SwapMouseButtons,00000004,?), ref: 00533B83

Strings

Control Panel\Mouse, xrefs: 00533B3E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5335ec57fe72bf96a4b49e4776c536526e516a66ee6eb675f8f877ff24c40eca
Instruction ID: 2e10c05baff8eedf6e2b2fe2da7de9e879c4812f4cf2a15bdca2c703a1cf6943
Opcode Fuzzy Hash: 5335ec57fe72bf96a4b49e4776c536526e516a66ee6eb675f8f877ff24c40eca
Instruction Fuzzy Hash: 91112AB5510208FFDB218FA5DC58EAEBBB8FF04744F104859E805E7110E2319E44A760

Function 010317F8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01031FB3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01032049
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0103206B

Memory Dump Source

Source File: 00000000.00000002.2114520144.0000000001030000.00000040.00000020.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: 6659394e22069761ed2d0197e58f987777b893f4ab732a35badd9616685c504b
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: B162FB34A146589BEB24CFA4C840BDEB776FF98300F1091A9D24DEB390E7759E81CB59

Function 00533923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005733A2

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00533A04

Strings

Line: , xrefs: 005733EB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d2bb91d9078c2c90c06052b01df004e58568b15755de79a99d79372430da0c6d
Instruction ID: a73d82a853b9eb1fcd26a02786141ebe1f0377d4802812156e659eda1b810c49
Opcode Fuzzy Hash: d2bb91d9078c2c90c06052b01df004e58568b15755de79a99d79372430da0c6d
Instruction Fuzzy Hash: 8E31D471448305ABC725EB20DC49BEBBBD8BB81710F10892EF59987091EB749A48C7C2

Function 00532DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00572C8C

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

Part of subcall function 00532DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00532DC4

Strings

`e_, xrefs: 00572C85
X, xrefs: 00572C5A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e_
API String ID: 779396738-1251496921
Opcode ID: c936c0ff457254d9075cd5c9eb9a7d36e0fbb4eb8626390d62362e6f199f4e76
Instruction ID: 0d74d839585bd5094bbedddecc3b95725d8ac7a13e9f0b9319375bfdbae10f7e
Opcode Fuzzy Hash: c936c0ff457254d9075cd5c9eb9a7d36e0fbb4eb8626390d62362e6f199f4e76
Instruction Fuzzy Hash: 2F218171A00258AFCB01AF94D849BEE7FFCBF89304F008059E509A7241DBB85A499FA1

Function 0054FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00550668

Part of subcall function 005532A4: RaiseException.KERNEL32(?,?,?,0055068A,?,00601444,?,?,?,?,?,?,0055068A,00531129,005F8738,00531129), ref: 00553304

__CxxThrowException@8.LIBVCRUNTIME ref: 00550685

Strings

Unknown exception, xrefs: 00550692

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 47ea1b297d719d3dc996f95503e99b06edc444234c3d9e39ba03a2411118639a
Instruction ID: 62b118057f8fea4f57b26609c2b6f4e0e00973c69a8c83a8c5609caf074bfe6f
Opcode Fuzzy Hash: 47ea1b297d719d3dc996f95503e99b06edc444234c3d9e39ba03a2411118639a
Instruction Fuzzy Hash: 04F0283490020E77CF00B6A8D86ECAD7F6C7E80355B604432BD14C58D1EF71DA6DCA80

Function 005B7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005B82F5
TerminateProcess.KERNEL32(00000000), ref: 005B82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 005B84DD

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: f65693b0042832eb7791b99bba1228f6f4908ee1e0bf8899ae73fc408fe146fa
Instruction ID: 9e12fe615700d508ef6e956a8c2435c064be47809bbd0e171736df9b7510fa9a
Opcode Fuzzy Hash: f65693b0042832eb7791b99bba1228f6f4908ee1e0bf8899ae73fc408fe146fa
Instruction Fuzzy Hash: E3126B719083429FC724DF28C484B6ABBE5BF89318F14895DE8998B352DB31ED45CF92

Function 005310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00531BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00531BF4
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00531BFC
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00531C07
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00531C12
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00531C1A
Part of subcall function 00531BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00531C22

Part of subcall function 00531B4A: RegisterWindowMessageW.USER32(00000004,?,005312C4), ref: 00531BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0053136A
OleInitialize.OLE32 ref: 00531388
CloseHandle.KERNEL32(00000000,00000000), ref: 005724AB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1b603769cf9afc0d4208183e84221c5f2390ed45b81c6759833f69c9ebfd29ad
Instruction ID: 5518d19fc1f049ec5803fc888f3f02440dcbf0918c799ccaee6d9449d28ce8d9
Opcode Fuzzy Hash: 1b603769cf9afc0d4208183e84221c5f2390ed45b81c6759833f69c9ebfd29ad
Instruction Fuzzy Hash: 4C719AF49912018FC38ADF79AC596573FE2FB8A344B54A22EE04ADF2B1EB3045018F54

Function 005686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005685CC,?,005F8CC8,0000000C), ref: 00568704
GetLastError.KERNEL32(?,005685CC,?,005F8CC8,0000000C), ref: 0056870E
__dosmaperr.LIBCMT ref: 00568739

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f49674fce78b9f474046152a840c2f3451bd48e34ca3f1bea7cb2c26f16cf41b
Instruction ID: d1f6b4cd4f98aaead833917eb7e9a46891023a92ac578acec07a86a4741a56ca
Opcode Fuzzy Hash: f49674fce78b9f474046152a840c2f3451bd48e34ca3f1bea7cb2c26f16cf41b
Instruction Fuzzy Hash: B3014E327456601AD7346734E849B7E6F49BBE1BB4F390719F9188B2D2EEA1CC819250

Function 00541310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005417F6

Strings

CALL, xrefs: 005417C6

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4ed139032c6ba7d00fdcfc60661bcebb3115cbec8833ffddb10986192c4421a0
Instruction ID: 2475ca78ffef3943cce0df34c2ab688493591d6e3ec486e15219978122d30cff
Opcode Fuzzy Hash: 4ed139032c6ba7d00fdcfc60661bcebb3115cbec8833ffddb10986192c4421a0
Instruction Fuzzy Hash: 86227B706086029FC714DF14C498AAABFF1BF85318F14891DF8969B3A2D771E885CB96

Function 00533837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00533908

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 719a05775ad0b47026c6258be822600ee8f57a0b3e1cd345376e78862db8f03e
Instruction ID: 88762ccdd2b1f6d0218e6482a20b8b6e232f681309ce7f96c602874010a76208
Opcode Fuzzy Hash: 719a05775ad0b47026c6258be822600ee8f57a0b3e1cd345376e78862db8f03e
Instruction Fuzzy Hash: B431A270505701DFD720DF24D88479BBFE8FB49709F00092EF59997280E771AA48CB92

Function 00535745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0053949C,?,00008000), ref: 00535773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0053949C,?,00008000), ref: 00574052

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 376e100e355e09c4e9cac25c60a532377a7580f21bcf42e3e4d435d758044ca4
Instruction ID: 88c7ac77744ecb7ffcd9f30294a2b22bb5ca48fcec9d1f953987932628a0f128
Opcode Fuzzy Hash: 376e100e355e09c4e9cac25c60a532377a7580f21bcf42e3e4d435d758044ca4
Instruction Fuzzy Hash: 53014031145625BAE7314A2ADC0EF977F98EF027B0F148210BA9C9A1E0D7B45854DB90

Function 010317F5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01031FB3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01032049
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0103206B

Memory Dump Source

Source File: 00000000.00000002.2114520144.0000000001030000.00000040.00000020.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 645d033fefcc9c339322cca6c93c33e26230f4a64f65acf6db2e1611299ccf6f
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 8312EE20E24658C6EB24DF64D8507DEB232FF68300F1090E9914DEB7A5E77A4E81CF5A

Function 005B709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: ef5386af482a1e28bb36b1eee40dc4c900c88a7351e1bae9ed2acbe02c8510c5
Instruction ID: 0b42838dd6c7e53eac85bade173c74ed66be2d8bfc98f8308f7384372030d6c6
Opcode Fuzzy Hash: ef5386af482a1e28bb36b1eee40dc4c900c88a7351e1bae9ed2acbe02c8510c5
Instruction Fuzzy Hash: 1ED13975A0420AEFCF14EF98C8859EDBFB5FF88314F144459E915AB291EB30AD91CB90

Function 0054FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0054FD1F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b1d4432ba347fe0f7777989fbf348570bc5a5c5c76177f38e1f843d3dd97798f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9231E074A041099BC718CF5DD4C4AA9FBA2FB49308B2486A5E80ACF656D731EDC1DBD0

Function 00534ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00534E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E9C
Part of subcall function 00534E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00534EAE
Part of subcall function 00534E90: FreeLibrary.KERNEL32(00000000,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534EFD

Part of subcall function 00534E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E62
Part of subcall function 00534E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00534E74
Part of subcall function 00534E59: FreeLibrary.KERNEL32(00000000,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E87

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4660e3e7560bead4446a15b139a2f0464ce07b3ca2c0632a2ef5404e6d2819b5
Instruction ID: 828ea8b83a10d2d860f678fd82bf4cb699dcdbfce052e73c37d9874900fb7e84
Opcode Fuzzy Hash: 4660e3e7560bead4446a15b139a2f0464ce07b3ca2c0632a2ef5404e6d2819b5
Instruction Fuzzy Hash: 5A112731600306AACF15ABA4DC0AFAD7FA9BF80710F14842DF442A62C1EE70AE05AF50

Function 00568402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00568440

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7e12258bd9611352c47c3904ab543ae59fc268ab57987d1c13ce91f81e172ad6
Instruction ID: 06c7b5381f99c43cb92eb2af9897f6df345e6eafab3cb93a2d282fb875204a7a
Opcode Fuzzy Hash: 7e12258bd9611352c47c3904ab543ae59fc268ab57987d1c13ce91f81e172ad6
Instruction Fuzzy Hash: 8E11487190410AAFCF15DF58E940AAA7BF5FF48304F104199F808AB312DB31DA11CBA4

Function 00565000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00564C7D: RtlAllocateHeap.NTDLL(00000008,00531129,00000000,?,00562E29,00000001,00000364,?,?,?,0055F2DE,00563863,00601444,?,0054FDF5,?), ref: 00564CBE

_free.LIBCMT ref: 0056506C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 4a639a223ce5741d3d4cdf37194d186ac661e357093ad6eaaa723a39a5edba88
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: AB0126722447056BE3318F65D889A5AFFE8FBC9370F65051DE18483280EA30A845C6B4

Function 0055E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 59005984572fff2bc5c27c1a9ca67408d7a7a83b3b503f0181b413e30046d80f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 06F0F932510A119AC7353A65AC2EB5A3F99BFD23B3F100B17FC25931D1CB70D90A86A5

Function 00564C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00531129,00000000,?,00562E29,00000001,00000364,?,?,?,0055F2DE,00563863,00601444,?,0054FDF5,?), ref: 00564CBE

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3dd7888f6e3b48c4531692e69e9df84dd5851a1fb1aca427cdc8fd1205f21999
Instruction ID: 8545a6ecbb120ff1387cb78f452a7b041a256101ae1899d9a53bf91b83fdd2f1
Opcode Fuzzy Hash: 3dd7888f6e3b48c4531692e69e9df84dd5851a1fb1aca427cdc8fd1205f21999
Instruction Fuzzy Hash: 90F0E93160262567FB215F669C09F5B3F89BFC17A1B144122FC19EB781CA30DC019EE0

Function 00563820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3e8c5b7e8aa3ad1fac7a7d7fb25e2eb2c7f95973e30171a9baa50fb2f8e2cfd6
Instruction ID: a810d3d73900a656d6437a9862730166bb0ad01b123ed477ec4e8ac512e347c4
Opcode Fuzzy Hash: 3e8c5b7e8aa3ad1fac7a7d7fb25e2eb2c7f95973e30171a9baa50fb2f8e2cfd6
Instruction Fuzzy Hash: D6E0ED31102225AAE7212AA7DC29BDB3E49BF827B1F090122BC0597981CB20DE0287E1

Function 00534F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534F6D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e29bdbc54739d17583c8a90db58aa3e09be2f90185a007ec1b2769a0ef892227
Instruction ID: a204191f33d8a29f4c8e7478f1117c1c6123efedf1b05b4d322b8cdbaf742e70
Opcode Fuzzy Hash: e29bdbc54739d17583c8a90db58aa3e09be2f90185a007ec1b2769a0ef892227
Instruction Fuzzy Hash: 46F01C71105752CFDB349F65D494812BFE4BF1431971889AEE1DA82611C731A848DF50

Function 0059CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0057EE51,005F3630,00000002), ref: 0059CD26

Part of subcall function 0059CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0059CD19,?,?,?), ref: 0059CC59
Part of subcall function 0059CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0059CD19,?,?,?,?,0057EE51,005F3630,00000002), ref: 0059CC6E
Part of subcall function 0059CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0059CD19,?,?,?,?,0057EE51,005F3630,00000002), ref: 0059CC7A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: ba5fb65f10e14a8ffbeff49c8f9ffd6153a926960974e0acd935d10440955782
Instruction ID: 72a4099946f4f1ae2d1583170caa0ac2a404a5f7fc657242bd520bd4d2268345
Opcode Fuzzy Hash: ba5fb65f10e14a8ffbeff49c8f9ffd6153a926960974e0acd935d10440955782
Instruction Fuzzy Hash: 73E0397A400704EFCB219F8AD9048AABFF8FF85260710852FE99682510D3B1AA14DB60

Function 00532DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00532DC4

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8da805589d3aab65a48023b99c8c9fe42b2084c2017d59582bb8b5e829f3cf60
Instruction ID: 25fe72b4cef41877e076734ad1989071590254a09b8b8a8077021cf5dc9137f6
Opcode Fuzzy Hash: 8da805589d3aab65a48023b99c8c9fe42b2084c2017d59582bb8b5e829f3cf60
Instruction Fuzzy Hash: FAE0CD76A001245BC71092589C09FDA7BDDEFC8790F044075FD0DD7248D960AD84C650

Function 00532B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00533837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00533908

Part of subcall function 0053D730: GetInputState.USER32 ref: 0053D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00532B6B

Part of subcall function 005330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0053314E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: a12614918644ac9a2b8ccb38ea6beee952d3cac64b07cb606adc2ddc2c3a11af
Instruction ID: 50ff3c3ab68551fff2ff479b787cf91319316baae697cab1ad374f3fd14197d3
Opcode Fuzzy Hash: a12614918644ac9a2b8ccb38ea6beee952d3cac64b07cb606adc2ddc2c3a11af
Instruction Fuzzy Hash: 3DE0863170424606C708BB74A85A5AEEF9ABBE2351F40193EF146471A2CF6546494261

Function 0057039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00570704,?,?,00000000,?,00570704,00000000,0000000C), ref: 005703B7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb3af69c495824ee51eb46c5990f5a659be68665483b9985d8ca56c66d50df7f
Instruction ID: cb2dc5d94b29eed45b440059c493faab4edd1bda38a07ebc83ac2c497e8491c9
Opcode Fuzzy Hash: cb3af69c495824ee51eb46c5990f5a659be68665483b9985d8ca56c66d50df7f
Instruction Fuzzy Hash: 08D06C3204010DBFDF028F85DD06EDA3FAAFB48714F014000FE1856020C736E821EB90

Function 00531CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00531CBC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e45c569dc7f00e4046e18638d7643bda891d77b2d50891da5e103270f1cd461c
Instruction ID: ebd8e00b703ecad3123148afaf5f59faa9d27f001141d9adf2e645fce0868d79
Opcode Fuzzy Hash: e45c569dc7f00e4046e18638d7643bda891d77b2d50891da5e103270f1cd461c
Instruction Fuzzy Hash: 26C0923A2C0305AFF3198B80BC5EF127B66E758B00F04A001F60DA95E3C3A22821EA54

Function 005A744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00535745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0053949C,?,00008000), ref: 00535773

GetLastError.KERNEL32(00000002,00000000), ref: 005A76DE

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: f08fbfd5366e9a0b015e50b93ec036ebaf93d01dfda1f0aed34a3699e9e92fc6
Instruction ID: f6c337b6dc94e0cabad431db4be1c2fad367325d9fd8f97aa22df98a04f0376f
Opcode Fuzzy Hash: f08fbfd5366e9a0b015e50b93ec036ebaf93d01dfda1f0aed34a3699e9e92fc6
Instruction Fuzzy Hash: 648190306087069FCB15EF28C895B6EBBE1BF89310F04495DF8865B2A2DB30ED45CB52

Function 010327F4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01032809

Memory Dump Source

Source File: 00000000.00000002.2114520144.0000000001030000.00000040.00000020.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: d002e45b8721f6b256846087a15972961a6ad64a484d6449a86f2a1286d043c1
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 26E0BF7494120DEFDB00DFA4D5496DD7BB4EF04311F1005A1FD05D7680DB309E548A62

Function 00536246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,005724E0), ref: 00536266

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ef24f54f3e09e321b9491389826a83af7e7527233cc583b29a85c7176279b115
Instruction ID: 7292b116bb07729ab26c838b46476f7c78a01533e3ce91698c9dd21898d50605
Opcode Fuzzy Hash: ef24f54f3e09e321b9491389826a83af7e7527233cc583b29a85c7176279b115
Instruction Fuzzy Hash: 10E0B679400B01DFC3314F1AE804412FBF6FFE17613218E2EE1E592660D3B0588A9F50

Function 010327F8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01032809

Memory Dump Source

Source File: 00000000.00000002.2114520144.0000000001030000.00000040.00000020.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1030000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c297cf0618da6369942ad6926ed1cf98fc90d2723aa97538f9737efbc9f41dcd
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 35E0BF7494120DDFDB00DFA4D54969D7BB4EF04301F100561FD0192280D63099508A62

Non-executed Functions

Function 005C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005C96C9
SendMessageW.USER32 ref: 005C96F2
GetKeyState.USER32(00000011), ref: 005C978B
GetKeyState.USER32(00000009), ref: 005C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005C97AE
GetKeyState.USER32(00000010), ref: 005C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005C97E9
SendMessageW.USER32 ref: 005C9810
SendMessageW.USER32(?,00001030,?,005C7E95), ref: 005C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005C9941
SetCapture.USER32(?), ref: 005C994A
ClientToScreen.USER32(?,?), ref: 005C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005C99D6
ReleaseCapture.USER32 ref: 005C99E1
GetCursorPos.USER32(?), ref: 005C9A19
ScreenToClient.USER32(?,?), ref: 005C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005C9A80
SendMessageW.USER32 ref: 005C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005C9AEB
SendMessageW.USER32 ref: 005C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005C9B4A
GetCursorPos.USER32(?), ref: 005C9B68
ScreenToClient.USER32(?,?), ref: 005C9B75
GetParent.USER32(?), ref: 005C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005C9BFA
SendMessageW.USER32 ref: 005C9C2B
ClientToScreen.USER32(?,?), ref: 005C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005C9CDE
SendMessageW.USER32 ref: 005C9D01
ClientToScreen.USER32(?,?), ref: 005C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005C9D82

Part of subcall function 00549944: GetWindowLongW.USER32(?,000000EB), ref: 00549952

GetWindowLongW.USER32(?,000000F0), ref: 005C9E05

Strings

p#`, xrefs: 005C9990
F, xrefs: 005C9D07
@GUI_DRAGID, xrefs: 005C997D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#`
API String ID: 3429851547-2797331669
Opcode ID: b8d070964a64ca6c9d8208ebdd959d8a388df8dcf040a09a4088ac949bc1020c
Instruction ID: 1c6632e07adaffee7d99af84c9a874457fa0e676f069c14a1704c822c5ead45d
Opcode Fuzzy Hash: b8d070964a64ca6c9d8208ebdd959d8a388df8dcf040a09a4088ac949bc1020c
Instruction Fuzzy Hash: EE427D34204241AFDB24CFA8CC48FAABFE5FF89314F14061DF5999B2A1D7319994DB91

Function 005C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005C4A7E
IsMenu.USER32(?), ref: 005C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C4B20
GetWindowLongW.USER32(?,000000F0), ref: 005C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005C4C82
wsprintfW.USER32 ref: 005C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005C4D5A

Strings

%d/%02d/%02d, xrefs: 005C4CA8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b944245b59172e91714030c26c1cc71ca100be39b69d2984f77672e88fe0bccd
Instruction ID: a9ac880ac67e6844b318a719f46d78f60dd427e7fc7246f6864418b10af1577c
Opcode Fuzzy Hash: b944245b59172e91714030c26c1cc71ca100be39b69d2984f77672e88fe0bccd
Instruction Fuzzy Hash: 6312DC71A00215AFEB248FA8CC59FAE7FB8BF85310F10452DF51AEA2A1DB749941CF50

Function 0054F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0054F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0058F474
IsIconic.USER32(00000000), ref: 0058F47D
ShowWindow.USER32(00000000,00000009), ref: 0058F48A
SetForegroundWindow.USER32(00000000), ref: 0058F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0058F4AA
GetCurrentThreadId.KERNEL32 ref: 0058F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0058F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0058F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0058F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0058F4DE
SetForegroundWindow.USER32(00000000), ref: 0058F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F4F6
keybd_event.USER32(00000012,00000000), ref: 0058F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F50B
keybd_event.USER32(00000012,00000000), ref: 0058F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F519
keybd_event.USER32(00000012,00000000), ref: 0058F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058F528
keybd_event.USER32(00000012,00000000), ref: 0058F52D
SetForegroundWindow.USER32(00000000), ref: 0058F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0058F557

Strings

Shell_TrayWnd, xrefs: 0058F46F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6f81a9e0ba2dd59c2f7282ca7184fcd4b4bce3bae8f16c9a515576a5de11f1d7
Instruction ID: 4069f2d4d9ff276b6b98815d4fe50647537e69181846488e473352163979c7b4
Opcode Fuzzy Hash: 6f81a9e0ba2dd59c2f7282ca7184fcd4b4bce3bae8f16c9a515576a5de11f1d7
Instruction Fuzzy Hash: B7314F71A40218BFEB206BB55C4AFBF7E6CFB58B50F10046AFA05F61D1C6B55D01ABA0

Function 00591201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0059170D
Part of subcall function 005916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0059173A
Part of subcall function 005916C3: GetLastError.KERNEL32 ref: 0059174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00591286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005912A8
CloseHandle.KERNEL32(?), ref: 005912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005912D1
GetProcessWindowStation.USER32 ref: 005912EA
SetProcessWindowStation.USER32(00000000), ref: 005912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00591310

Part of subcall function 005910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005911FC), ref: 005910D4
Part of subcall function 005910BF: CloseHandle.KERNEL32(?,?,005911FC), ref: 005910E9

Strings

default, xrefs: 0059130B
, xrefs: 0059125A
winsta0, xrefs: 005912CC
Z_, xrefs: 00591392

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z_
API String ID: 22674027-136207353
Opcode ID: a4f05658cb4d7f4cb5af52e38f375dc95b49018b6447bff9c7ff83cb07e29175
Instruction ID: 408816e79e51f306f1533f4fbbdb363510762321c625f73fa35442ab2ec02b09
Opcode Fuzzy Hash: a4f05658cb4d7f4cb5af52e38f375dc95b49018b6447bff9c7ff83cb07e29175
Instruction Fuzzy Hash: D481BE7190061AAFEF209FA8DC49FEE7FB9FF08704F144129FA18A61A0D7358944DB24

Function 00590B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00591114
Part of subcall function 005910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591120
Part of subcall function 005910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 0059112F
Part of subcall function 005910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591136
Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0059114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00590BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00590C00
GetLengthSid.ADVAPI32(?), ref: 00590C17
GetAce.ADVAPI32(?,00000000,?), ref: 00590C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00590C6D
GetLengthSid.ADVAPI32(?), ref: 00590C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00590C8C
HeapAlloc.KERNEL32(00000000), ref: 00590C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00590CB4
CopySid.ADVAPI32(00000000), ref: 00590CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00590CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00590D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00590D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590D45
HeapFree.KERNEL32(00000000), ref: 00590D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590D55
HeapFree.KERNEL32(00000000), ref: 00590D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590D65
HeapFree.KERNEL32(00000000), ref: 00590D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00590D78
HeapFree.KERNEL32(00000000), ref: 00590D7F

Part of subcall function 00591193: GetProcessHeap.KERNEL32(00000008,00590BB1,?,00000000,?,00590BB1,?), ref: 005911A1
Part of subcall function 00591193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00590BB1,?), ref: 005911A8
Part of subcall function 00591193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00590BB1,?), ref: 005911B7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0f655b356d8e9669596dffb175cbc1bb1a23eb5a485541941d80571d0f4f1d58
Instruction ID: b49e43295721a941fb30b262249f62717193ae0c84c0ed25279c66432d8c5bcd
Opcode Fuzzy Hash: 0f655b356d8e9669596dffb175cbc1bb1a23eb5a485541941d80571d0f4f1d58
Instruction Fuzzy Hash: 3571687290020AAFDF10DFA5DC48FAEBFBCFF14304F044915E919A6291D775AA09DBA0

Function 005AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005CCC08), ref: 005AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 005AEB37
GetClipboardData.USER32(0000000D), ref: 005AEB43
CloseClipboard.USER32 ref: 005AEB4F
GlobalLock.KERNEL32(00000000), ref: 005AEB87
CloseClipboard.USER32 ref: 005AEB91
GlobalUnlock.KERNEL32(00000000), ref: 005AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 005AEBC9
GetClipboardData.USER32(00000001), ref: 005AEBD1
GlobalLock.KERNEL32(00000000), ref: 005AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 005AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 005AEC38
GetClipboardData.USER32(0000000F), ref: 005AEC44
GlobalLock.KERNEL32(00000000), ref: 005AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005AECD2
GlobalUnlock.KERNEL32(00000000), ref: 005AECF3
CountClipboardFormats.USER32 ref: 005AED14
CloseClipboard.USER32 ref: 005AED59

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7c86c4764f8502bf67454fad3a0f210a104f6a17cf60b56cc7f8fea93dfa074f
Instruction ID: 58eeefeb174d7e732cb5895af92f1cab4875b4c31cccf77e29b9e5969bfbcf18
Opcode Fuzzy Hash: 7c86c4764f8502bf67454fad3a0f210a104f6a17cf60b56cc7f8fea93dfa074f
Instruction Fuzzy Hash: EF61E234204206AFD300EF24D88AF6EBFA4BF96714F14451DF49A972A1CB71DD4ADB62

Function 005A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005A69BE
FindClose.KERNEL32(00000000), ref: 005A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005A6A75

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 005A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 005A6ADF

Strings

%02d, xrefs: 005A6C00, 005A6C0A, 005A6C5A, 005A6CAA, 005A6CFA, 005A6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 005A6B6A
%4d, xrefs: 005A6BB1
%03d, xrefs: 005A6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 005A6B32

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d34e10b49b8abe8bacaf839136c4b735a72c7e2901a2b12ddecc0fcfba09fc52
Instruction ID: 5a1a69e8a97207b1e98fd5005119fd960b60389031f928392ff1b7cc7c10932b
Opcode Fuzzy Hash: d34e10b49b8abe8bacaf839136c4b735a72c7e2901a2b12ddecc0fcfba09fc52
Instruction Fuzzy Hash: 6AD150B2508305AFC714DBA4C889EAFBBECBF89704F04491DF585D6291EB74DA44CB62

Function 005A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005A9663
GetFileAttributesW.KERNEL32(?), ref: 005A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 005A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 005A96D3
FindClose.KERNEL32(00000000), ref: 005A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 005A974A
SetCurrentDirectoryW.KERNEL32(005F6B7C), ref: 005A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 005A9772
FindClose.KERNEL32(00000000), ref: 005A977F
FindClose.KERNEL32(00000000), ref: 005A978F

Strings

*.*, xrefs: 005A96F5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 938f54696e87e921be1f7196e5dde71ee7c3380a389411d88171db2e27891bb1
Instruction ID: 6eba99497a6b6a3cd595c5250e03f7d8091d7e6826313db34f7969cdce0407cd
Opcode Fuzzy Hash: 938f54696e87e921be1f7196e5dde71ee7c3380a389411d88171db2e27891bb1
Instruction Fuzzy Hash: 4131B23650062A6EDB14AFB4DC08EEE7FACFF4A321F104596E915E2090EB34DD448A60

Function 005A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 005A9819
FindClose.KERNEL32(00000000), ref: 005A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 005A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 005A9890
SetCurrentDirectoryW.KERNEL32(005F6B7C), ref: 005A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005A98B8
FindClose.KERNEL32(00000000), ref: 005A98C5
FindClose.KERNEL32(00000000), ref: 005A98D5

Part of subcall function 0059DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0059DB00

Strings

*.*, xrefs: 005A983B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: cfc4db99d38f7261a890e802ca23c4c49820f19227d925e855a02816e24fab4c
Instruction ID: 082c8bdc676ff88449e7719a03d6324fde629fa49aa3ff2f8f1b01362311863c
Opcode Fuzzy Hash: cfc4db99d38f7261a890e802ca23c4c49820f19227d925e855a02816e24fab4c
Instruction Fuzzy Hash: AB31903550062A6EDB10EFA4EC58EEE7FACFF47320F144596E954A2190DB38DA49CB60

Function 005BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 005BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 005BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 005BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BC382
RegCloseKey.ADVAPI32(00000000), ref: 005BC38F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a3879d941a86c294ed23939043f39ed52fef787ad16df9365a9c28af395e6e93
Instruction ID: 7ab0335f52af1fa806c029c157796df33e0a2670487d883ce84bd531175be3ae
Opcode Fuzzy Hash: a3879d941a86c294ed23939043f39ed52fef787ad16df9365a9c28af395e6e93
Instruction Fuzzy Hash: 2A025B71604201AFD714CF28C895E6ABFE5BF89308F58889DF84ADB2A2D731EC45CB51

Function 005A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 005A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8395

Strings

*.*, xrefs: 005A839B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 807222bc8efaf8e33e6b86c35e425f85c15b7b8cec5a698c2a62d4ce3d712ae3
Instruction ID: 12fbb57c1ff0ff38461eda1e05416bf4d9632f50463dcdcf8905b26032414e97
Opcode Fuzzy Hash: 807222bc8efaf8e33e6b86c35e425f85c15b7b8cec5a698c2a62d4ce3d712ae3
Instruction Fuzzy Hash: 01616C765043069FCB10EF60C844AAEBBE8FF89310F044D1EF98997251EB35E949CB92

Function 0059D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

Part of subcall function 0059E199: GetFileAttributesW.KERNEL32(?,0059CF95), ref: 0059E19A

FindFirstFileW.KERNEL32(?,?), ref: 0059D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0059D1DD
MoveFileW.KERNEL32(?,?), ref: 0059D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0059D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0059D237

Part of subcall function 0059D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0059D21C,?,?), ref: 0059D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0059D253
FindClose.KERNEL32(00000000), ref: 0059D264

Strings

\*.*, xrefs: 0059D0CD, 0059D0D6, 0059D0EB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: f66d759641fc61b2247403b9d5814019cc39159d71b6e23935862d543f971453
Instruction ID: f7198b95078611fa5f52e4781b49776e1f7ee5dd9ca17fd4c55d6ba8bb1dba99
Opcode Fuzzy Hash: f66d759641fc61b2247403b9d5814019cc39159d71b6e23935862d543f971453
Instruction Fuzzy Hash: 31617B7180510EAECF05EBE0CA969EDBFB5BF94300F204065E442771A1EB30AF09DB60

Function 005AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005AED91
EmptyClipboard.USER32 ref: 005AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 005AEDAC
CloseClipboard.USER32 ref: 005AEEA3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fbdccc248e202849f611f42d159af39c36b5248f9b9896cc8cf811d0966cefa0
Instruction ID: ab7076436686094cf56dbc721f6b2446176548b735bd40f12b2d00f0671b1997
Opcode Fuzzy Hash: fbdccc248e202849f611f42d159af39c36b5248f9b9896cc8cf811d0966cefa0
Instruction Fuzzy Hash: 43418B35604611AFE720CF19E88AF1ABFA5FF45319F14C09DE4598B662C735EC42CB90

Function 0059E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0059170D
Part of subcall function 005916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0059173A
Part of subcall function 005916C3: GetLastError.KERNEL32 ref: 0059174A

ExitWindowsEx.USER32(?,00000000), ref: 0059E932

Strings

, xrefs: 0059E920
@, xrefs: 0059E925
SeShutdownPrivilege, xrefs: 0059E902
, xrefs: 0059E95C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e597b68cb68c6700977c1036a9dd26a7749a4d2e8f724af561e26b366127647b
Instruction ID: fb0fae795708b757432c5c3390c145b2206bfe1ab3b23920ee3bc5c693711ba1
Opcode Fuzzy Hash: e597b68cb68c6700977c1036a9dd26a7749a4d2e8f724af561e26b366127647b
Instruction Fuzzy Hash: AC01F972A10612AFEF54A6B49C8BFBF7E6CB714B50F150821FD03E21D1D9A15C449194

Function 005B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005B1276
WSAGetLastError.WSOCK32 ref: 005B1283
bind.WSOCK32(00000000,?,00000010), ref: 005B12BA
WSAGetLastError.WSOCK32 ref: 005B12C5
closesocket.WSOCK32(00000000), ref: 005B12F4
listen.WSOCK32(00000000,00000005), ref: 005B1303
WSAGetLastError.WSOCK32 ref: 005B130D
closesocket.WSOCK32(00000000), ref: 005B133C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d15dab7d67f5105a949f171bc5ace76acd1a35242c60d412d5008a8a3025cf2b
Instruction ID: 7d99a4ccb53984085fa112b35d659da14a7bca4cf3b828a041538492066c2825
Opcode Fuzzy Hash: d15dab7d67f5105a949f171bc5ace76acd1a35242c60d412d5008a8a3025cf2b
Instruction Fuzzy Hash: 4E419E35A005019FD710DF24C498B6ABFE6BF86318F588098E8569F292C771FD85CBE0

Function 0056B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0056B9D4
_free.LIBCMT ref: 0056B9F8
_free.LIBCMT ref: 0056BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005D3700), ref: 0056BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0060121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0056BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00601270,000000FF,?,0000003F,00000000,?), ref: 0056BC36
_free.LIBCMT ref: 0056BD4B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b07161c0845eb7cf544a7fcb85f8739947fd062f29dae2f6a5d0866c5a59ddf6
Instruction ID: 0dd21c7ee0a9d7221f3e1984fd42e6ea7055f4abde3476ebbf824e6033fae34c
Opcode Fuzzy Hash: b07161c0845eb7cf544a7fcb85f8739947fd062f29dae2f6a5d0866c5a59ddf6
Instruction Fuzzy Hash: B8C10771A04206AFEB249F68CC55BAE7FB9FF81350F14459AE494DB291EB309EC1CB50

Function 0059D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

Part of subcall function 0059E199: GetFileAttributesW.KERNEL32(?,0059CF95), ref: 0059E19A

FindFirstFileW.KERNEL32(?,?), ref: 0059D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0059D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0059D481
FindClose.KERNEL32(00000000), ref: 0059D498
FindClose.KERNEL32(00000000), ref: 0059D4A1

Strings

\*.*, xrefs: 0059D3F2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4464deaeb1e025d84a41c35daa0ed411cb26731aa4283f298e8e4fba5cb53251
Instruction ID: 64ac2a63995b77d5f9b98d4143dfdcb153b05998b4f780ff3e5a6ec8baffad04
Opcode Fuzzy Hash: 4464deaeb1e025d84a41c35daa0ed411cb26731aa4283f298e8e4fba5cb53251
Instruction Fuzzy Hash: EB3170710083469FC701EF64D8559AFBFA8BED1310F444E1DF4D9531A1EB60AA09DB63

Function 0056E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0056E645

Strings

1#SNAN, xrefs: 0056F844
1#QNAN, xrefs: 0056F84B
1#IND, xrefs: 0056F83D
1#INF, xrefs: 0056F852

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ded6f5fba7589ff9ea726830356ad94507c41a6b260e9e7ebdd514fb0cf06591
Instruction ID: 58cd3b018e5fdd1d670e6a68685f7c3796287b74916642846f258812ed0f771c
Opcode Fuzzy Hash: ded6f5fba7589ff9ea726830356ad94507c41a6b260e9e7ebdd514fb0cf06591
Instruction Fuzzy Hash: 9FC26A71E096288FDB25CE28DD457EABBB5FB84305F1445EAD80EE7241E774AE818F40

Function 005A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A64DC
CoInitialize.OLE32(00000000), ref: 005A6639
CoCreateInstance.OLE32(005CFCF8,00000000,00000001,005CFB68,?), ref: 005A6650
CoUninitialize.OLE32 ref: 005A68D4

Strings

.lnk, xrefs: 005A64BA, 005A6524, 005A65E0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9a4cc76cf2653a74a9f546eaa499ade2b9a5594602b0c1a20e5f84062e874885
Instruction ID: 6ecf306a04d3b43991b13eeb85b99c3d67382ea46d91a05887036b82c2c4d3c9
Opcode Fuzzy Hash: 9a4cc76cf2653a74a9f546eaa499ade2b9a5594602b0c1a20e5f84062e874885
Instruction Fuzzy Hash: BAD14971508206AFC314EF24C88596BBBE8FFD9704F44496DF5958B291EB70ED09CBA2

Function 005B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005B22E8

Part of subcall function 005AE4EC: GetWindowRect.USER32(?,?), ref: 005AE504

GetDesktopWindow.USER32 ref: 005B2312
GetWindowRect.USER32(00000000), ref: 005B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005B2355
GetCursorPos.USER32(?), ref: 005B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005B23DF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9a87e2fd27060e860dd6b021724c4a24d7a637272cdc777e049626a2bbe84a6d
Instruction ID: 729e994ca8d462b7706a28b4aa8addc52430e15b01fb9d9bb67cd1718fd3c044
Opcode Fuzzy Hash: 9a87e2fd27060e860dd6b021724c4a24d7a637272cdc777e049626a2bbe84a6d
Instruction Fuzzy Hash: 1831B072505715AFDB20DF54C849F9BBBE9FF88314F000919F98997191DB34E909CBA2

Function 005A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005A9C8B

Part of subcall function 005A3874: GetInputState.USER32 ref: 005A38CB
Part of subcall function 005A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005A9C75

Strings

*.*, xrefs: 005A9B5D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 868cb627b9a877b41e429910d8c6c61a46f9b1f6fd0635967e0d6a3c106c1886
Instruction ID: 29552ff74baa5025a4051151589572475b08144957134ef8b8b67902fb238f90
Opcode Fuzzy Hash: 868cb627b9a877b41e429910d8c6c61a46f9b1f6fd0635967e0d6a3c106c1886
Instruction Fuzzy Hash: 3A41717194461A9FCF14DFA4CC99AEEBFB8FF46310F248556E905A2191EB309E44CF60

Function 0054997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00549A4E
GetSysColor.USER32(0000000F), ref: 00549B23
SetBkColor.GDI32(?,00000000), ref: 00549B36

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: da9e473d2dbefbc961a4606edde17c4547749cade8e1d4f41ac7d695f5957f07
Instruction ID: ba5687f402b1adf00ae9822e47bb3c0ba3d97bf1c06d6c2c1a4412e08f914c22
Opcode Fuzzy Hash: da9e473d2dbefbc961a4606edde17c4547749cade8e1d4f41ac7d695f5957f07
Instruction Fuzzy Hash: 34A11C70108458BEE728BA3E8C8EEFB3E9EFBC6358B244609F502D6591CA25DD01D371

Function 005B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B307A
Part of subcall function 005B304E: _wcslen.LIBCMT ref: 005B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005B185D
WSAGetLastError.WSOCK32 ref: 005B1884
bind.WSOCK32(00000000,?,00000010), ref: 005B18DB
WSAGetLastError.WSOCK32 ref: 005B18E6
closesocket.WSOCK32(00000000), ref: 005B1915

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f6f7607c94b333d29bfde4d19243ac29e8e034e9c254168fe636ac1db56c7ff8
Instruction ID: d904f055904bf23b7dae8a7199eb0ab08aeb15e91b74f0c4dd0c0591c9f1877d
Opcode Fuzzy Hash: f6f7607c94b333d29bfde4d19243ac29e8e034e9c254168fe636ac1db56c7ff8
Instruction Fuzzy Hash: 2851C675A00600AFDB10AF24C89AF6A7FE5BB84718F54845CFA066F3D3D771AD418BA1

Function 005C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005C1CC0
IsWindowEnabled.USER32 ref: 005C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005C1CDB
IsIconic.USER32 ref: 005C1CE9
IsZoomed.USER32 ref: 005C1CF7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c9639260fcea709bd45d82128ac703e58e79c2eeacb4c5db7734503163b9dfe2
Instruction ID: c3da2e9af779f553c2d237041e9bec11e1172f4d4772a7eae67edc49253f4e81
Opcode Fuzzy Hash: c9639260fcea709bd45d82128ac703e58e79c2eeacb4c5db7734503163b9dfe2
Instruction Fuzzy Hash: A5219131740A115FD7208F6AC884F6A7FA5FF96315F19806CE84A8B352CB71DC42CB98

Function 00538060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005383FA
VUUU, xrefs: 0053843C
ERCP, xrefs: 0053813C
VUUU, xrefs: 005383E8
VUUU, xrefs: 00575DF0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0d4b8f4fe90b7b295217d5955296f2dcac17a20b36c52015c25ef733bf2f669a
Instruction ID: 6178ecbd4093db09f1ab751afec0169d66788a03586c5a3dfade5aca58c224c0
Opcode Fuzzy Hash: 0d4b8f4fe90b7b295217d5955296f2dcac17a20b36c52015c25ef733bf2f669a
Instruction Fuzzy Hash: A8A29175E0061ACBDF28CF58D8457BEBBB1BF54310F2485A9E819A7281EB709D81DF90

Function 00598298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005982AA

Strings

(, xrefs: 005982F0
tb_, xrefs: 005984F4
|, xrefs: 005982DA

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: lstrlen
String ID: ($tb_$|
API String ID: 1659193697-2948932382
Opcode ID: f54327e9c7e60fba959f78590d283466b6197851d8523fe59b6c10d1331ccd25
Instruction ID: a84be03eb5a41674355c0a4d7ad721082d8db5bee6c8e3531ed057a794044d00
Opcode Fuzzy Hash: f54327e9c7e60fba959f78590d283466b6197851d8523fe59b6c10d1331ccd25
Instruction Fuzzy Hash: 9B322575A007059FCB28CF59C481A6ABBF0FF48710B15C96EE59ADB3A1EB70E941CB50

Function 005BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 005BA6BA

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Process32NextW.KERNEL32(00000000,?), ref: 005BA79C
CloseHandle.KERNEL32(00000000), ref: 005BA7AB

Part of subcall function 0054CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00573303,?), ref: 0054CE8A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 80717b53b6661c4f0aa5f6dc08f4a28a675b950c929a81ba06221a56ce94f27e
Instruction ID: 1dec77b49abc72662b37d27f214360caa205787d2e99d3cf97af0b1f385375db
Opcode Fuzzy Hash: 80717b53b6661c4f0aa5f6dc08f4a28a675b950c929a81ba06221a56ce94f27e
Instruction Fuzzy Hash: D3511BB5508301AFD710EF25C88AA6BBBE8FFC9754F40891DF58997251EB70E904CB92

Function 0059AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0059AAAC
SetKeyboardState.USER32(00000080), ref: 0059AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0059AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0059AB88

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b16351bc598b9e14603edb51dae708e4f629a198d7fb91107ba3c7cb3dc72c66
Instruction ID: 35943875445bb3a9e5cbc94f3e4540dfe2ae31590ba7b298a46f69f21c8142bd
Opcode Fuzzy Hash: b16351bc598b9e14603edb51dae708e4f629a198d7fb91107ba3c7cb3dc72c66
Instruction Fuzzy Hash: FD310330A40648AFFF358A698C09BFA7FABFB94320F04421AE585961D0D7749985D7F2

Function 005ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 005ACE89
GetLastError.KERNEL32(?,00000000), ref: 005ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 005ACEFE

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 65deb118840dd7fb2164835a6b673ca0894cf62f92b3e0db513293adf3037039
Instruction ID: 8140ef4360215328d8641d7105dd2c94bf59280d1ffa4cb598815f56cbbebaa5
Opcode Fuzzy Hash: 65deb118840dd7fb2164835a6b673ca0894cf62f92b3e0db513293adf3037039
Instruction Fuzzy Hash: 5E21AC71500705AFEB218F65C948BAA7FFCFB52354F10482EE64692151E774EA08DBA0

Function 0059DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00575222), ref: 0059DBCE
GetFileAttributesW.KERNEL32(?), ref: 0059DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0059DBEE
FindClose.KERNEL32(00000000), ref: 0059DBFA

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: e19bb763b5ca37efb9224b3547f669d8a8f571e4949479e042447d7469d94bbb
Instruction ID: 508186b1cebb55f3dab201a3b18cf360b39a78c453abd91144dd50bff3d04cd3
Opcode Fuzzy Hash: e19bb763b5ca37efb9224b3547f669d8a8f571e4949479e042447d7469d94bbb
Instruction Fuzzy Hash: C8F0A0308109105B8A206B78EC0D8AA7F7CAF41334B144702F87AC20E0EBB05D59DAA5

Function 005A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 005A5D17
FindClose.KERNEL32(?), ref: 005A5D5F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c03c520e1019dfe69caf787c5cb7bfb74ce418e2a9e170e5d1addc16f3e7db78
Instruction ID: 4dcd40c29c9e837b8b63e1d1c3a23e977fc0fc219f9a3c05ca4c895e738a385d
Opcode Fuzzy Hash: c03c520e1019dfe69caf787c5cb7bfb74ce418e2a9e170e5d1addc16f3e7db78
Instruction Fuzzy Hash: 6C519D75604A029FC714CF28C498E9ABBE4FF4A324F14855DE99A8B3A1DB30ED05CF91

Function 00562622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0056271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00562724
UnhandledExceptionFilter.KERNEL32(?), ref: 00562731

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 60e151217e543206fc223b4d41381fc90c304ef4d82d0f281ffd68f441e77086
Instruction ID: 90f38b31ffc5499197474e43d0993141ed2f6c5164e48ed193c22cc9a427cba7
Opcode Fuzzy Hash: 60e151217e543206fc223b4d41381fc90c304ef4d82d0f281ffd68f441e77086
Instruction Fuzzy Hash: EB31C47490121D9BCB21DF64DC88B9CBBB8BF58311F5042EAE80CA7260E7309F858F44

Function 005A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005A5238
SetErrorMode.KERNEL32(00000000), ref: 005A52A1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2ffb85dd6213b6e6bb938c12fa86955ee63fdc8ad760a1e76acff554ddf0b0cc
Instruction ID: b07415c9b68b942f5a315c57cf1eb45941f77cdb2eb0f5f17ed709bfd228488d
Opcode Fuzzy Hash: 2ffb85dd6213b6e6bb938c12fa86955ee63fdc8ad760a1e76acff554ddf0b0cc
Instruction Fuzzy Hash: B6311A75A00619DFDB00DF55D888EADBFB5FF49314F088099E809AB362DB31E859CB90

Function 005916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0054FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00550668
Part of subcall function 0054FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00550685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0059170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0059173A
GetLastError.KERNEL32 ref: 0059174A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 34cdcc4f3d958e205c55c4a8a3bc24941f8179446b9b592a5dbe018d951f948e
Instruction ID: bded61cca824259fe81efc52cf3375da4c6a69a491bd9da84e3d43bc2610301c
Opcode Fuzzy Hash: 34cdcc4f3d958e205c55c4a8a3bc24941f8179446b9b592a5dbe018d951f948e
Instruction Fuzzy Hash: 5E11C4B1800706AFD7189F54DC8AD6ABBB9FF44714B24852EE05657241EB70BC418B24

Function 0059D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0059D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0059D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0059D650

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9fcb6e5836256554a77874ceb40322c83583fd35d663bbb03a7f013cc97e20b6
Instruction ID: 1a6ee7a2c21a1ea882ffb5649d1cb559330ba4f6bd851f2394d82cf21488e7e6
Opcode Fuzzy Hash: 9fcb6e5836256554a77874ceb40322c83583fd35d663bbb03a7f013cc97e20b6
Instruction Fuzzy Hash: 3B115E75E05228BFDB108F95EC45FAFBFBCEB45B50F108155F908E7290D6704A059BA1

Function 00591663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0059168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005916A1
FreeSid.ADVAPI32(?), ref: 005916B1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5d4cd2a123877c90376dedb3c37724521dcf630aba6210c88fc61af88842bbe9
Instruction ID: ce61423ff6eac54c591612bafdd2e1046ace923dabbcbea6a968ae31972d1438
Opcode Fuzzy Hash: 5d4cd2a123877c90376dedb3c37724521dcf630aba6210c88fc61af88842bbe9
Instruction Fuzzy Hash: C4F0F471950309FFDF00DFE4DD89EAEBBBCFB08604F504565E901E2181E774AA489A54

Function 00554CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005628E9,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002,00000000,?,005628E9), ref: 00554D09
TerminateProcess.KERNEL32(00000000,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002,00000000,?,005628E9), ref: 00554D10
ExitProcess.KERNEL32 ref: 00554D22

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a18287f16340ec5087e99b64f20129c96fed477c18cf54791637dd82cb0b2577
Instruction ID: ae9e3389b5ebf07b9c7a53a483c03c45ec7d81b34f2193eaf210fb23f01e616b
Opcode Fuzzy Hash: a18287f16340ec5087e99b64f20129c96fed477c18cf54791637dd82cb0b2577
Instruction Fuzzy Hash: 9EE0B631400548AFCF11AF54EE1DE583F79FB91B86B144419FC098B122CB36DD8ADE90

Function 0056C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0056C36C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 6916d2bb1669c3175067e47278fd2142a090c0d93fdb2f668a3921605d055281
Instruction ID: e1da56c959855819b1f2734516d7ec567a79b6c98346a4725386483fd563f106
Opcode Fuzzy Hash: 6916d2bb1669c3175067e47278fd2142a090c0d93fdb2f668a3921605d055281
Instruction Fuzzy Hash: 4E412676600219ABCB209FB9CC4CDBB7F78FB84315F104669F945C7280E6709D418B50

Function 0058D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0058D28C

Strings

X64, xrefs: 0058D2A8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: dc205bcd19553f172fc066163105b234840b41359d71392497b1f491ed9d2c19
Instruction ID: 5ec5e61f3c1f1d2a881c39f0f98553a058c7603a517b806648e5705bd20d43c2
Opcode Fuzzy Hash: dc205bcd19553f172fc066163105b234840b41359d71392497b1f491ed9d2c19
Instruction Fuzzy Hash: 62D0C9B480111DEECB90DB90EC8CDDDBBBCBB14305F100551F50AB2040D73495489F20

Function 0055CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 93d4a4be2c81a4d74f69ba06201c4ec82d3feed8c5913770442c474069e51d19
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7021A71E002199FDF14CFA9D8906ADBFF5FF88315F25816AD819EB280D731AE458B84

Function 0053CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00580C40
p#`, xrefs: 0053CF7F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#`
API String ID: 0-476173941
Opcode ID: 39ddf6f0d02f560120bd874a45c9aaa2047de06f4363c10daf306eb088b0875a
Instruction ID: 78decce972184a916ee2f037ca4b16ff4b17993a615b0056982179579c7dd598
Opcode Fuzzy Hash: 39ddf6f0d02f560120bd874a45c9aaa2047de06f4363c10daf306eb088b0875a
Instruction Fuzzy Hash: 4732BD74900219DFDF14EF94C889AEEBFB9BF45304F109459E806BB292D731AE49CB60

Function 005A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005A6918
FindClose.KERNEL32(00000000), ref: 005A6961

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1a1d8ed57308b26b993e9cbff591f631be5d7e2193a4d0066e8f5145e4d914e3
Instruction ID: ff90bb2646bbe5529864fa78d5d12a183237a1f9cb56fec4bf42421a31df87c6
Opcode Fuzzy Hash: 1a1d8ed57308b26b993e9cbff591f631be5d7e2193a4d0066e8f5145e4d914e3
Instruction Fuzzy Hash: 831190756046019FC710DF29D488A1ABFE5FF89328F18C699E4698F7A2CB30EC05CB91

Function 005A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005B4891,?,?,00000035,?), ref: 005A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005B4891,?,?,00000035,?), ref: 005A37F4

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 44e0bc1c0d6ed213eedd945c8224c021209de9aa55be2b0b9b4248d1c100f820
Instruction ID: 25d936b7a4c310ea2e32da44971c8e5600fbd135700aef961e4bb991f16c0002
Opcode Fuzzy Hash: 44e0bc1c0d6ed213eedd945c8224c021209de9aa55be2b0b9b4248d1c100f820
Instruction Fuzzy Hash: EDF0E5B16043292AE720576A9C4DFEB3FAEFFC5B65F000175F509D2281D9A09E08C6B0

Function 0059B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0059B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0059B270

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7790f1d3c2214aca535f79cefaee8fca809ea7852b38ca16249992dc2aa75817
Instruction ID: a4cad9c650d922e705e2c6b7f03205714ca52ae6d0db30ec9babc06d452e2bbe
Opcode Fuzzy Hash: 7790f1d3c2214aca535f79cefaee8fca809ea7852b38ca16249992dc2aa75817
Instruction Fuzzy Hash: 75F01D7580424DAFEF059FA0D805BAE7FB4FF04305F04841AF955A5191C37996159F94

Function 005910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005911FC), ref: 005910D4
CloseHandle.KERNEL32(?,?,005911FC), ref: 005910E9

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b2996907098d33ad0704e289b0f017f19fb4f14be859b8618c7170c41cc74252
Instruction ID: 9c806700ccab2ee070c3ff7653242f32ea32472c9a08096378e8c0514811d81c
Opcode Fuzzy Hash: b2996907098d33ad0704e289b0f017f19fb4f14be859b8618c7170c41cc74252
Instruction Fuzzy Hash: D2E04F32004A11AFE7252B15FC09EB77FA9FB04314B14882DF4A6804B1DB626CA0EB14

Function 0056676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00566766,?,?,00000008,?,?,0056FEFE,00000000), ref: 00566998

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 20a65de963de62a08cd71c49484f58b36d8776eb7e082bd505d150b78aedf0ef
Instruction ID: e63160baddd065d779955c4dcb073c539c64682ea262053c0210ecbd46a0733d
Opcode Fuzzy Hash: 20a65de963de62a08cd71c49484f58b36d8776eb7e082bd505d150b78aedf0ef
Instruction Fuzzy Hash: 81B12A35610609DFD719CF28C48AB657FE0FF45364F298658E89ACF2A2C735E991CB40

Function 0054B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0058851F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 90443bf64c661e66fea4c75ef0302f4461c12e87f40e00fdfa8315e5b88fabfe
Instruction ID: 77b0cdc8163ea53c587b51f6ffd77613e2323187242587f6aacbba9227cbc6ec
Opcode Fuzzy Hash: 90443bf64c661e66fea4c75ef0302f4461c12e87f40e00fdfa8315e5b88fabfe
Instruction Fuzzy Hash: C7125E759002299FDF24DF58C880AFEBBB5FF48714F54859AE849EB251DB309E81CB90

Function 005AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005AEABD

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5d0463f3012bb61cae696cb3daf9580fe52b76b8b214db2560f36535104ba76e
Instruction ID: 32b6b0981d0fd9757268db949d22c30d86934d29dac2ad6c6258cef8bc374b4e
Opcode Fuzzy Hash: 5d0463f3012bb61cae696cb3daf9580fe52b76b8b214db2560f36535104ba76e
Instruction Fuzzy Hash: 09E01A362002059FD710EF59D809E9ABFE9BF99760F00841AFD49DB351DA70AC408B90

Function 005509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005503EE), ref: 005509DA

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 73eab3242910cd9331c2001dd2fa0f4a8793f02224dab76abe74ab31b1e99bf2
Instruction ID: a7b725e22165d86fc76c17b365799dd26105aac28ccb5d5d170bee8933d89a29
Opcode Fuzzy Hash: 73eab3242910cd9331c2001dd2fa0f4a8793f02224dab76abe74ab31b1e99bf2
Instruction Fuzzy Hash:

Function 0055781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0055798B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 686535a04cdb9aac4bb46bac1d27b7d98d43c89b06121340ee68798be5655630
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3F516B7160C64E5BDB384568A87D7BE2FA5BB5E303F18090BDC82D7282C611DE0DD365

Function 005A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&`, xrefs: 005A2053

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: 0&`
API String ID: 0-1430707966
Opcode ID: 516ec4b8b32618cd5575ed5e7c9fded708af8570f587e4e6a6ede3544b7fa7bd
Instruction ID: e1c2ab94a17faa6e5c8a71b817ddba7c49c4e0aac11bd1a5273a35c033a6a345
Opcode Fuzzy Hash: 516ec4b8b32618cd5575ed5e7c9fded708af8570f587e4e6a6ede3544b7fa7bd
Instruction Fuzzy Hash: 2021A8326605118BD728CE79C82767F77E5BB54310F15862EE4A7C37D1DE76A904C740

Function 00566DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028a837af8875613bf317439a196f2bb373368695a3f6d46b2976750d0610af4
Instruction ID: e4e5947a90d91c54c73c8954c7a5ee2f31631525153d4658fc357c5c243a602c
Opcode Fuzzy Hash: 028a837af8875613bf317439a196f2bb373368695a3f6d46b2976750d0610af4
Instruction Fuzzy Hash: DA321531D2AF454ED7239634C8223356B89AFBB3C9F15D737E81AB69A5EF29C4835100

Function 0054CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2bb758735bdcb668109b61f7b41f5a9006120040d8622d57f06de453c21c3f
Instruction ID: bf80821b35de457aaab942f6f1125a15817f369a510ce0a927d5599928632802
Opcode Fuzzy Hash: 2a2bb758735bdcb668109b61f7b41f5a9006120040d8622d57f06de453c21c3f
Instruction Fuzzy Hash: 77324731A001458BDF28EF29C4D46BD7FB1FB85304F28856ADDAAEB691D234DD81DB60

Function 00537920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15af10ca5ecf2db742b215e6818252843f99939f51233a40926a0c48dfe2c63
Instruction ID: 76e31dad329a97c0a2eb4f630bfb2cc7e06112e14c814ec88aefbc92a3c35072
Opcode Fuzzy Hash: c15af10ca5ecf2db742b215e6818252843f99939f51233a40926a0c48dfe2c63
Instruction Fuzzy Hash: BE22B2B0E0460ADFDF14CF64D885AAEBBF6FF48300F108529E816A7291EB75AD15DB50

Function 005391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e137023e35043b45a3578aa10c6098752a4c45c997109140677657291a4d94e3
Instruction ID: 75f10e99ca41e3fc96f1dc7b014dc424fa3d7ae09d64d6ecccc778df037d64a5
Opcode Fuzzy Hash: e137023e35043b45a3578aa10c6098752a4c45c997109140677657291a4d94e3
Instruction Fuzzy Hash: 1602C9B0E00206EBDB05DF54D846AAEBFB5FF48304F108569E81ADB291E7719D14DB91

Function 00557A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c007464a36057c5b5226844177c831c2d266a0169bbded44dffafe94e22131a
Instruction ID: 7d88fa4d857f0d83e212c5c5263627acc453106dd17c6fd769b713f139bb83c3
Opcode Fuzzy Hash: 9c007464a36057c5b5226844177c831c2d266a0169bbded44dffafe94e22131a
Instruction Fuzzy Hash: 3961487160870E56DA345928B8B9BBE2F94FF8D723F14091BEC42DB281E911AE4E8355

Function 00557CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ed58495e3eca33165464dde831607f9cca34afe2a5f13ad38dcec532bf2aa1
Instruction ID: ba6ef7efe75d00e9a6e93d5277e8c48a35e158455d342d16a0e8cb4894fa50bd
Opcode Fuzzy Hash: 78ed58495e3eca33165464dde831607f9cca34afe2a5f13ad38dcec532bf2aa1
Instruction Fuzzy Hash: 28616D7120870E56DE344938787ABBE2FA8FF4D703F50095BED43DB281E612AD4E8255

Function 005B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005B2B30
DeleteObject.GDI32(00000000), ref: 005B2B43
DestroyWindow.USER32 ref: 005B2B52
GetDesktopWindow.USER32 ref: 005B2B6D
GetWindowRect.USER32(00000000), ref: 005B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2CF8
GetClientRect.USER32(00000000,?), ref: 005B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D80
GlobalLock.KERNEL32(00000000), ref: 005B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2D98
GlobalUnlock.KERNEL32(00000000), ref: 005B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2DA8
GlobalFree.KERNEL32(00000000), ref: 005B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005CFC38,00000000), ref: 005B2DDB
GlobalFree.KERNEL32(00000000), ref: 005B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005B303F

Strings

, xrefs: 005B2FC5
AutoIt v3, xrefs: 005B2CF2
static, xrefs: 005B2D3A, 005B2E91
DISPLAY, xrefs: 005B2EA2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: bb0f12c473b802c02dc598b69b50571c70687a352bbd2a8bf29322c484c4709e
Instruction ID: 2b3a62c444acb9c3f2437c71537170054bc3dece16cbac5c0541b04e6049ae1b
Opcode Fuzzy Hash: bb0f12c473b802c02dc598b69b50571c70687a352bbd2a8bf29322c484c4709e
Instruction Fuzzy Hash: 55026975900209AFDB14DFA4CC89EAE7FB9FF49310F048558F919AB2A1DB74AD05CB60

Function 005C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005C712F
GetSysColorBrush.USER32(0000000F), ref: 005C7160
GetSysColor.USER32(0000000F), ref: 005C716C
SetBkColor.GDI32(?,000000FF), ref: 005C7186
SelectObject.GDI32(?,?), ref: 005C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005C71C0
GetSysColor.USER32(00000010), ref: 005C71C8
CreateSolidBrush.GDI32(00000000), ref: 005C71CF
FrameRect.USER32(?,?,00000000), ref: 005C71DE
DeleteObject.GDI32(00000000), ref: 005C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005C7230
FillRect.USER32(?,?,?), ref: 005C7262
GetWindowLongW.USER32(?,000000F0), ref: 005C7284

Part of subcall function 005C73E8: GetSysColor.USER32(00000012), ref: 005C7421
Part of subcall function 005C73E8: SetTextColor.GDI32(?,?), ref: 005C7425
Part of subcall function 005C73E8: GetSysColorBrush.USER32(0000000F), ref: 005C743B
Part of subcall function 005C73E8: GetSysColor.USER32(0000000F), ref: 005C7446
Part of subcall function 005C73E8: GetSysColor.USER32(00000011), ref: 005C7463
Part of subcall function 005C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005C7471
Part of subcall function 005C73E8: SelectObject.GDI32(?,00000000), ref: 005C7482
Part of subcall function 005C73E8: SetBkColor.GDI32(?,00000000), ref: 005C748B
Part of subcall function 005C73E8: SelectObject.GDI32(?,?), ref: 005C7498
Part of subcall function 005C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005C74B7
Part of subcall function 005C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005C74CE
Part of subcall function 005C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005C74DB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 29be500e545816fe725335960fd2b0ada5863754462357e7044dc4a7c222b094
Instruction ID: 0869e2289ac11bfc93662e5b887fd9af814a525ff9a7a95e8a8c60210b24049a
Opcode Fuzzy Hash: 29be500e545816fe725335960fd2b0ada5863754462357e7044dc4a7c222b094
Instruction Fuzzy Hash: 3EA1BE72008705AFDB009FA4DC48E6BBFA9FB98320F140A1DF966961E1D730E948DF51

Function 005B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005B2900
GetClientRect.USER32(00000000,?), ref: 005B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005B2964
GetStockObject.GDI32(00000011), ref: 005B2974
SelectObject.GDI32(00000000,00000000), ref: 005B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005B2991
DeleteDC.GDI32(00000000), ref: 005B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 005B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005B2A77
GetStockObject.GDI32(00000011), ref: 005B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005B2A97

Strings

AutoIt v3, xrefs: 005B28F8
static, xrefs: 005B294F, 005B2A71
DISPLAY, xrefs: 005B295A
msctls_progress32, xrefs: 005B2A13

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a5a1ad36e44128fc9055aa4dd99e7c5f8663cd90c1b183bb11f7bfd811ec6352
Instruction ID: d3dae37a9450de2fd13c8867e9bea6133f29aa37fd82987cb24f52f3572f8233
Opcode Fuzzy Hash: a5a1ad36e44128fc9055aa4dd99e7c5f8663cd90c1b183bb11f7bfd811ec6352
Instruction Fuzzy Hash: 03B14DB1A40619AFEB14DFA8CC49FAF7BA9FB49710F004115FA15EB290D774AD40CBA4

Function 005A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A4AED
GetDriveTypeW.KERNEL32(?,005CCB68,?,\\.\,005CCC08), ref: 005A4BCA
SetErrorMode.KERNEL32(00000000,005CCB68,?,\\.\,005CCC08), ref: 005A4D36

Strings

Removable, xrefs: 005A4C10, 005A4C15
USB, xrefs: 005A4CB4
CDROM, xrefs: 005A4BFB
Network, xrefs: 005A4C02
ATA, xrefs: 005A4C98
PhysicalDrive, xrefs: 005A4B76
Virtual, xrefs: 005A4CE5
ATAPI, xrefs: 005A4C91
MMC, xrefs: 005A4CDE
SCSI, xrefs: 005A4C8A
SSD, xrefs: 005A4C4A
SSA, xrefs: 005A4CA6
FileBackedVirtual, xrefs: 005A4CEC
iSCSI, xrefs: 005A4CC2
1394, xrefs: 005A4C9F
RAID, xrefs: 005A4CBB
Fibre, xrefs: 005A4CAD
RAMDisk, xrefs: 005A4BF4
SAS, xrefs: 005A4CC9
Unknown, xrefs: 005A4BED, 005A4C83
SATA, xrefs: 005A4CD0
\\.\, xrefs: 005A4B3F
Fixed, xrefs: 005A4C09

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8a3f35e13f96a3dd2183bb3c0921953792fa22393c5372ded9ac70f1c0e76807
Instruction ID: caf5ad04ae03914d90e8a9be458395f028de5147fd4af1be2c064f69f7f3b85b
Opcode Fuzzy Hash: 8a3f35e13f96a3dd2183bb3c0921953792fa22393c5372ded9ac70f1c0e76807
Instruction Fuzzy Hash: 1B61D13060520A9BCB04DFA4CA96D7C7FB0BBC6350B248815F90AEB651DBB9ED41DF51

Function 005C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005C7421
SetTextColor.GDI32(?,?), ref: 005C7425
GetSysColorBrush.USER32(0000000F), ref: 005C743B
GetSysColor.USER32(0000000F), ref: 005C7446
CreateSolidBrush.GDI32(?), ref: 005C744B
GetSysColor.USER32(00000011), ref: 005C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005C7471
SelectObject.GDI32(?,00000000), ref: 005C7482
SetBkColor.GDI32(?,00000000), ref: 005C748B
SelectObject.GDI32(?,?), ref: 005C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005C7572
DrawFocusRect.USER32(?,?), ref: 005C757D
GetSysColor.USER32(00000011), ref: 005C758E
SetTextColor.GDI32(?,00000000), ref: 005C7596
DrawTextW.USER32(?,005C70F5,000000FF,?,00000000), ref: 005C75A8
SelectObject.GDI32(?,?), ref: 005C75BF
DeleteObject.GDI32(?), ref: 005C75CA
SelectObject.GDI32(?,?), ref: 005C75D0
DeleteObject.GDI32(?), ref: 005C75D5
SetTextColor.GDI32(?,?), ref: 005C75DB
SetBkColor.GDI32(?,?), ref: 005C75E5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bf4c06b3aff4a0340383f79d82a7f3641af1284b45a4c955620d41548b2457de
Instruction ID: c7181ddc5042074ffcb4a127a5e2a0b8dd33567afedcdb3260a12d6b18dfc489
Opcode Fuzzy Hash: bf4c06b3aff4a0340383f79d82a7f3641af1284b45a4c955620d41548b2457de
Instruction Fuzzy Hash: 74615972900618AFDF019FA8DC49EEEBFB9FB08320F154515F91AAB2A1D7709940DF90

Function 005C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005C1128
GetDesktopWindow.USER32 ref: 005C113D
GetWindowRect.USER32(00000000), ref: 005C1144
GetWindowLongW.USER32(?,000000F0), ref: 005C1199
DestroyWindow.USER32(?), ref: 005C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005C1245
IsWindowVisible.USER32(00000000), ref: 005C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005C12D0
GetWindowRect.USER32(00000000,?), ref: 005C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005C130E
GetMonitorInfoW.USER32(00000000,?), ref: 005C1328
CopyRect.USER32(?,?), ref: 005C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005C13AA

Strings

tooltips_class32, xrefs: 005C11E6
0, xrefs: 005C10D3
(, xrefs: 005C131B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 4c853b0ba73efb747f456a5369381dddb6b102a5449326fa8337ffd35b1b9e07
Instruction ID: 45819abec64ab79e3b7c8c404de13300a2a6b8aff01c8511b8686d676ecba11f
Opcode Fuzzy Hash: 4c853b0ba73efb747f456a5369381dddb6b102a5449326fa8337ffd35b1b9e07
Instruction Fuzzy Hash: 45B16771608741AFD700DF68C988F6ABFE4FB89744F00891CF9999B262D771E844CB95

Function 005C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005C02E5
_wcslen.LIBCMT ref: 005C031F
_wcslen.LIBCMT ref: 005C0389
_wcslen.LIBCMT ref: 005C03F1
_wcslen.LIBCMT ref: 005C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005C0504

Part of subcall function 0054F9F2: _wcslen.LIBCMT ref: 0054F9FD

Part of subcall function 0059223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00592258
Part of subcall function 0059223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0059228A

Strings

SELECTALL, xrefs: 005C0515
DESELECT, xrefs: 005C059C
GETSELECTED, xrefs: 005C05E1
SELECT, xrefs: 005C0548
GETSELECTEDCOUNT, xrefs: 005C0470, 005C048B
ISSELECTED, xrefs: 005C04DD
SELECTCLEAR, xrefs: 005C052D
FINDITEM, xrefs: 005C0627
GETTEXT, xrefs: 005C03EC, 005C0407
GETSUBITEMCOUNT, xrefs: 005C0384, 005C039F
GETITEMCOUNT, xrefs: 005C0316, 005C0337
SELECTINVERT, xrefs: 005C057E
VIEWCHANGE, xrefs: 005C0675

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 58273b59902b8f887d6644b5e3ca333cd0795e5150323243d41809819aa74759
Instruction ID: 90b512d5113eac7a2b2c2aba55cbe2563fa83d5c9df937100edb541352eda1f0
Opcode Fuzzy Hash: 58273b59902b8f887d6644b5e3ca333cd0795e5150323243d41809819aa74759
Instruction Fuzzy Hash: A3E19A31208202DFCB18DF68C590E2ABBE6BFC8714F14595CF8969B2A1DB30ED45CB81

Function 00548891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00548968
GetSystemMetrics.USER32(00000007), ref: 00548970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0054899B
GetSystemMetrics.USER32(00000008), ref: 005489A3
GetSystemMetrics.USER32(00000004), ref: 005489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00548A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00548A3C
GetClientRect.USER32(00000000,000000FF), ref: 00548A5A
GetStockObject.GDI32(00000011), ref: 00548A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00548A81

Part of subcall function 0054912D: GetCursorPos.USER32(?), ref: 00549141
Part of subcall function 0054912D: ScreenToClient.USER32(00000000,?), ref: 0054915E
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000001), ref: 00549183
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000002), ref: 0054919D

SetTimer.USER32(00000000,00000000,00000028,005490FC), ref: 00548AA8

Strings

AutoIt v3 GUI, xrefs: 00548A20

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: bf170a87714a13a03530076460430b0e6291d7abb39cfbd9f2095a7a046a7064
Instruction ID: f9f0f731fe2aabada6314d6e5717f70b0c269bda94e46d53661b24ec3cddfe46
Opcode Fuzzy Hash: bf170a87714a13a03530076460430b0e6291d7abb39cfbd9f2095a7a046a7064
Instruction Fuzzy Hash: 2AB15A71A4020A9FDB14DFA8DD49BEE3FB5FB48314F104229FA19EB290DB70A941CB51

Function 00590D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00591114
Part of subcall function 005910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591120
Part of subcall function 005910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 0059112F
Part of subcall function 005910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591136
Part of subcall function 005910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0059114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00590DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00590E29
GetLengthSid.ADVAPI32(?), ref: 00590E40
GetAce.ADVAPI32(?,00000000,?), ref: 00590E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00590E96
GetLengthSid.ADVAPI32(?), ref: 00590EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00590EB5
HeapAlloc.KERNEL32(00000000), ref: 00590EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00590EDD
CopySid.ADVAPI32(00000000), ref: 00590EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00590F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00590F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00590F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590F6E
HeapFree.KERNEL32(00000000), ref: 00590F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590F7E
HeapFree.KERNEL32(00000000), ref: 00590F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00590F8E
HeapFree.KERNEL32(00000000), ref: 00590F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00590FA1
HeapFree.KERNEL32(00000000), ref: 00590FA8

Part of subcall function 00591193: GetProcessHeap.KERNEL32(00000008,00590BB1,?,00000000,?,00590BB1,?), ref: 005911A1
Part of subcall function 00591193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00590BB1,?), ref: 005911A8
Part of subcall function 00591193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00590BB1,?), ref: 005911B7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f58508341889ee57d17483a5408f7789fab1856a56b11b8117863b76346accdb
Instruction ID: 0a4e09a676da9c561ee34493323b2ad1de5254acb4bd59cc34932f5e4ad10a03
Opcode Fuzzy Hash: f58508341889ee57d17483a5408f7789fab1856a56b11b8117863b76346accdb
Instruction Fuzzy Hash: FD71587290061AAFDF20DFA5DC48FAEBFB8FF14300F148515F919A6291D7319A09CB60

Function 005BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005CCC08,00000000,?,00000000,?,?), ref: 005BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005BC5A4
_wcslen.LIBCMT ref: 005BC5F4
_wcslen.LIBCMT ref: 005BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005BC84D
RegCloseKey.ADVAPI32(?), ref: 005BC881
RegCloseKey.ADVAPI32(00000000), ref: 005BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005BC960

Strings

REG_MULTI_SZ, xrefs: 005BC6F5
REG_DWORD, xrefs: 005BC804
REG_QWORD, xrefs: 005BC8C3
REG_BINARY, xrefs: 005BC913
REG_SZ, xrefs: 005BC644
REG_EXPAND_SZ, xrefs: 005BC5CD

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8b68b5d0955cbea23431062e63ac810ee318a497174f519db2b6d94d2d05efff
Instruction ID: 2d436524994179ed384e89d6c26660360165fe104be405fd3d11435166e53c0d
Opcode Fuzzy Hash: 8b68b5d0955cbea23431062e63ac810ee318a497174f519db2b6d94d2d05efff
Instruction Fuzzy Hash: 8B1244756042029FDB24DF14C895A6ABFE5FF88714F04885DF88A9B2A2DB31FD41CB85

Function 005C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005C09C6
_wcslen.LIBCMT ref: 005C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005C0A54
_wcslen.LIBCMT ref: 005C0A8A
_wcslen.LIBCMT ref: 005C0B06
_wcslen.LIBCMT ref: 005C0B81

Part of subcall function 0054F9F2: _wcslen.LIBCMT ref: 0054F9FD

Part of subcall function 00592BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00592BFA

Strings

ISCHECKED, xrefs: 005C0CE1
UNCHECK, xrefs: 005C0D3E
COLLAPSE, xrefs: 005C0B01, 005C0B1C
GETTEXT, xrefs: 005C0C97
CHECK, xrefs: 005C0A85, 005C0AA0
EXISTS, xrefs: 005C0B7C, 005C0B97
EXPAND, xrefs: 005C0BF8
GETSELECTED, xrefs: 005C0C4E
GETTOTALCOUNT, xrefs: 005C09F2, 005C0A17
SELECT, xrefs: 005C0D11
GETITEMCOUNT, xrefs: 005C0C1E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4fdfdb5448f8c02961840ca4cb40a2f84403082f6f46aa06a51e08657cd496ee
Instruction ID: 8e3433f50ff2c12ab9dbc128aace2417059c73e62577bdfa7887ebd976197bf9
Opcode Fuzzy Hash: 4fdfdb5448f8c02961840ca4cb40a2f84403082f6f46aa06a51e08657cd496ee
Instruction Fuzzy Hash: C2E16835208706DFCB14DF68C450A2ABBE1BF98318F14895DF8969B3A2DB31ED45CB81

Function 005BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
_wcslen.LIBCMT ref: 005BC9F1
_wcslen.LIBCMT ref: 005BCA68
_wcslen.LIBCMT ref: 005BCA9E
_wcslen.LIBCMT ref: 005BCAF9
_wcslen.LIBCMT ref: 005BCB2F
_wcslen.LIBCMT ref: 005BCB7F

Strings

HKEY_CURRENT_USER, xrefs: 005BCBBD
HKCR, xrefs: 005BCB29, 005BCB2E
HKEY_CLASSES_ROOT, xrefs: 005BCAF3, 005BCAF8
HKEY_USERS, xrefs: 005BCBDF
HKLM, xrefs: 005BCA98, 005BCA9D
HKCU, xrefs: 005BCBCE
HKEY_LOCAL_MACHINE, xrefs: 005BCA62, 005BCA67
HKU, xrefs: 005BCBF0
HKCC, xrefs: 005BCBAC
HKEY_CURRENT_CONFIG, xrefs: 005BCB79, 005BCB7E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 836eb1b7f986428d9c279ec65a5544efde898d05aaeb5d4644a1affb40806528
Instruction ID: c4496f53a124772a1fa01ad2fe1e341caf2086ddab0938af21b6d2fc152e8963
Opcode Fuzzy Hash: 836eb1b7f986428d9c279ec65a5544efde898d05aaeb5d4644a1affb40806528
Instruction Fuzzy Hash: C971F43260012B8BCB20DE6CCD515FF3F91BBA5754F650529FC66AB284E634ED8483A8

Function 005C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005C835A
_wcslen.LIBCMT ref: 005C836E
_wcslen.LIBCMT ref: 005C8391
_wcslen.LIBCMT ref: 005C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005C5BF2), ref: 005C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005C8501
FreeLibrary.KERNEL32(?), ref: 005C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005C851D
DestroyIcon.USER32(?,?,?,?,?,005C5BF2), ref: 005C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005C8555

Strings

.dll, xrefs: 005C83AB
.exe, xrefs: 005C8388
.icl, xrefs: 005C8368

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ec036bd47a50715fdd1acae6348811444516dcbbc69feb928bb7f632192775b9
Instruction ID: bd598b08457eca460381ee76279e201ba026e64ca126ada906ea30a3cab6d549
Opcode Fuzzy Hash: ec036bd47a50715fdd1acae6348811444516dcbbc69feb928bb7f632192775b9
Instruction Fuzzy Hash: AB61E37150061ABEEB14CFA4CC85FBE7FA8FB48B11F10450AF915D61D1DBB4A984DBA0

Function 00537778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 0057519A
Unterminated group of comments, xrefs: 0057528C
#requireadmin, xrefs: 005377FF
#ce, xrefs: 005378ED
', xrefs: 00575169
#comments-start, xrefs: 0053785F, 005378B1
#cs, xrefs: 00537873, 005378C5
#comments-end, xrefs: 005378D9
#OnAutoItStartRegister, xrefs: 00537817
#pragma compile, xrefs: 005377D3
#include-once, xrefs: 0053782F
#notrayicon, xrefs: 005377E7
", xrefs: 00575153
Cannot parse #include, xrefs: 00575279
#include, xrefs: 00537847

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7344cb35b4b8c99aee559a4a971557383ce5f893c730bbcb5c335d49e87e293c
Instruction ID: c9acbb9a6f00c8e2cd2a4e1695aaa173be04019e8e90f8c1f77a1e45df467603
Opcode Fuzzy Hash: 7344cb35b4b8c99aee559a4a971557383ce5f893c730bbcb5c335d49e87e293c
Instruction Fuzzy Hash: B881FBB1A0460ABFDB21AF60DC46FBE7FA8FF58300F044425F909AA192EB70D915D791

Function 00595A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00595A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00595A40
SetWindowTextW.USER32(?,?), ref: 00595A57
GetDlgItem.USER32(?,000003EA), ref: 00595A6C
SetWindowTextW.USER32(00000000,?), ref: 00595A72
GetDlgItem.USER32(?,000003E9), ref: 00595A82
SetWindowTextW.USER32(00000000,?), ref: 00595A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00595AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00595AC3
GetWindowRect.USER32(?,?), ref: 00595ACC
_wcslen.LIBCMT ref: 00595B33
SetWindowTextW.USER32(?,?), ref: 00595B6F
GetDesktopWindow.USER32 ref: 00595B75
GetWindowRect.USER32(00000000), ref: 00595B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00595BD3
GetClientRect.USER32(?,?), ref: 00595BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00595C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00595C2F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d874444061762aa0c3f93a56c9a6b931061bffcaacef490cc60e7dab9ddd4981
Instruction ID: 87070ff37b4f14ce82e7dfbddfc15616cdce8f87abca38364bc9160fb3769e18
Opcode Fuzzy Hash: d874444061762aa0c3f93a56c9a6b931061bffcaacef490cc60e7dab9ddd4981
Instruction Fuzzy Hash: F6718C31900B09AFDF21DFA8CE89E6EBFF5FF48705F104918E586A25A0E774A954CB50

Function 005930F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059318D
_wcslen.LIBCMT ref: 005931F8

Strings

CLASS, xrefs: 00593188, 005931A5
TEXT, xrefs: 0059347C
NAME, xrefs: 00593335, 00593346
CLASSNN, xrefs: 005931F3, 00593204
[_, xrefs: 0059339A
REGEXPCLASS, xrefs: 00593255, 00593266
INSTANCE, xrefs: 00593453

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[_
API String ID: 176396367-468327195
Opcode ID: 267ec238485f05878a68fa3a1b884a1711255ade69eaffe2d24d9790f6e2eb1b
Instruction ID: 50e3bbee71b93f7550331867094bb0025617c209d1557053c75ce0f78c5c8907
Opcode Fuzzy Hash: 267ec238485f05878a68fa3a1b884a1711255ade69eaffe2d24d9790f6e2eb1b
Instruction Fuzzy Hash: E5E1F432A00516EBCF189FA8C4556FEFFB0BF44710F55852AE556B7250EB30AE89CB90

Function 005500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005500C6

Part of subcall function 005500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0060070C,00000FA0,0CD5EFA3,?,?,?,?,005723B3,000000FF), ref: 0055011C
Part of subcall function 005500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005723B3,000000FF), ref: 00550127
Part of subcall function 005500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005723B3,000000FF), ref: 00550138
Part of subcall function 005500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0055014E
Part of subcall function 005500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0055015C
Part of subcall function 005500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0055016A
Part of subcall function 005500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00550195
Part of subcall function 005500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005501A0

___scrt_fastfail.LIBCMT ref: 005500E7

Part of subcall function 005500A3: __onexit.LIBCMT ref: 005500A9

Strings

InitializeConditionVariable, xrefs: 00550148
kernel32.dll, xrefs: 00550133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00550122
SleepConditionVariableCS, xrefs: 00550154
WakeAllConditionVariable, xrefs: 00550162

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e610ecb7385b390d71097dec6c3232690aa99221e620150b3882dd130ea58583
Instruction ID: 1ce5aa71fe78cb3d5ff60faf7c38a5414d49fadc69dc7f72e8d0ba9aab7497e2
Opcode Fuzzy Hash: e610ecb7385b390d71097dec6c3232690aa99221e620150b3882dd130ea58583
Instruction Fuzzy Hash: 23210732644B116FE7105BA4AC19F6A3F99FB44B62F04012BFC06966D1DF649C08CA91

Function 005A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005CCC08), ref: 005A4527
_wcslen.LIBCMT ref: 005A453B
_wcslen.LIBCMT ref: 005A4599
_wcslen.LIBCMT ref: 005A45F4
_wcslen.LIBCMT ref: 005A463F
_wcslen.LIBCMT ref: 005A46A7

Part of subcall function 0054F9F2: _wcslen.LIBCMT ref: 0054F9FD

GetDriveTypeW.KERNEL32(?,005F6BF0,00000061), ref: 005A4743

Strings

ramdisk, xrefs: 005A46F1
fixed, xrefs: 005A4635, 005A463A
unknown, xrefs: 005A4708
cdrom, xrefs: 005A458F, 005A4594
all, xrefs: 005A4531, 005A4536
network, xrefs: 005A469D, 005A46A2
removable, xrefs: 005A45EA, 005A45EF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1484c722d87794a32ab710f134fd037316823dd6b10a324290dda19c0c4def7c
Instruction ID: 5438b9e8ec06bad4e2fe19e43226d6712da62c01e7efa65430f44813fb325daa
Opcode Fuzzy Hash: 1484c722d87794a32ab710f134fd037316823dd6b10a324290dda19c0c4def7c
Instruction Fuzzy Hash: ECB1EE716083029BC710DF68C894A6EBFE5BFEA720F50491DF59687291E7B0D845CF62

Function 005C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

DragQueryPoint.SHELL32(?,?), ref: 005C9147

Part of subcall function 005C7674: ClientToScreen.USER32(?,?), ref: 005C769A
Part of subcall function 005C7674: GetWindowRect.USER32(?,?), ref: 005C7710
Part of subcall function 005C7674: PtInRect.USER32(?,?,005C8B89), ref: 005C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005C9277
DragFinish.SHELL32(?), ref: 005C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005C9371

Strings

p#`, xrefs: 005C92BB
@GUI_DRAGFILE, xrefs: 005C9320
@GUI_DRAGID, xrefs: 005C92E9
@GUI_DROPID, xrefs: 005C929E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#`
API String ID: 221274066-1039879429
Opcode ID: 280d1e60719bdd67d32ef5ba20c78b54c2d5c574bd7f3aac17c47c6308dbb621
Instruction ID: 3f9651f9f728ecd2dae8301645719c0ddaad37998db1bcc06db3d5eb70c9e94c
Opcode Fuzzy Hash: 280d1e60719bdd67d32ef5ba20c78b54c2d5c574bd7f3aac17c47c6308dbb621
Instruction Fuzzy Hash: 4C615971108305AFC701DF54D889EABBFE9FBD9750F00091EF595962A0DB709A49CB52

Function 005BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005BB1D4
_wcslen.LIBCMT ref: 005BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005BB236
_wcslen.LIBCMT ref: 005BB332

Part of subcall function 005A05A7: GetStdHandle.KERNEL32(000000F6), ref: 005A05C6

_wcslen.LIBCMT ref: 005BB34B
_wcslen.LIBCMT ref: 005BB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005BB3B6
GetLastError.KERNEL32(00000000), ref: 005BB407
CloseHandle.KERNEL32(?), ref: 005BB439
CloseHandle.KERNEL32(00000000), ref: 005BB44A
CloseHandle.KERNEL32(00000000), ref: 005BB45C
CloseHandle.KERNEL32(00000000), ref: 005BB46E
CloseHandle.KERNEL32(?), ref: 005BB4E3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1e83b097883c720a65daf1e03ef0c3df267bed31b5fec02224c2fbe641a1c34e
Instruction ID: 71d9779d5491242e0eb6cf436a9d8f3912f41d1ae63f11e709d5696f33adde81
Opcode Fuzzy Hash: 1e83b097883c720a65daf1e03ef0c3df267bed31b5fec02224c2fbe641a1c34e
Instruction Fuzzy Hash: 02F19A715042059FDB24EF24C895BAEBFE1BF85314F14885DF8998B2A2DBB1EC44CB52

Function 0053326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00601990), ref: 00572F8D
GetMenuItemCount.USER32(00601990), ref: 0057303D
GetCursorPos.USER32(?), ref: 00573081
SetForegroundWindow.USER32(00000000), ref: 0057308A
TrackPopupMenuEx.USER32(00601990,00000000,?,00000000,00000000,00000000), ref: 0057309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005730A9

Strings

0, xrefs: 0053327D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5c116b8b197b90b256214c52ed0217820b7202d2e86a082b77dfae6830eba045
Instruction ID: 5c97da3af83890d1be6de1fd4968be4b9d215739d6b9c05e3e90e89d5ac890ab
Opcode Fuzzy Hash: 5c116b8b197b90b256214c52ed0217820b7202d2e86a082b77dfae6830eba045
Instruction Fuzzy Hash: 0071F731644206BEFB218F64DC4EFAABF64FF05364F208216F5186A1E0C7B1AD54EB90

Function 005C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 005C6DEB

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005C6E94
DestroyWindow.USER32(?), ref: 005C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00530000,00000000), ref: 005C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005C6EFD
GetDesktopWindow.USER32 ref: 005C6F16
GetWindowRect.USER32(00000000), ref: 005C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005C6F4D

Part of subcall function 00549944: GetWindowLongW.USER32(?,000000EB), ref: 00549952

Strings

tooltips_class32, xrefs: 005C6E58, 005C6EDD
0, xrefs: 005C6D98

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 2f1607d8ba586af2e8c9c6d7b4e6378fa353d7a709ebb3ba57a075fabc826e41
Instruction ID: b92f32b644f63f14534df0497e0aeedf73c90c403d977fc84f14f164c582896c
Opcode Fuzzy Hash: 2f1607d8ba586af2e8c9c6d7b4e6378fa353d7a709ebb3ba57a075fabc826e41
Instruction Fuzzy Hash: 28715874144245AFDB21CF58D898FABBFE9FF89304F04041EF9998B261C770AA49DB11

Function 005AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005AC5F0
InternetCloseHandle.WININET(00000000), ref: 005AC5FB

Strings

, xrefs: 005AC575

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 72900a12706e7e53325d15489805f5c1c432741f32929d14fdeda3e8cac703cd
Instruction ID: fdcd249dbd171ca0a897169532de3578557fde499f766bd3ae98b3e1ef8badcd
Opcode Fuzzy Hash: 72900a12706e7e53325d15489805f5c1c432741f32929d14fdeda3e8cac703cd
Instruction Fuzzy Hash: 9B513BB1500605BFDB219F64C948EAE7FFCFF1A754F004419F94996610EB34E948ABA0

Function 005C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 005C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85BA
GlobalLock.KERNEL32(00000000), ref: 005C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85D7
GlobalUnlock.KERNEL32(00000000), ref: 005C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,005CFC38,?), ref: 005C8611
GlobalFree.KERNEL32(00000000), ref: 005C8621
GetObjectW.GDI32(?,00000018,?), ref: 005C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005C8671
DeleteObject.GDI32(?), ref: 005C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005C86AF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1c6753a82469b6fdce0cf301028b6dced35b690017bb488d0ef2d5158dbbbf14
Instruction ID: a45763729a90a2816d69118993c75d16857f314e1ecae9ca9316a6f6ac450d2d
Opcode Fuzzy Hash: 1c6753a82469b6fdce0cf301028b6dced35b690017bb488d0ef2d5158dbbbf14
Instruction Fuzzy Hash: EA414975600604BFDB118FA5CC88EAA7FB8FF99B11F144058F909E7260DB709D45DB20

Function 005A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005A1502
VariantCopy.OLEAUT32(?,?), ref: 005A150B
VariantClear.OLEAUT32(?), ref: 005A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 005A1657
VariantInit.OLEAUT32(?), ref: 005A1708
SysFreeString.OLEAUT32(?), ref: 005A178C
VariantClear.OLEAUT32(?), ref: 005A17D8
VariantClear.OLEAUT32(?), ref: 005A17E7
VariantInit.OLEAUT32(00000000), ref: 005A1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005A1625
Default, xrefs: 005A16AF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: abcb951a681ea957c4ee3710377868dec9eeec4ec0bd9ce8a3c16bee47851757
Instruction ID: 5b9030c6af092063e8cb1c955d7023ffcbd101d96d13eaf8dc3f58392a487c49
Opcode Fuzzy Hash: abcb951a681ea957c4ee3710377868dec9eeec4ec0bd9ce8a3c16bee47851757
Instruction Fuzzy Hash: 83D10071E00906EBDB049FA5E899BBDBFB5BF8A700F10845AE446AB180DB30DC45DF65

Function 005BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 005BB80A
RegCloseKey.ADVAPI32(?), ref: 005BB87E
RegCloseKey.ADVAPI32(?), ref: 005BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 005BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 005BB922
FreeLibrary.KERNEL32(00000000), ref: 005BB983
RegCloseKey.ADVAPI32(00000000), ref: 005BB994

Strings

RegDeleteKeyExW, xrefs: 005BB8FE
advapi32.dll, xrefs: 005BB8ED

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: aec7f50bf865981b98f349273f6637967f13cb1898130ed86defbf9218246bf0
Instruction ID: 41410f737803db3f849b57660e290b0e942d35fcfb5d54b3ca09676543d64767
Opcode Fuzzy Hash: aec7f50bf865981b98f349273f6637967f13cb1898130ed86defbf9218246bf0
Instruction Fuzzy Hash: 02C16935208202AFE714DF14C499F6ABFE5FF84318F14855CE49A9B2A2CBB1ED45CB91

Function 005B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005B25E8
CreateCompatibleDC.GDI32(?), ref: 005B25F4
SelectObject.GDI32(00000000,?), ref: 005B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005B26D0
SelectObject.GDI32(?,?), ref: 005B26D8
DeleteObject.GDI32(?), ref: 005B26E1
DeleteDC.GDI32(?), ref: 005B26E8
ReleaseDC.USER32(00000000,?), ref: 005B26F3

Strings

(, xrefs: 005B268D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 191b39bb6353f83387b4147d2c870f62d5a556f1cc6c94a1c2d0e36522c8f6d2
Instruction ID: 0349a762db71da15f00645fe6d3e8b2e625519405023a5578657343fece066a3
Opcode Fuzzy Hash: 191b39bb6353f83387b4147d2c870f62d5a556f1cc6c94a1c2d0e36522c8f6d2
Instruction Fuzzy Hash: 1461E175D00219EFCF04CFA8D888EAEBBB5FF58310F248529E95AA7250D770A951DF60

Function 0056DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0056DAA1

Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D659
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D66B
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D67D
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D68F
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6A1
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6B3
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6C5
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6D7
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6E9
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D6FB
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D70D
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D71F
Part of subcall function 0056D63C: _free.LIBCMT ref: 0056D731

_free.LIBCMT ref: 0056DA96

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056DAB8
_free.LIBCMT ref: 0056DACD
_free.LIBCMT ref: 0056DAD8
_free.LIBCMT ref: 0056DAFA
_free.LIBCMT ref: 0056DB0D
_free.LIBCMT ref: 0056DB1B
_free.LIBCMT ref: 0056DB26
_free.LIBCMT ref: 0056DB5E
_free.LIBCMT ref: 0056DB65
_free.LIBCMT ref: 0056DB82
_free.LIBCMT ref: 0056DB9A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 40a92d9030ef1744269eb7eeed42fa56c052f53f50a5d09671bd2673514293b4
Instruction ID: a82217adb9bbb4a8bbe444820504ea8dc60ef9be7bbef34d4b40bc9ec464e19c
Opcode Fuzzy Hash: 40a92d9030ef1744269eb7eeed42fa56c052f53f50a5d09671bd2673514293b4
Instruction Fuzzy Hash: 12312A31B046069FEB25AA79E849B6A7FF9FF80350F154829E449D71A5DE35AC80CB30

Function 0059365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0059369C
_wcslen.LIBCMT ref: 005936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00593797
GetClassNameW.USER32(?,?,00000400), ref: 0059380C
GetDlgCtrlID.USER32(?), ref: 0059385D
GetWindowRect.USER32(?,?), ref: 00593882
GetParent.USER32(?), ref: 005938A0
ScreenToClient.USER32(00000000), ref: 005938A7
GetClassNameW.USER32(?,?,00000100), ref: 00593921
GetWindowTextW.USER32(?,?,00000400), ref: 0059395D

Strings

%s%u, xrefs: 00593734

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ba36e584deb5888745da5a5b1fd406cd96be6d6cb0ededfeadf56941ac3d0cca
Instruction ID: df43088617da633b96874a34057f823c391a912bcf2900b2cb5b0399c78b8359
Opcode Fuzzy Hash: ba36e584deb5888745da5a5b1fd406cd96be6d6cb0ededfeadf56941ac3d0cca
Instruction Fuzzy Hash: 4791A371204606EFDB19DF64C895FAAFFA8FF44354F008529F999D2190DB30EA49CB91

Function 00594954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00594994
GetWindowTextW.USER32(?,?,00000400), ref: 005949DA
_wcslen.LIBCMT ref: 005949EB
CharUpperBuffW.USER32(?,00000000), ref: 005949F7
_wcsstr.LIBVCRUNTIME ref: 00594A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00594A64
GetWindowTextW.USER32(?,?,00000400), ref: 00594A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00594AE6
GetClassNameW.USER32(?,?,00000400), ref: 00594B20
GetWindowRect.USER32(?,?), ref: 00594B8B

Strings

ThumbnailClass, xrefs: 00594A6F, 00594AF1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 806797d3bcc0c483663129d45e5340fe3806f9cdd0983a753cddb6a5b332b713
Instruction ID: 26f4b1c9bcc62b886844817a8196fb3069de2e02047705bab01b89a6297b0708
Opcode Fuzzy Hash: 806797d3bcc0c483663129d45e5340fe3806f9cdd0983a753cddb6a5b332b713
Instruction Fuzzy Hash: 81918A710042069FDF04CF14C995FAA7FE9FB84314F04846AED899A196EB34ED4ACFA1

Function 005C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005C8D5A
GetFocus.USER32 ref: 005C8D6A
GetDlgCtrlID.USER32(00000000), ref: 005C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005C8ECF
GetMenuItemCount.USER32(?), ref: 005C8EEC
GetMenuItemID.USER32(?,00000000), ref: 005C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005C8FA1

Strings

0, xrefs: 005C8E9F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6207cd7ed25af6a63ba4bb80c7e7dfc73e196aa2aaee6f8fe4eca3cd1b289ba4
Instruction ID: 7c4ec4db40486a9cd9669de4f9ef8e7fcd7bfa18843448bada1446f9f5eeb8c4
Opcode Fuzzy Hash: 6207cd7ed25af6a63ba4bb80c7e7dfc73e196aa2aaee6f8fe4eca3cd1b289ba4
Instruction Fuzzy Hash: 08815571508301AFDB108F64C888EBBBBE9BB89354F14095DF98997291DB70D905DBA2

Function 0059DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0059DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0059DC46
_wcslen.LIBCMT ref: 0059DC50
_wcsstr.LIBVCRUNTIME ref: 0059DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0059DCBC

Strings

StringFileInfo\, xrefs: 0059DC8F
04090000, xrefs: 0059DCF2
DefaultLangCodepage, xrefs: 0059DD1F
\VarFileInfo\Translation, xrefs: 0059DCB4
%u.%u.%u.%u, xrefs: 0059DD9A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3cf8d3c6889707f8471f5c499fe5449a7460940da0bbdc5c223729ca3e071b75
Instruction ID: c0ac722f5a13eab9168849c1d3b6bd15fc15e4b5d8cbf0c8b383dcd4a47b426f
Opcode Fuzzy Hash: 3cf8d3c6889707f8471f5c499fe5449a7460940da0bbdc5c223729ca3e071b75
Instruction Fuzzy Hash: BC4122729402067ADB14ABB48C0BEFF7FBCFF91751F10046AF904A6192EB68990597B4

Function 005BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005BCD48

Part of subcall function 005BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005BCCAA
Part of subcall function 005BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005BCCBD
Part of subcall function 005BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005BCCCF
Part of subcall function 005BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005BCD05
Part of subcall function 005BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 005BCCF3

Strings

RegDeleteKeyExW, xrefs: 005BCCC9
advapi32.dll, xrefs: 005BCCB8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: cb10ad81c33ca2e95f20f7658c5d40e9d4f1a1b4d67f476f1ee011a6ba2d669f
Instruction ID: b40677c191cab97b6a7954581aa495653ee715d1813fa10ebebf6e215a3a6e10
Opcode Fuzzy Hash: cb10ad81c33ca2e95f20f7658c5d40e9d4f1a1b4d67f476f1ee011a6ba2d669f
Instruction Fuzzy Hash: DA316E75901129BFDB208B55DC88EFFBF7CFF65750F000165E909E6240DA34AE49EAA4

Function 005A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005A3D40
_wcslen.LIBCMT ref: 005A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 005A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 005A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005A3E55
CloseHandle.KERNEL32(00000000), ref: 005A3E60
CloseHandle.KERNEL32(00000000), ref: 005A3E6B

Strings

\, xrefs: 005A3D77
\??\%s, xrefs: 005A3D5B
:, xrefs: 005A3D82

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 821ac692a5e1e1fb5dba9f40c651cc0bf3618d6347c880814b3fbd94c59bb1d1
Instruction ID: 9a8ab9726b4cfc653a30c9cc0a3facf56467c8b0f14fba7e0ad4f3400ea64231
Opcode Fuzzy Hash: 821ac692a5e1e1fb5dba9f40c651cc0bf3618d6347c880814b3fbd94c59bb1d1
Instruction Fuzzy Hash: 513194B690010AABDB219BA0DC49FEF3BBCFF89744F1041B5F509D6160E77497488B64

Function 0059E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0059E6B4

Part of subcall function 0054E551: timeGetTime.WINMM(?,?,0059E6D4), ref: 0054E555

Sleep.KERNEL32(0000000A), ref: 0059E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0059E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0059E727
SetActiveWindow.USER32 ref: 0059E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0059E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0059E773
Sleep.KERNEL32(000000FA), ref: 0059E77E
IsWindow.USER32 ref: 0059E78A
EndDialog.USER32(00000000), ref: 0059E79B

Strings

BUTTON, xrefs: 0059E719

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e0719680ffcfd7792ad7aa08414e9be12c302b7e55e8b9d6bf77b12acf1905b7
Instruction ID: 0decd3243bf9ac8c3a9e0846c1b023a20c8ecff4469dd13c1feddc0b12aef880
Opcode Fuzzy Hash: e0719680ffcfd7792ad7aa08414e9be12c302b7e55e8b9d6bf77b12acf1905b7
Instruction Fuzzy Hash: 09219370240646AFEF009F64EC9EE263F6AFB65748F142424F509855A1DB72AC84EB25

Function 0059E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0059EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0059EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0059EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0059EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0059EAA7

Strings

open , xrefs: 0059EA0C
close PlayMe, xrefs: 0059EA6E, 0059EA9B
status PlayMe mode, xrefs: 0059EA58
alias PlayMe, xrefs: 0059EA36
play PlayMe wait, xrefs: 0059EA91
play PlayMe, xrefs: 0059EAA2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 44bcd3d30f457ed2a8028430fa5b66b8d011e90b60f7f331d6b79b12185427c2
Instruction ID: 84a7a9473d53167ed89ca24f2841cd1b69a746f4df657ff5c78fb56adb2a1386
Opcode Fuzzy Hash: 44bcd3d30f457ed2a8028430fa5b66b8d011e90b60f7f331d6b79b12185427c2
Instruction Fuzzy Hash: 85111F61A9025E79DB20E7A1DD4EEFB6F7CFBD1B40F400429B511A20E1EAB45945C6B0

Function 00595CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00595CE2
GetWindowRect.USER32(00000000,?), ref: 00595CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00595D59
GetDlgItem.USER32(?,00000002), ref: 00595D69
GetWindowRect.USER32(00000000,?), ref: 00595D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00595DCF
GetDlgItem.USER32(?,000003E9), ref: 00595DDD
GetWindowRect.USER32(00000000,?), ref: 00595DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00595E31
GetDlgItem.USER32(?,000003EA), ref: 00595E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00595E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00595E67

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 80c20c181b94a78fc543f1319f8205e779288228df5a1e3b4824a612f7939540
Instruction ID: 72df9c01c6ad39335927be00a3509835334bb4b1f1530240c6f468eb8606d58b
Opcode Fuzzy Hash: 80c20c181b94a78fc543f1319f8205e779288228df5a1e3b4824a612f7939540
Instruction Fuzzy Hash: 6D51FFB1A00605AFDF19CF68DD89EAE7FB9FB58300F548129F51AE6290E7709E14CB50

Function 00548BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00548F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00548BE8,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 00548FC5

DestroyWindow.USER32(?), ref: 00548C81
KillTimer.USER32(00000000,?,?,?,?,00548BBA,00000000,?), ref: 00548D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00586973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 005869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00548BBA,00000000,?), ref: 005869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00548BBA,00000000), ref: 005869D4
DeleteObject.GDI32(00000000), ref: 005869E6

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c55ee7c463be929ddf3ed8a25a5de7d065c217b9e898ed20413c548d39290795
Instruction ID: f6ffaa30c16bc84f225d0460ffd282aca25e6a82a7d8f9bef3381e02ffcbebfa
Opcode Fuzzy Hash: c55ee7c463be929ddf3ed8a25a5de7d065c217b9e898ed20413c548d39290795
Instruction Fuzzy Hash: AA617A30502A11DFCB25AF14D988BBA7FF2FB5131AF145919E446AA5A0CB31AD84DF90

Function 00549838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00549944: GetWindowLongW.USER32(?,000000EB), ref: 00549952

GetSysColor.USER32(0000000F), ref: 00549862

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0c73aa85ecb902c3d9fde0704a1c7a869feea2e9e48f5ba63a126efca5fcb9f5
Instruction ID: 4951025a8b0963a06e26914b31cc6f9c43acae57e942424c56a84ee52ff63364
Opcode Fuzzy Hash: 0c73aa85ecb902c3d9fde0704a1c7a869feea2e9e48f5ba63a126efca5fcb9f5
Instruction Fuzzy Hash: AB419F31104A049FDB209B3C9C89FFA3F65FB56324F284655FAA6971E1D7309842EB10

Function 00568D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.U, xrefs: 0056903A, 00568FD0, 00568FF2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: .U
API String ID: 0-2997353397
Opcode ID: cfcaf17f1b0ea850f85db2016d3bb9130034a0d8a183fbb56ed16e01f51b505a
Instruction ID: 31df2f2938c69ca84d3b07f6e07b645109babbff1a5159a10fdfe7953a7ae396
Opcode Fuzzy Hash: cfcaf17f1b0ea850f85db2016d3bb9130034a0d8a183fbb56ed16e01f51b505a
Instruction Fuzzy Hash: C7C10578D0424AAFDF11DFA8D849BBDBFB9BF49320F144199E815A7392CB309941CB61

Function 005996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0057F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00599717
LoadStringW.USER32(00000000,?,0057F7F8,00000001), ref: 00599720

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0057F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00599742
LoadStringW.USER32(00000000,?,0057F7F8,00000001), ref: 00599745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00599866

Strings

Error: , xrefs: 0059981D
Line %d (File "%s"):, xrefs: 0059978F
^ ERROR, xrefs: 005997FB
Line %d:, xrefs: 005997A0
%s (%d) : ==> %s: %s %s, xrefs: 0059984A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: eb741d72700a64992cdb176868ac2b4627dbbb89b20795508d1fdfe4bbcf5ccc
Instruction ID: 5210451fb5f77f41235c522029456d10b61717fae482efb2db6e2602bbd7c105
Opcode Fuzzy Hash: eb741d72700a64992cdb176868ac2b4627dbbb89b20795508d1fdfe4bbcf5ccc
Instruction Fuzzy Hash: 0741407280410AAACF05EBE4CD8ADEEBB78FF95340F104429F60572092EB755F48CB61

Function 005906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00590804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0059082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00590837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0059083C

Strings

\IPC$, xrefs: 00590784
SOFTWARE\Classes\, xrefs: 0059070E
\CLSID, xrefs: 00590724

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5bae1bf80962cc4d76405089ed40453366aa10cddfe78d36eff923a17d24420b
Instruction ID: 77a1d42ce4ea5be2dfa896639aa6c78b0ca6e62d73127ba96f0fc98ce1267d29
Opcode Fuzzy Hash: 5bae1bf80962cc4d76405089ed40453366aa10cddfe78d36eff923a17d24420b
Instruction Fuzzy Hash: F5410572800229AFDF15EBA4DC99CEDBB78FF84350F144529E905A21A0EA709A04CB90

Function 005B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B3C5C
CoInitialize.OLE32(00000000), ref: 005B3C8A
CoUninitialize.OLE32 ref: 005B3C94
_wcslen.LIBCMT ref: 005B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 005B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 005B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005B3F0E
CoGetObject.OLE32(?,00000000,005CFB98,?), ref: 005B3F2D
SetErrorMode.KERNEL32(00000000), ref: 005B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005B3FC4
VariantClear.OLEAUT32(?), ref: 005B3FD8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: c09bed7b32885f2356f9466623b8e1c934d91ec8d488275dd96e02b6da113aa1
Instruction ID: 78b9275e094f25bf4c0a4fdf8df581f31401bd3402d9f1b55052616d029be2c8
Opcode Fuzzy Hash: c09bed7b32885f2356f9466623b8e1c934d91ec8d488275dd96e02b6da113aa1
Instruction Fuzzy Hash: 02C146B16083059FD700DF68C88496BBBE9FF89748F14491DF98AAB251DB30EE05CB52

Function 005A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 005A7BA3
CoCreateInstance.OLE32(005CFD08,00000000,00000001,005F6E6C,?), ref: 005A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005A7C74
CoTaskMemFree.OLE32(?,?), ref: 005A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 005A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005A7D7A
CoTaskMemFree.OLE32(00000000), ref: 005A7D81
CoTaskMemFree.OLE32(00000000), ref: 005A7DD6
CoUninitialize.OLE32 ref: 005A7DDC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a109c0f7a3aecae9c6d6c82998c123cec821f6e35efb39e742b05adf0048ac3e
Instruction ID: d2797c58269062bae7fce7eb63a0a4d690e50071c74319e60f99211662c2702c
Opcode Fuzzy Hash: a109c0f7a3aecae9c6d6c82998c123cec821f6e35efb39e742b05adf0048ac3e
Instruction Fuzzy Hash: 41C13A75A04109AFCB14DFA4C898DAEBFF9FF49314F148498E81A9B261D730EE45CB90

Function 005C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005C5515
CharNextW.USER32(00000158), ref: 005C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005C55AC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1f9af240760281b554f76b32755f81ed0d7c3e3ae887dc71bfc9edc3094dc6cb
Instruction ID: 3d4dd0e76e55369f0eb45981cd146d1a627bf608223de231b2a96cb49f367d3e
Opcode Fuzzy Hash: 1f9af240760281b554f76b32755f81ed0d7c3e3ae887dc71bfc9edc3094dc6cb
Instruction Fuzzy Hash: BA615A31900609AFDF119FD4CC84EBE7FB9FB09720F104549F925AA291E774AAC4DBA0

Function 0058FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0058FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0058FB08
VariantInit.OLEAUT32(?), ref: 0058FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0058FB3A
VariantCopy.OLEAUT32(?,?), ref: 0058FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0058FBA1
VariantClear.OLEAUT32(?), ref: 0058FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0058FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0058FBCC
VariantClear.OLEAUT32(?), ref: 0058FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0058FBE9

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 03ca029563987f9c903d9a366518b1f37699a452379d827319bda246ec0f6529
Instruction ID: 78af28701d5bea581b7b1b018025cdba1ed334bd459554cd0e39aad099594b60
Opcode Fuzzy Hash: 03ca029563987f9c903d9a366518b1f37699a452379d827319bda246ec0f6529
Instruction Fuzzy Hash: 57414035A002199FCF04EF64C898DAEBFB9FF58355F008069E94AA7261DB70A945DF90

Function 00599C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00599CA1
GetAsyncKeyState.USER32(000000A0), ref: 00599D22
GetKeyState.USER32(000000A0), ref: 00599D3D
GetAsyncKeyState.USER32(000000A1), ref: 00599D57
GetKeyState.USER32(000000A1), ref: 00599D6C
GetAsyncKeyState.USER32(00000011), ref: 00599D84
GetKeyState.USER32(00000011), ref: 00599D96
GetAsyncKeyState.USER32(00000012), ref: 00599DAE
GetKeyState.USER32(00000012), ref: 00599DC0
GetAsyncKeyState.USER32(0000005B), ref: 00599DD8
GetKeyState.USER32(0000005B), ref: 00599DEA

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b437969e4351127e5eca46262f08b98366404981b6c1c60d1ca0ed72c50a6712
Instruction ID: 706cffc5a7f6e0a5ca6605a8dd4469ad0e6487019c066ece568fac4899871ba4
Opcode Fuzzy Hash: b437969e4351127e5eca46262f08b98366404981b6c1c60d1ca0ed72c50a6712
Instruction Fuzzy Hash: 9041C834504BC96EFF31976888447B5BEA07F22344F08805EDAC6575C2EBA59DC8C7A2

Function 005B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005B05BC
inet_addr.WSOCK32(?), ref: 005B061C
gethostbyname.WSOCK32(?), ref: 005B0628
IcmpCreateFile.IPHLPAPI ref: 005B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005B07B9
WSACleanup.WSOCK32 ref: 005B07BF

Strings

Ping, xrefs: 005B0676

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a6c5f83ae0ef636c0437e57806f1341ea3e6c0036c3a69711fc202adcd8a6e44
Instruction ID: a4b85d82c27104b850398d93bd45610d82c33ef9d2f0e51b67dd6d8cacb62c1c
Opcode Fuzzy Hash: a6c5f83ae0ef636c0437e57806f1341ea3e6c0036c3a69711fc202adcd8a6e44
Instruction Fuzzy Hash: 4C9159756042019FD720DF15C888F5ABFE4FB84318F1499A9E46A9B6A2CB30FD45CF91

Function 005B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 005B8CF3

Part of subcall function 00598E54: _wcslen.LIBCMT ref: 00598E77

_wcslen.LIBCMT ref: 005B8D4E
_wcslen.LIBCMT ref: 005B8D9C
_wcslen.LIBCMT ref: 005B8DDC
_wcslen.LIBCMT ref: 005B8E6E

Strings

winapi, xrefs: 005B8D96, 005B8D9B
stdcall, xrefs: 005B8DD6, 005B8DDB
cdecl, xrefs: 005B8D48, 005B8D4D
none, xrefs: 005B8E65, 005B8E6A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0b3194dac332221505a21703630697b9d7c42209ff703657ecea516b756ceedc
Instruction ID: ff13b722eb5183458dabae688a62a79150b65204a6238f5cc6d9c620d4b5d5f4
Opcode Fuzzy Hash: 0b3194dac332221505a21703630697b9d7c42209ff703657ecea516b756ceedc
Instruction Fuzzy Hash: 5751A171A041179BCF14DF68C9519FEBBA9BFA4324B20562AE826E72C4DB30ED40C790

Function 005B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005B3774
CoUninitialize.OLE32 ref: 005B377F
CoCreateInstance.OLE32(?,00000000,00000017,005CFB78,?), ref: 005B37D9
IIDFromString.OLE32(?,?), ref: 005B384C
VariantInit.OLEAUT32(?), ref: 005B38E4
VariantClear.OLEAUT32(?), ref: 005B3936

Strings

Invalid parameter, xrefs: 005B3865
Failed to create object, xrefs: 005B37E4, 005B389A
NULL Pointer assignment, xrefs: 005B381E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3d38987ec17df3ad2b8348fd74f6132496a56900a8e04022f4c6b20316af9a1d
Instruction ID: 3e3ff7b164549c9b9957170bbb6db8904b94c0650021dedcd8dd87978a1c2407
Opcode Fuzzy Hash: 3d38987ec17df3ad2b8348fd74f6132496a56900a8e04022f4c6b20316af9a1d
Instruction Fuzzy Hash: 67617DB1608701AFD710DF54C889BAABFE8FF89714F104819F585A7291D770EE49CB92

Function 005C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

Part of subcall function 0054912D: GetCursorPos.USER32(?), ref: 00549141
Part of subcall function 0054912D: ScreenToClient.USER32(00000000,?), ref: 0054915E
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000001), ref: 00549183
Part of subcall function 0054912D: GetAsyncKeyState.USER32(00000002), ref: 0054919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005C8B6B
ImageList_EndDrag.COMCTL32 ref: 005C8B71
ReleaseCapture.USER32 ref: 005C8B77
SetWindowTextW.USER32(?,00000000), ref: 005C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005C8CFF

Strings

@GUI_DRAGFILE, xrefs: 005C8C9A
@GUI_DROPID, xrefs: 005C8C51
p#`, xrefs: 005C8C71

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#`
API String ID: 1924731296-825576821
Opcode ID: eeb3cc414e964beed82eebfb9514de4c6e34fc273f2f8f83f80c922632577a7a
Instruction ID: 9456e36bd461044cdd1adf0208d4336b0682a0a5088751552804ea8a361d28ff
Opcode Fuzzy Hash: eeb3cc414e964beed82eebfb9514de4c6e34fc273f2f8f83f80c922632577a7a
Instruction Fuzzy Hash: DE515971104205AFD704DF64D89AFAB7BE5FB88714F00062DF996AB2E1CB709D44CB62

Function 005A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005A33CF

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005A33F0

Strings

Incorrect parameters to object property !, xrefs: 005A34AB
Error: , xrefs: 005A34D1
Line %d (File "%s"):, xrefs: 005A3443, 005A345C
"%s" (%d) : ==> %s:, xrefs: 005A3522
"%s" (%d) : ==> %s:%s%s, xrefs: 005A3504
^ ERROR , xrefs: 005A349E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 28ca3e548369eedf4df7158dd82e23e26ee348a84aaec2ae9cbe83e7c2629efe
Instruction ID: d34cc118c3973e580cba7a5c5bd28a394645c4f9266585948b3a1daa94fb1bed
Opcode Fuzzy Hash: 28ca3e548369eedf4df7158dd82e23e26ee348a84aaec2ae9cbe83e7c2629efe
Instruction Fuzzy Hash: 3F519F7180020AAADF19EBA4CD4AEEEBB79BF89300F104465F10572061EB752F58DB60

Function 0059B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0059B5FC
_wcslen.LIBCMT ref: 0059B608
_wcslen.LIBCMT ref: 0059B64D
_wcslen.LIBCMT ref: 0059B68C
_wcslen.LIBCMT ref: 0059B6C7

Strings

KEYS, xrefs: 0059B647, 0059B64C
EXISTS, xrefs: 0059B686, 0059B68B
APPEND, xrefs: 0059B6C1, 0059B6C6
REMOVE, xrefs: 0059B602, 0059B607

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0f4186d1d3f6266fb12e1408fe39671451b5a942d61e7ebd1e5e081bd4bf5114
Instruction ID: 9f0fd93e0e5e72877d23dbb927ada1f21e78a3e8f4d3694db02b97f6d249b806
Opcode Fuzzy Hash: 0f4186d1d3f6266fb12e1408fe39671451b5a942d61e7ebd1e5e081bd4bf5114
Instruction Fuzzy Hash: 8D41E532A010279AFF106F7DDA905BE7FB5FBA0794B244229E421D7284E735ED81C790

Function 005A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005A5416
GetLastError.KERNEL32 ref: 005A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 005A54A7

Strings

INVALID, xrefs: 005A5459
NOTREADY, xrefs: 005A544B
READY, xrefs: 005A5460, 005A5468
UNKNOWN, xrefs: 005A5444
READONLY, xrefs: 005A5452

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c5d4afb09810c1a1f09071950e038193aa8df24fd4e5dbe1d6de6e711dfa1b51
Instruction ID: 5988ec489ba2ce3c3780ad89841bdcf8576fdf8e7ca9196a514fce81f35f93fe
Opcode Fuzzy Hash: c5d4afb09810c1a1f09071950e038193aa8df24fd4e5dbe1d6de6e711dfa1b51
Instruction Fuzzy Hash: A631AE75A006099FCB10DF68C488EAEBFB4FF5A305F188065E505DB292E774DD86CB90

Function 005C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005C3C79
SetMenu.USER32(?,00000000), ref: 005C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C3D10
IsMenu.USER32(?), ref: 005C3D24
CreatePopupMenu.USER32 ref: 005C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005C3D5B
DrawMenuBar.USER32 ref: 005C3D63

Strings

F, xrefs: 005C3D4E
0, xrefs: 005C3C54

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: adb2228a14607002d534ef09aa8a3dcd7cbb81927eb8d893766c79b2d234050b
Instruction ID: d518c2a9dafff6f429f9a39234265b40aa0c08eaaf15e2033d9839958a2c0bca
Opcode Fuzzy Hash: adb2228a14607002d534ef09aa8a3dcd7cbb81927eb8d893766c79b2d234050b
Instruction Fuzzy Hash: F3416875A01609AFDB14CFA4D894FAA7FB5FF4A350F14402DF94AA7360D730AA14DB90

Function 005C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005C3C13

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: fd1dc4228d37af214a286393aa884e3d8576df67b55cc1a06bacf3c2735ffea3
Instruction ID: 333c9504dc6ae172b5bbeb15a5764d4a51351f3c83467ae0023e0345fb00076e
Opcode Fuzzy Hash: fd1dc4228d37af214a286393aa884e3d8576df67b55cc1a06bacf3c2735ffea3
Instruction Fuzzy Hash: E0616775A00208AFDB10DFA8CC81EEE7BB8FF49704F104199FA15AB2A1C774AE45DB50

Function 00562C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00562C94

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 00562CA0
_free.LIBCMT ref: 00562CAB
_free.LIBCMT ref: 00562CB6
_free.LIBCMT ref: 00562CC1
_free.LIBCMT ref: 00562CCC
_free.LIBCMT ref: 00562CD7
_free.LIBCMT ref: 00562CE2
_free.LIBCMT ref: 00562CED
_free.LIBCMT ref: 00562CFB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3bc42bd911245bd28516d130c7862ea996efc7b9bd5818303baf74d9c509329b
Instruction ID: 9ba79bd06b68d3e70a6fc41a34493952d0ec961bccf6b70020eff9e298c91d6b
Opcode Fuzzy Hash: 3bc42bd911245bd28516d130c7862ea996efc7b9bd5818303baf74d9c509329b
Instruction Fuzzy Hash: 42119376600509BFCB06EF54D886CDD3FA5FF85390F4145A5FA489B232DA31EE909B90

Function 00531410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00531459
OleUninitialize.OLE32(?,00000000), ref: 005314F8
UnregisterHotKey.USER32(?), ref: 005316DD
DestroyWindow.USER32(?), ref: 005724B9
FreeLibrary.KERNEL32(?), ref: 0057251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0057254B

Strings

close all, xrefs: 00531454

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 59c81f5c68f6a42884e02a8d1704a72cb1b721edcc5f723f9fc4d7c0f3761506
Instruction ID: 2d810e5f9d0e41fc47d51fff1f43fd6b9b3fe1a616c43b2db34f3f7312d518fd
Opcode Fuzzy Hash: 59c81f5c68f6a42884e02a8d1704a72cb1b721edcc5f723f9fc4d7c0f3761506
Instruction Fuzzy Hash: 6BD17B31701612CFCB29EF64D499A69FFA4BF45704F1482ADE44EAB252CB30AD22DF54

Function 005A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005A7FC1
GetFileAttributesW.KERNEL32(?), ref: 005A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 005A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 005A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005A80B0

Strings

*.*, xrefs: 005A8066

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7fe98bebdf8cefd5a84f3d4d42c815e882235d0d38caf34ae26695c4347b74be
Instruction ID: 39d3e2b5bfe69c37f74891f46456726082e54e8763459eee7ad6f6386e019293
Opcode Fuzzy Hash: 7fe98bebdf8cefd5a84f3d4d42c815e882235d0d38caf34ae26695c4347b74be
Instruction Fuzzy Hash: E68190725082499BCB24EF24C8589BEBBE8BF8A310F144C5EF885D7251EB35DD49CB52

Function 00535BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00535C7A

Part of subcall function 00535D0A: GetClientRect.USER32(?,?), ref: 00535D30
Part of subcall function 00535D0A: GetWindowRect.USER32(?,?), ref: 00535D71
Part of subcall function 00535D0A: ScreenToClient.USER32(?,?), ref: 00535D99

GetDC.USER32 ref: 005746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00574708
SelectObject.GDI32(00000000,00000000), ref: 00574716
SelectObject.GDI32(00000000,00000000), ref: 0057472B
ReleaseDC.USER32(?,00000000), ref: 00574733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005747C4

Strings

U, xrefs: 00574693

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9684a28637ce36e7c2c563eb860164837a302f4208ebc03299350ac4afc4381a
Instruction ID: ed0fe032dbf50fd09587c3462dd9dafaefef4dc0addbe93f715d39c6fee13667
Opcode Fuzzy Hash: 9684a28637ce36e7c2c563eb860164837a302f4208ebc03299350ac4afc4381a
Instruction Fuzzy Hash: E171F130400209DFCF268F64D984EBA3FB5FF4A314F149269ED595A166D3309C82EF50

Function 005A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005A35E4

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

LoadStringW.USER32(00602390,?,00000FFF,?), ref: 005A360A

Strings

Error: , xrefs: 005A36EF
Line %d (File "%s"):, xrefs: 005A366B
"%s" (%d) : ==> %s:, xrefs: 005A3742
^ ERROR, xrefs: 005A36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 005A3724

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0f45e007907cfb1f5d5c26066ef41c570ad152b7059ea57103b1466b2fb109fa
Instruction ID: 901b1f0657ffb5f377237798383e3f16e0b5a3e5ed4436ccb6f61762875d1f1c
Opcode Fuzzy Hash: 0f45e007907cfb1f5d5c26066ef41c570ad152b7059ea57103b1466b2fb109fa
Instruction Fuzzy Hash: BB515EB184020ABACF15EBA0DC4AEEEBF79FF85304F145125F105721A1EB711B99DB60

Function 005AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005AC2CA
GetLastError.KERNEL32 ref: 005AC322
SetEvent.KERNEL32(?), ref: 005AC336
InternetCloseHandle.WININET(00000000), ref: 005AC341

Strings

, xrefs: 005AC2BB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a9ae66ee3b88e0488869fbf73625edc60ec3bfcf3a62c7227a337d76d0c097fe
Instruction ID: c576f20227f0b7c98ba2d957398de95c1aef9a77c78310ffa1601c8416b7d3dc
Opcode Fuzzy Hash: a9ae66ee3b88e0488869fbf73625edc60ec3bfcf3a62c7227a337d76d0c097fe
Instruction Fuzzy Hash: 87314DB5500604AFDB219F649888AAF7FFCFB5A744F14891EF48A92201DB34DD099B61

Function 0059989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00573AAF,?,?,Bad directive syntax error,005CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005998BC
LoadStringW.USER32(00000000,?,00573AAF,?), ref: 005998C3

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00599987

Strings

Line %d (File "%s"):, xrefs: 0059992D
., xrefs: 0059996D
Error: , xrefs: 00599955
Line %d:, xrefs: 00599912
%s (%d) : ==> %s.: %s %s, xrefs: 005998F1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a1283cbbd18e78c94d5f354cafc4c8836f80ea826fcb95d4c62f9f3fbaeedbba
Instruction ID: 86f6db2206d2cc067a453ee2ace0d5bfe3206d59a81945836aeaabc879cd98c5
Opcode Fuzzy Hash: a1283cbbd18e78c94d5f354cafc4c8836f80ea826fcb95d4c62f9f3fbaeedbba
Instruction Fuzzy Hash: 81218D3184021EABCF15AF90CC4AEEE7F79FF58300F044829F619660A2EB759A18DB10

Function 0059209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0059214D

Strings

list, xrefs: 0059212F
smallicons, xrefs: 00592115
SHELLDLL_DefView, xrefs: 005920CC
details, xrefs: 005920FB
largeicons, xrefs: 005920E1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7bd1fd606246b51cbc2037b12aca8367099be6143fd3db623f25f1e53228d79c
Instruction ID: f26b21773f194c74e8bf48337ba3bd81555f1d161311f186f6dcc1daa1a0371b
Opcode Fuzzy Hash: 7bd1fd606246b51cbc2037b12aca8367099be6143fd3db623f25f1e53228d79c
Instruction Fuzzy Hash: F311297A68870BBAFE016224DC1BDF63F9DFB14329F20001BFB05A50D1FE656895BA14

Function 0056CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0056CEB7
_free.LIBCMT ref: 0056CF22
_free.LIBCMT ref: 0056CF48
_free.LIBCMT ref: 0056CF71
_free.LIBCMT ref: 0056CFA9
_free.LIBCMT ref: 0056CFDA
_free.LIBCMT ref: 0056D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0056D09C
_free.LIBCMT ref: 0056D0B5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e4e75aa2ac8f1d320bab4d748ea6a3d635a4dc4b221fa8a70621b744cba5630a
Instruction ID: 99d3beb5b320415ad90db124b4804a1f122aca58f5f930d4be0d00bafd5652f7
Opcode Fuzzy Hash: e4e75aa2ac8f1d320bab4d748ea6a3d635a4dc4b221fa8a70621b744cba5630a
Instruction Fuzzy Hash: EA616A71A04302AFDB25AFB49C89B7ABFA6FF45360F04456DF98597281E6329D01C7A0

Function 005C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005C5186
ShowWindow.USER32(?,00000000), ref: 005C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005C51D1

Part of subcall function 005C6FBA: DeleteObject.GDI32(00000000), ref: 005C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 005C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005C5296

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: f2bdc71d33a3aae15eb9e85221d0ab4ac207978c1c288b48a8738967f42b9d19
Instruction ID: 90f0791e140aed53eddff02c5e7b5feee43b55a1f00dfddbf60f560e293f5e62
Opcode Fuzzy Hash: f2bdc71d33a3aae15eb9e85221d0ab4ac207978c1c288b48a8738967f42b9d19
Instruction Fuzzy Hash: 4A51AD34A40A09AEEF209FE4CC4AFD93FA5FB45324F584009F6559A2E0E775B9C0DB40

Function 00548B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00586890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00548874,00000000,00000000,00000000,000000FF,00000000), ref: 00586901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0058691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00548874,00000000,00000000,00000000,000000FF,00000000), ref: 0058692D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2c30de1a78557ca6247d3ed48aae219adc8a770ac7c130e169e5fe7d8eba2007
Instruction ID: 583eb1c8b70c746899e65b9311e37dd20e16d5c1c046930c4719c29a6172381c
Opcode Fuzzy Hash: 2c30de1a78557ca6247d3ed48aae219adc8a770ac7c130e169e5fe7d8eba2007
Instruction Fuzzy Hash: 80516770A00609EFDB20DF24CC95FAA7FB6FB98754F104518F956AB2A0DB70E990DB50

Function 005AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005AC182
GetLastError.KERNEL32 ref: 005AC195
SetEvent.KERNEL32(?), ref: 005AC1A9

Part of subcall function 005AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005AC272
Part of subcall function 005AC253: GetLastError.KERNEL32 ref: 005AC322
Part of subcall function 005AC253: SetEvent.KERNEL32(?), ref: 005AC336
Part of subcall function 005AC253: InternetCloseHandle.WININET(00000000), ref: 005AC341

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4695315e1b4214df103c21acd41f5efda61f8588191401eb4b29ba287664ac78
Instruction ID: 56241146ad334849b2fcdfadceb7245435adcaf94b99203f8210c6edc570f414
Opcode Fuzzy Hash: 4695315e1b4214df103c21acd41f5efda61f8588191401eb4b29ba287664ac78
Instruction Fuzzy Hash: 03319075200B05AFDB219FA5DD48A6ABFF9FF6A300B04441DF99A86610D731E814EFA0

Function 005925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00593A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00593A57
Part of subcall function 00593A3D: GetCurrentThreadId.KERNEL32 ref: 00593A5E
Part of subcall function 00593A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005925B3), ref: 00593A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00592601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00592605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0059260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00592623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00592627

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3c9bfb68d2c7f358da2e2cce6a493abef706e9c144b4586dc2e7faee5022f1bf
Instruction ID: 02f1206f07d3da964443518b4be19c96660ab213e78fda96bc03e7752c020cf3
Opcode Fuzzy Hash: 3c9bfb68d2c7f358da2e2cce6a493abef706e9c144b4586dc2e7faee5022f1bf
Instruction Fuzzy Hash: 6E01D430790610BBFB106769DC8EF593F69EB9EB12F110001F318AE1D1C9E22448DAA9

Function 00591803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00591449,?,?,00000000), ref: 0059180C
HeapAlloc.KERNEL32(00000000,?,00591449,?,?,00000000), ref: 00591813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00591449,?,?,00000000), ref: 00591828
GetCurrentProcess.KERNEL32(?,00000000,?,00591449,?,?,00000000), ref: 00591830
DuplicateHandle.KERNEL32(00000000,?,00591449,?,?,00000000), ref: 00591833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00591449,?,?,00000000), ref: 00591843
GetCurrentProcess.KERNEL32(00591449,00000000,?,00591449,?,?,00000000), ref: 0059184B
DuplicateHandle.KERNEL32(00000000,?,00591449,?,?,00000000), ref: 0059184E
CreateThread.KERNEL32(00000000,00000000,00591874,00000000,00000000,00000000), ref: 00591868

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2d83cb45779c2ed3a87820a7eb5e9129b09c99a87a1833578ddca877d582935d
Instruction ID: 86326e5387e297135412f7a26d5c3d97f28c758b12ba0abfaddc646c415c03eb
Opcode Fuzzy Hash: 2d83cb45779c2ed3a87820a7eb5e9129b09c99a87a1833578ddca877d582935d
Instruction Fuzzy Hash: A401BBB5240748BFE710ABA6DC4DF6B3FACEB99B11F044411FA09DB1A1CA749804DB20

Function 005BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0059D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0059D501
Part of subcall function 0059D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0059D50F
Part of subcall function 0059D4DC: CloseHandle.KERNEL32(00000000), ref: 0059D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005BA16D
GetLastError.KERNEL32 ref: 005BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 005BA268
GetLastError.KERNEL32(00000000), ref: 005BA273
CloseHandle.KERNEL32(00000000), ref: 005BA2C4

Strings

SeDebugPrivilege, xrefs: 005BA18F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 148de97c05cfc2278d8b07fcafd6dde4e7649a3cdaf5d12988ae4ce22d599cda
Instruction ID: eb34abc725bce092e63304681fd521eb37045b71468cbaafe44e9b68a6f3b906
Opcode Fuzzy Hash: 148de97c05cfc2278d8b07fcafd6dde4e7649a3cdaf5d12988ae4ce22d599cda
Instruction Fuzzy Hash: 70617D34204642AFD710DF19C498F55BFA1BF94318F18849CE4564BBA2C772EC49CB92

Function 005C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005C3954
_wcslen.LIBCMT ref: 005C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005C39F4

Strings

SysListView32, xrefs: 005C38F7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 298ce30edf814bb0708c3b545daaebd9da0cfdbb7840c17941a3a76094c2dcf5
Instruction ID: 283327e0fa1bf89ceca79109924c84f4853b9c65a7cd9c75aa9abf65e8eb3104
Opcode Fuzzy Hash: 298ce30edf814bb0708c3b545daaebd9da0cfdbb7840c17941a3a76094c2dcf5
Instruction Fuzzy Hash: 8B41B231A0021DAFDB219FA4CC49FEA7FA9FF48350F10452AF958E7281D7759A84CB90

Function 0059BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059BCFD
IsMenu.USER32(00000000), ref: 0059BD1D
CreatePopupMenu.USER32 ref: 0059BD53
GetMenuItemCount.USER32(00D54DB0), ref: 0059BDA4
InsertMenuItemW.USER32(00D54DB0,?,00000001,00000030), ref: 0059BDCC

Strings

0, xrefs: 0059BCA8
2, xrefs: 0059BD37

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: aa7b1586d52c27663997457358085b241176be843f15748b73408b9eed815ed8
Instruction ID: fd7f49a52baa116a48ba9e93b1c51c406050ab5311f18dacff39d33f3d78a3ca
Opcode Fuzzy Hash: aa7b1586d52c27663997457358085b241176be843f15748b73408b9eed815ed8
Instruction Fuzzy Hash: 0251BE70A0030A9BFF20CFA8EA88BAEBFF8BF95314F144559E405E7290D7709945CB61

Function 00552D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00552D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00552D53
_ValidateLocalCookies.LIBCMT ref: 00552DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00552E0C
_ValidateLocalCookies.LIBCMT ref: 00552E61

Strings

csm, xrefs: 00552DF6
&HU, xrefs: 00552DFE, 00552E07, 00552E18

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HU$csm
API String ID: 1170836740-1876588605
Opcode ID: 2e69164f73a246e196471141d3e3e0ac4c985b2223f128718f5645e5ef72cac0
Instruction ID: ae0c54f988806b349cce5d11d8478a1a9b4d4ab5fe7b1a305ad962a832d03862
Opcode Fuzzy Hash: 2e69164f73a246e196471141d3e3e0ac4c985b2223f128718f5645e5ef72cac0
Instruction Fuzzy Hash: AB419834A01209ABCF14DF68C869A9EBFB5BF46355F148157EC186B352D731AE0ACBD0

Function 0059C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0059C913

Strings

warning, xrefs: 0059C8FC
stop, xrefs: 0059C8E4
blank, xrefs: 0059C895
question, xrefs: 0059C8CC
info, xrefs: 0059C8B4

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 27da4acfa2e99ed8114f098ade9ea0ba0747cd131103a92d88f5f1f4f04102fc
Instruction ID: 50edd027cee30b2c031a03bb56cc889e678ba1a8b9347f1c3c491536a8fc0bc5
Opcode Fuzzy Hash: 27da4acfa2e99ed8114f098ade9ea0ba0747cd131103a92d88f5f1f4f04102fc
Instruction Fuzzy Hash: 2811EB3168970BBFAF056B54DC82CAA7F9CFF15759B20042BF904A6182D7646D405764

Function 0059ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0059ED2A
_wcslen.LIBCMT ref: 0059ED3B
_wcslen.LIBCMT ref: 0059ED79
_wcslen.LIBCMT ref: 0059EDAF
_wcslen.LIBCMT ref: 0059EDDF
_wcslen.LIBCMT ref: 0059EDEF
_wcslen.LIBCMT ref: 0059EE2B
_wcslen.LIBCMT ref: 0059EE5A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3e3b183f9592013fc74a3a544cb76921bec591b0813d21128e2e8bf46b5f3e13
Instruction ID: 5bd57fb207335634cbd382e3ce7f0af4c71ce3589b8abd32688e1b64209b24be
Opcode Fuzzy Hash: 3e3b183f9592013fc74a3a544cb76921bec591b0813d21128e2e8bf46b5f3e13
Instruction Fuzzy Hash: E641926AC1021965CB11EBB4888F9CFBBBCBF85311F508467E914E3122EB34D249C7A5

Function 0054F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 0054F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 0058F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 0058F454

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4c59e49fd565b0bc4aeb50c99ac3cd8560b0a18a9583f467cfe52de80e86626b
Instruction ID: 3412a467e16c275d8900986fc33d946f859ae3204e13cb62cc05688cf3dcc9e0
Opcode Fuzzy Hash: 4c59e49fd565b0bc4aeb50c99ac3cd8560b0a18a9583f467cfe52de80e86626b
Instruction Fuzzy Hash: A1410B31608640BED7399F2DD988BAB7FD2BF9A318F14483DE48B67560D731A880D711

Function 005C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005C2D1B
GetDC.USER32(00000000), ref: 005C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005C2DE1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 029abd8c993cec23e5ec31c6cb2c2d2c3eb0f6ece8287b922db3daf0c0714017
Instruction ID: f99143e817fd859f11772767282d3f496d7f4e065983551ada65fb1ffb6d057a
Opcode Fuzzy Hash: 029abd8c993cec23e5ec31c6cb2c2d2c3eb0f6ece8287b922db3daf0c0714017
Instruction Fuzzy Hash: ED318B72201614BFEB118F548C8AFEB3FA9FB19711F084055FE099A291C6759C41CBA0

Function 00595622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00595637
_memcmp.LIBVCRUNTIME ref: 00595659
_memcmp.LIBVCRUNTIME ref: 00595671
_memcmp.LIBVCRUNTIME ref: 00595684
_memcmp.LIBVCRUNTIME ref: 0059569E
_memcmp.LIBVCRUNTIME ref: 005956B1
_memcmp.LIBVCRUNTIME ref: 005956C9
_memcmp.LIBVCRUNTIME ref: 005956E4

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 613a9b5c39761da3356457dcf6dfed67dce5de59bdc8ddf2d594c556b7c03b8e
Instruction ID: 57964b20773d7cf7381492ebfe5872dd2c1ef7aafd7583f1132b3648b28662b6
Opcode Fuzzy Hash: 613a9b5c39761da3356457dcf6dfed67dce5de59bdc8ddf2d594c556b7c03b8e
Instruction Fuzzy Hash: 77214961740E0A7BDA065E20DEA2FFA3F5DBF60385F000425FD069A581F720EE3483A8

Function 005B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 005B502E, 005B5383
Not an Object type, xrefs: 005B5007

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2f5bdb6dd0b7f1d0d0fbd02ab53d254d546323664b8fdccd4e6ed265487b0450
Instruction ID: dd36d497420baee71869b99ac22db02642cf1f626388f6c4a84b311c88990fff
Opcode Fuzzy Hash: 2f5bdb6dd0b7f1d0d0fbd02ab53d254d546323664b8fdccd4e6ed265487b0450
Instruction Fuzzy Hash: AED1C171A0060A9FDF18DFA8C885FEEBBB5BF48344F148469E915AB281E770ED45CB50

Function 00571522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00571651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005717FB,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005716FB

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00571777
__freea.LIBCMT ref: 005717A2
__freea.LIBCMT ref: 005717AE

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: de88c4648d232f75ca2ee1ce596337444402e30bd930d6a68e8e33073b16ea60
Instruction ID: 538d18a5d96710c73651271e72c3c8cbaf0135395151da80b3b307134bc28abb
Opcode Fuzzy Hash: de88c4648d232f75ca2ee1ce596337444402e30bd930d6a68e8e33073b16ea60
Instruction Fuzzy Hash: 4991D471E00A069EDB288E78E885AEE7FB5FF45710F188519E80AE7141D725DC44EBA4

Function 005B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B4648
VariantInit.OLEAUT32(?), ref: 005B4749
VariantClear.OLEAUT32(?), ref: 005B4753
VariantClear.OLEAUT32(?), ref: 005B47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005B45D8, 005B4706, 005B47BE
Incorrect Object type in FOR..IN loop, xrefs: 005B472C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8e7aedb2ccb3e4069083970319bf877bac9b592b62f831452fd3e2df0c2c97b6
Instruction ID: ef754b131ef9e8cd631c2ccb7f4892562793a5fe088552e472ec319210d598e4
Opcode Fuzzy Hash: 8e7aedb2ccb3e4069083970319bf877bac9b592b62f831452fd3e2df0c2c97b6
Instruction Fuzzy Hash: 1E916F71A00219ABDF24CFA5C848FEE7FB8FF46715F108559E505AB282D770A945CFA0

Function 005A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005A1430

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6d189e549235b460d5f1c98130e8ed6dc9511bcf71a62553246f3c37f08ddfc2
Instruction ID: af35e07517434ed1f5720602342add3ede390eff79d644d56baf7be1ed6eb37b
Opcode Fuzzy Hash: 6d189e549235b460d5f1c98130e8ed6dc9511bcf71a62553246f3c37f08ddfc2
Instruction Fuzzy Hash: 69911475A00609AFDB00DF98C889BBEBFB5FF86315F104429E941EB291D774E941CB98

Function 0054948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7c46f4ec269c9d1dd9b44a9c214597e4081fd19c863140c9c5bcc220065bc649
Instruction ID: 306e19ccc55d76bb1d58a11d48f896581c1eadfacd9d24e058983ef78076bada
Opcode Fuzzy Hash: 7c46f4ec269c9d1dd9b44a9c214597e4081fd19c863140c9c5bcc220065bc649
Instruction Fuzzy Hash: 47912571D00219AFCB10CFA9C889AEEBFB8FF89324F244459E915B7251D774A941DB60

Function 005B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B396B
CharUpperBuffW.USER32(?,?), ref: 005B3A7A
_wcslen.LIBCMT ref: 005B3A8A
VariantClear.OLEAUT32(?), ref: 005B3C1F

Part of subcall function 005A0CDF: VariantInit.OLEAUT32(00000000), ref: 005A0D1F
Part of subcall function 005A0CDF: VariantCopy.OLEAUT32(?,?), ref: 005A0D28
Part of subcall function 005A0CDF: VariantClear.OLEAUT32(?), ref: 005A0D34

Strings

Incorrect Parameter format, xrefs: 005B39A6, 005B3BA1
AUTOIT.ERROR, xrefs: 005B3A80, 005B3A85

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0b37291aa72b32ec0fddf86ad13276e6fae85ec6c09fb0009adfca5510f69611
Instruction ID: 85ed66bc567ed492836ba4a08ae9db5c7241a0e01481b4d76049c1248730fae5
Opcode Fuzzy Hash: 0b37291aa72b32ec0fddf86ad13276e6fae85ec6c09fb0009adfca5510f69611
Instruction Fuzzy Hash: F89147756083069FCB14DF28C4859AABBE4FF89314F14882DF889A7351DB30EE45CB92

Function 005B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0059000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?,?,0059035E), ref: 0059002B
Part of subcall function 0059000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590046
Part of subcall function 0059000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590054
Part of subcall function 0059000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?), ref: 00590064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005B4C51
_wcslen.LIBCMT ref: 005B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005B4DCF
CoTaskMemFree.OLE32(?), ref: 005B4DDA

Strings

NULL Pointer assignment, xrefs: 005B4E23, 005B4E52

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b084c8332b9079b702b873f448bb091f41259205d34eb4fd2612080ecc745c8d
Instruction ID: 19fafcb79f465fd277ead3322b7ed098dc1abb5a862e0a34aa1dfb5ef0485dc8
Opcode Fuzzy Hash: b084c8332b9079b702b873f448bb091f41259205d34eb4fd2612080ecc745c8d
Instruction Fuzzy Hash: 61912771D0021DAFDF24DFA4C895AEEBBB8BF48310F108569E915A7251DB70AE44CFA0

Function 005C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005C2183
GetMenuItemCount.USER32(00000000), ref: 005C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005C21DD
_wcslen.LIBCMT ref: 005C2213
GetMenuItemID.USER32(?,?), ref: 005C224D
GetSubMenu.USER32(?,?), ref: 005C225B

Part of subcall function 00593A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00593A57
Part of subcall function 00593A3D: GetCurrentThreadId.KERNEL32 ref: 00593A5E
Part of subcall function 00593A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005925B3), ref: 00593A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005C22E3

Part of subcall function 0059E97B: Sleep.KERNEL32 ref: 0059E9F3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 173b7cf260beeb640519f45d9db71c5e88f5508cb7854572378f63bf61746d96
Instruction ID: fc08ea5ce1c8bf82b2f3408473bc4a1d3e9b18eba9cb646ef7062ca2f02071ee
Opcode Fuzzy Hash: 173b7cf260beeb640519f45d9db71c5e88f5508cb7854572378f63bf61746d96
Instruction Fuzzy Hash: C9714C79A00215AFCB14EFA8C885EAEBFB5FF88310F148459E916EB351D734AD41CB90

Function 0059AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0059AEF9
GetKeyboardState.USER32(?), ref: 0059AF0E
SetKeyboardState.USER32(?), ref: 0059AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0059AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0059AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0059AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0059B020

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3f087989b849bdaca315e26eea5b5067677bade053ab2e3c53d8893eabbb103b
Instruction ID: 1c4b5378550d577009005a2bebf3c0b64c82fb8abe2517230542af80a365d616
Opcode Fuzzy Hash: 3f087989b849bdaca315e26eea5b5067677bade053ab2e3c53d8893eabbb103b
Instruction Fuzzy Hash: A151A3A4A047D53DFF3683348D49BBA7EA97B06304F088589E1D9558C3D3D9ACC8D7A1

Function 0059ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0059AD19
GetKeyboardState.USER32(?), ref: 0059AD2E
SetKeyboardState.USER32(?), ref: 0059AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0059ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0059ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0059AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0059AE38

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 046ce149928fd2396f76867d55bf7f96b38ab4f6098bc68824e31a4793ec4638
Instruction ID: 8392b14b2e206ba857bd547ccb81ceac2e85928333a3bdc945099269fdcc00fb
Opcode Fuzzy Hash: 046ce149928fd2396f76867d55bf7f96b38ab4f6098bc68824e31a4793ec4638
Instruction Fuzzy Hash: 995193A19047D53DFF3683248C55B7A7EADBB46300F088589E1D9568C2D794EC88E7B2

Function 0056542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00573CD6,?,?,?,?,?,?,?,?,00565BA3,?,?,00573CD6,?,?), ref: 00565470
__fassign.LIBCMT ref: 005654EB
__fassign.LIBCMT ref: 00565506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00573CD6,00000005,00000000,00000000), ref: 0056552C
WriteFile.KERNEL32(?,00573CD6,00000000,00565BA3,00000000,?,?,?,?,?,?,?,?,?,00565BA3,?), ref: 0056554B
WriteFile.KERNEL32(?,?,00000001,00565BA3,00000000,?,?,?,?,?,?,?,?,?,00565BA3,?), ref: 00565584

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a726d4c5b20352eb4e359e706137dbd8704f218a1ac39a4d73d2b60de7f85305
Instruction ID: f8b91d0e290a43eeaf55d10d57f37bc52c5eed61af6d6021fd92f26fe32b1752
Opcode Fuzzy Hash: a726d4c5b20352eb4e359e706137dbd8704f218a1ac39a4d73d2b60de7f85305
Instruction Fuzzy Hash: FA51B0B0A406499FDB10CFA8D849AEEBFF9FF19300F14455AF956E7291E6309A41CB60

Function 005B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B307A
Part of subcall function 005B304E: _wcslen.LIBCMT ref: 005B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005B1112
WSAGetLastError.WSOCK32 ref: 005B1121
WSAGetLastError.WSOCK32 ref: 005B11C9
closesocket.WSOCK32(00000000), ref: 005B11F9

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f53eacd9201edacae481d5930932e118927fa2b4c99e283e2d6bf59f6031a6b9
Instruction ID: f970bbe3ac1adc5a73f1e2b9e655a6c3a2d79caec036e3ccb1c0ff379817800a
Opcode Fuzzy Hash: f53eacd9201edacae481d5930932e118927fa2b4c99e283e2d6bf59f6031a6b9
Instruction Fuzzy Hash: 1B41F731600904AFDB109F18C898BEABFE9FF85314F148059F9099B291C770BD45CBA4

Function 0059CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0059CF22,?), ref: 0059DDFD

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0059CF22,?), ref: 0059DE16

lstrcmpiW.KERNEL32(?,?), ref: 0059CF45
MoveFileW.KERNEL32(?,?), ref: 0059CF7F
_wcslen.LIBCMT ref: 0059D005
_wcslen.LIBCMT ref: 0059D01B
SHFileOperationW.SHELL32(?), ref: 0059D061

Strings

\*.*, xrefs: 0059CFF3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9deaf0c172044e195aca8ef26d050ea4d7d37b09c3e35a3a0faf19bbaac15958
Instruction ID: 4e6a830924ee0a4200be444c92469827e9c06c6f32a0135172e3a3ff0c9b52b3
Opcode Fuzzy Hash: 9deaf0c172044e195aca8ef26d050ea4d7d37b09c3e35a3a0faf19bbaac15958
Instruction Fuzzy Hash: 9A4146719452195FDF12EBA4D985EDDBFB9BF48380F1000E6E509EB141EA34A688CB50

Function 005C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005C2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 005C2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 005C2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005C2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005C2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 005C2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005C2F0B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 44d06a35d0c0a0e6f000ebee50d0173f07832e01493d3d0dbc03e67cd4b04d95
Instruction ID: 34a9c1e100a5e84088124b8dc2f6d93ad4a8c1f57b7adf87e5cddd24875164c7
Opcode Fuzzy Hash: 44d06a35d0c0a0e6f000ebee50d0173f07832e01493d3d0dbc03e67cd4b04d95
Instruction Fuzzy Hash: 75311530644254AFDB21DF98DD84FA53BE9FB9A710F151168F904AF2B1CB71AC84DB41

Function 00597726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00597769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0059778F
SysAllocString.OLEAUT32(00000000), ref: 00597792
SysAllocString.OLEAUT32(?), ref: 005977B0
SysFreeString.OLEAUT32(?), ref: 005977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005977DE
SysAllocString.OLEAUT32(?), ref: 005977EC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c7c30eab2fb302be146f2d05f2bd0691b05f9481461090e731686627dc6eaf4
Instruction ID: abc62dad36db5ba786f1210ad426057b66280912930d2a111d5e53bbe9eb28c3
Opcode Fuzzy Hash: 2c7c30eab2fb302be146f2d05f2bd0691b05f9481461090e731686627dc6eaf4
Instruction Fuzzy Hash: 0021907661421DAFDF10DFA9CC88CBB7BACFB097647048426FA19DB260D670DC468760

Function 005977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00597842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00597868
SysAllocString.OLEAUT32(00000000), ref: 0059786B
SysAllocString.OLEAUT32 ref: 0059788C
SysFreeString.OLEAUT32 ref: 00597895
StringFromGUID2.OLE32(?,?,00000028), ref: 005978AF
SysAllocString.OLEAUT32(?), ref: 005978BD

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 85167ba8423be4e337d938f4b4f6dd5114e15ead868be92d7702a931ba9cf1ae
Instruction ID: 5677f257cceaa21f9b79b30788b5994e0e3c2fd74c48febb0cfc07f556c5d3ed
Opcode Fuzzy Hash: 85167ba8423be4e337d938f4b4f6dd5114e15ead868be92d7702a931ba9cf1ae
Instruction Fuzzy Hash: 0C217131618208AFDF109FA8DC8CDAA7BECFB0D7607148126F915CB2A1D670DC45DB64

Function 005A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005A052E

Strings

nul, xrefs: 005A0567

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4113859b4cbf0ec8d830fa1510dee648a188e7a459b6717724fc10375d7428f5
Instruction ID: ef3694c9653df360167717b1edd37176199441b4123ea8a9a210d6e0517753f6
Opcode Fuzzy Hash: 4113859b4cbf0ec8d830fa1510dee648a188e7a459b6717724fc10375d7428f5
Instruction Fuzzy Hash: 71219A74910305AFCF208F29DC48AAE7FF4BF5A760F204A19E8A1D22E0E7709940CF20

Function 005A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005A0601

Strings

nul, xrefs: 005A0639

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 081cf0d66cb75bb82ea47e29c75146db4853d3c00a5923e7192e578ecfa149d4
Instruction ID: 37dbc36e90dbd77e80a23b671892f295f46763d195c734c802e1775e23d25685
Opcode Fuzzy Hash: 081cf0d66cb75bb82ea47e29c75146db4853d3c00a5923e7192e578ecfa149d4
Instruction Fuzzy Hash: 572151755103059FDB209F699C04EAE7FE4BF96724F201A19F9A1E72E0E7709960CB20

Function 005C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0053600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0053604C
Part of subcall function 0053600E: GetStockObject.GDI32(00000011), ref: 00536060
Part of subcall function 0053600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0053606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005C4145

Strings

Msctls_Progress32, xrefs: 005C40E3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f03912ad76be1925a1a0476145c56b05abb0d6acb8904e0c77d001792d67c8bb
Instruction ID: 4d7fa520a7c65c8906b6643016b21771263e2a5e5ba901790e171a9c78e6499e
Opcode Fuzzy Hash: f03912ad76be1925a1a0476145c56b05abb0d6acb8904e0c77d001792d67c8bb
Instruction Fuzzy Hash: 651190B214021EBEEF118EA4CC86EE77F9DFF08798F004111FB18A6050C6729C61DBA4

Function 0056D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0056D7A3: _free.LIBCMT ref: 0056D7CC

_free.LIBCMT ref: 0056D82D

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056D838
_free.LIBCMT ref: 0056D843
_free.LIBCMT ref: 0056D897
_free.LIBCMT ref: 0056D8A2
_free.LIBCMT ref: 0056D8AD
_free.LIBCMT ref: 0056D8B8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 938e3e411e477f433ad6da2642bd2b08e02ec641c1848f6ffb3cd9df275ddb83
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: A3114C71A40B05AAD621BFB0CC4FFCB7FECBF80700F440C25B29DA7092DA69B5458661

Function 0059DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0059DA74
LoadStringW.USER32(00000000), ref: 0059DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0059DA91
LoadStringW.USER32(00000000), ref: 0059DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0059DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0059DAB9

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 13bc33d7716b99ef5ba60cc1be472c8389a7352bc383ca23857255583bad9e9d
Instruction ID: 9c6750ab582e47643b6fa6d8b6b4cda8d125fab980e5b5efc5dfee716d049b72
Opcode Fuzzy Hash: 13bc33d7716b99ef5ba60cc1be472c8389a7352bc383ca23857255583bad9e9d
Instruction Fuzzy Hash: BE0186F25002087FEB10ABA49D89EFB3B6CE708301F400495F74AE2041EA749E889F74

Function 005A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D4ED88,00D4ED88), ref: 005A097B
EnterCriticalSection.KERNEL32(00D4ED68,00000000), ref: 005A098D
TerminateThread.KERNEL32(00D49DC0,000001F6), ref: 005A099B
WaitForSingleObject.KERNEL32(00D49DC0,000003E8), ref: 005A09A9
CloseHandle.KERNEL32(00D49DC0), ref: 005A09B8
InterlockedExchange.KERNEL32(00D4ED88,000001F6), ref: 005A09C8
LeaveCriticalSection.KERNEL32(00D4ED68), ref: 005A09CF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c85ef5297fbbeb439ae5e2d979861de1993fc1f6ddca57390edba648b82c3d6f
Instruction ID: 7af48cf678638b2ffe6df7ca24175171a16a6673181874fd71db71c92c7973f9
Opcode Fuzzy Hash: c85ef5297fbbeb439ae5e2d979861de1993fc1f6ddca57390edba648b82c3d6f
Instruction Fuzzy Hash: DFF01932442A02AFD7415BA4EE88EEABE39FF11702F402025F206918A0C774946ADFA0

Function 005B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005B1DE1
WSAGetLastError.WSOCK32 ref: 005B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 005B1EDB
inet_ntoa.WSOCK32(?), ref: 005B1E8C

Part of subcall function 005939E8: _strlen.LIBCMT ref: 005939F2

Part of subcall function 005B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005AEC0C), ref: 005B3240

_strlen.LIBCMT ref: 005B1F35

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 85e6ba0940d3aac23f8df778f29875d038510ca26384c6f784d0a68c3f479af3
Instruction ID: 30586435d3a2d7b9bcf62badb001e6bc022a2c12e3f744898dfabf4c3c6edc56
Opcode Fuzzy Hash: 85e6ba0940d3aac23f8df778f29875d038510ca26384c6f784d0a68c3f479af3
Instruction Fuzzy Hash: 5AB1CD30204741AFC324DF24C899EAA7FA5BFC4318FA4894CF5565B2A2DB31ED46CB91

Function 00535D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00535D30
GetWindowRect.USER32(?,?), ref: 00535D71
ScreenToClient.USER32(?,?), ref: 00535D99
GetClientRect.USER32(?,?), ref: 00535ED7
GetWindowRect.USER32(?,?), ref: 00535EF8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a1e729d8b6c8e73c980f8c10c5b7ba23d984d4f82a63491485ac855f42e51452
Instruction ID: a60f866437524d66adb320c820fc611e804bf5c95fa9736db41641a6ce074f09
Opcode Fuzzy Hash: a1e729d8b6c8e73c980f8c10c5b7ba23d984d4f82a63491485ac855f42e51452
Instruction Fuzzy Hash: 34B16B75A00A4ADBDB10CFA9C4407EEBBF5FF54310F14981AE8A9D7250E734AA51EB50

Function 005601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005600D6
__allrem.LIBCMT ref: 005600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0056010B
__allrem.LIBCMT ref: 00560122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00560140

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 0a2682f2066a20971b4c261f7c443a2ee09c3c77797874906632cf3dc3d985ae
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A1810572A00B06ABE7249F68CC55B6B7BE9BF81324F24453AF851D76C1EB70D9448B90

Function 005661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005582D9,005582D9,?,?,?,0056644F,00000001,00000001,8BE85006), ref: 00566258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0056644F,00000001,00000001,8BE85006,?,?,?), ref: 005662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005663D8
__freea.LIBCMT ref: 005663E5

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

__freea.LIBCMT ref: 005663EE
__freea.LIBCMT ref: 00566413

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0636022660774090955b3cbb8c7c7a0a8ce45331dd902e08f70cfaf51afa43bf
Instruction ID: 6ef967b5e2c82bbbb54bf0544e1d8ca394d0f373340f1fb57eb102701b220b7c
Opcode Fuzzy Hash: 0636022660774090955b3cbb8c7c7a0a8ce45331dd902e08f70cfaf51afa43bf
Instruction Fuzzy Hash: 6651AF72B00216ABEB258F64DC95EAF7FA9FB84750F154A29F805DB240EB34DC44D6A0

Function 005BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BBD25
RegCloseKey.ADVAPI32(00000000), ref: 005BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BBDF3
RegCloseKey.ADVAPI32(?), ref: 005BBDFF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b99e3be2a9482aa7e8073b3b72fab9c9821b20a3a8a14553febe8327f6cced0f
Instruction ID: a9326bd320cfa7af2c24b89e7e0af098482ea95ec415060bc882ccafb706d584
Opcode Fuzzy Hash: b99e3be2a9482aa7e8073b3b72fab9c9821b20a3a8a14553febe8327f6cced0f
Instruction Fuzzy Hash: ED81AF70208242AFD714DF24C895E6ABFE5FF84308F14895CF4994B2A2DBB1ED45CB92

Function 0058F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0058F7B9
SysAllocString.OLEAUT32(00000001), ref: 0058F860
VariantCopy.OLEAUT32(0058FA64,00000000), ref: 0058F889
VariantClear.OLEAUT32(0058FA64), ref: 0058F8AD
VariantCopy.OLEAUT32(0058FA64,00000000), ref: 0058F8B1
VariantClear.OLEAUT32(?), ref: 0058F8BB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f5ed179fe7f3e2b35c90b341d4cccf18347a9e0f8fdda480c8981a4095cece6e
Instruction ID: b1e4ae652ebde1b093284054abc2994afdd12b73889bcf520514552b36a2c91a
Opcode Fuzzy Hash: f5ed179fe7f3e2b35c90b341d4cccf18347a9e0f8fdda480c8981a4095cece6e
Instruction Fuzzy Hash: 6851B771600311BBDF14BB65D899B29BBA8FF99310F249866ED05FF291DB708C40CB66

Function 005A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005A94E5
_wcslen.LIBCMT ref: 005A9506
_wcslen.LIBCMT ref: 005A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 005A9585

Strings

X, xrefs: 005A9412

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: dca027dbb5dc561d1f6eb4e9ffc4496498db97f4a3a3582a722c0740e9517df9
Instruction ID: 9a5820e3f299bd788be51515ce49904b596029689b9dba1fa4dde90eac48ccea
Opcode Fuzzy Hash: dca027dbb5dc561d1f6eb4e9ffc4496498db97f4a3a3582a722c0740e9517df9
Instruction Fuzzy Hash: F7E190719083119FDB24DF24C485A6EBBE4BFC9314F14896DF8899B2A2DB31DD05CB92

Function 0054920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

BeginPaint.USER32(?,?,?), ref: 00549241
GetWindowRect.USER32(?,?), ref: 005492A5
ScreenToClient.USER32(?,?), ref: 005492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005492D3
EndPaint.USER32(?,?,?,?,?), ref: 00549321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005871EA

Part of subcall function 00549339: BeginPath.GDI32(00000000), ref: 00549357

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3612f14497968d205017270065d644c681f440e4213c5869bbb31f0d60527c57
Instruction ID: 446150343bd75af970d65ceb31e9d362849110267a48046696273ff40652292e
Opcode Fuzzy Hash: 3612f14497968d205017270065d644c681f440e4213c5869bbb31f0d60527c57
Instruction Fuzzy Hash: 6B418C70108201AFD721DF24CC89FAB7FA9FB9A324F140669F9949B2A1C7719845DB61

Function 005A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005A0847
EnterCriticalSection.KERNEL32(?), ref: 005A0863
LeaveCriticalSection.KERNEL32(?), ref: 005A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005A0921

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 02df8f08e4655e73125c0d8c90283c8ae2852a67c4b7b3cb4e5228590aafd922
Instruction ID: b8f628f2d2eb2a9c6563a99c7f6620bb2d648225e8e5940f143c5817a720584d
Opcode Fuzzy Hash: 02df8f08e4655e73125c0d8c90283c8ae2852a67c4b7b3cb4e5228590aafd922
Instruction Fuzzy Hash: 2F418971900206EFDF04AF54DC89AAABBB8FF45300F1440A9ED049A297DB34DE65DBA4

Function 005C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0058F3AB,00000000,?,?,00000000,?,0058682C,00000004,00000000,00000000), ref: 005C824C
EnableWindow.USER32(00000000,00000000), ref: 005C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005C82D1
ShowWindow.USER32(00000000,00000004), ref: 005C82E5
EnableWindow.USER32(00000000,00000001), ref: 005C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005C832F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3995b7330b07fa28a67049727489d39f6ff94749a02e526d3452b6114542b14f
Instruction ID: 3b2126bbeda44873b0d76b94fe38778f8a70170192e520ad67c3a7352ee5294b
Opcode Fuzzy Hash: 3995b7330b07fa28a67049727489d39f6ff94749a02e526d3452b6114542b14f
Instruction Fuzzy Hash: 50417D34601A44AFDB21CF95CC99FB57FE1FB4AB14F1852ADE5084F2A2CB31A845CB50

Function 00594C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00594C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00594CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00594CEA
_wcslen.LIBCMT ref: 00594D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00594D10
_wcsstr.LIBVCRUNTIME ref: 00594D1A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 286ee3d37ba6269030cf33876b399df7963d70ce9e903eb48e71c68ec56b25a6
Instruction ID: 533d5b1561ef722c0070159d5865a867e5c647bbc99b0440bb9d4bbb9455154d
Opcode Fuzzy Hash: 286ee3d37ba6269030cf33876b399df7963d70ce9e903eb48e71c68ec56b25a6
Instruction Fuzzy Hash: 4221F636604201BFEF155B39AD49E7B7FACEF85754F10802AF809CE191EA61DC429BA0

Function 005A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00533AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00533A97,?,?,00532E7F,?,?,?,00000000), ref: 00533AC2

_wcslen.LIBCMT ref: 005A587B
CoInitialize.OLE32(00000000), ref: 005A5995
CoCreateInstance.OLE32(005CFCF8,00000000,00000001,005CFB68,?), ref: 005A59AE
CoUninitialize.OLE32 ref: 005A59CC

Strings

.lnk, xrefs: 005A5876, 005A58C1, 005A5985

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 872b258c1659538feb5d608312bc6ad1b8ae4a57c50c175ca4d3734bde9da6fc
Instruction ID: 5dd87272a128ea3ecdeac1bcc008710f3279db01abcb8b6a31c238f19bd5db94
Opcode Fuzzy Hash: 872b258c1659538feb5d608312bc6ad1b8ae4a57c50c175ca4d3734bde9da6fc
Instruction Fuzzy Hash: FBD151756086069FC714DF24C484E2EBBE5FF8A714F148859F88A9B361EB31EC45CB92

Function 0059175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00590FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00590FCA
Part of subcall function 00590FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00590FD6
Part of subcall function 00590FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00590FE5
Part of subcall function 00590FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00590FEC
Part of subcall function 00590FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00591002

GetLengthSid.ADVAPI32(?,00000000,00591335), ref: 005917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005917BA
HeapAlloc.KERNEL32(00000000), ref: 005917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005917DA
GetProcessHeap.KERNEL32(00000000,00000000,00591335), ref: 005917EE
HeapFree.KERNEL32(00000000), ref: 005917F5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3c5b2d6b90759eb5bf3743664514af75280eebdd12aad4b33e218e4c1d7066e3
Instruction ID: 6298789c9c8067de21b260bf2e1b68d9c6ef634a775a09f19fa16aa9f0a55b96
Opcode Fuzzy Hash: 3c5b2d6b90759eb5bf3743664514af75280eebdd12aad4b33e218e4c1d7066e3
Instruction Fuzzy Hash: 59119732A00A16EFDF149FA5CC49FAE7FB9FB41355F144418F486A7220C736A948DB68

Function 005914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00591506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00591515
CloseHandle.KERNEL32(00000004), ref: 00591520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00591563

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 38da7e202e71d8ed8ebd5aa6f7ba115066dd50f8ea7f66dd86ef6cc3bb9b3a31
Instruction ID: bc46eb1f685e858d3e53e58b85313fc1bd991670db2f5247c69c1b6642f5246d
Opcode Fuzzy Hash: 38da7e202e71d8ed8ebd5aa6f7ba115066dd50f8ea7f66dd86ef6cc3bb9b3a31
Instruction Fuzzy Hash: E711447250060AAFDF118FA8ED49FDE7FA9FB48744F054028FA09A2060C3758E65AB64

Function 00553382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00553379,00552FE5), ref: 00553390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0055339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005533B7
SetLastError.KERNEL32(00000000,?,00553379,00552FE5), ref: 00553409

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 69b4b713091dda58d8e6bce89767fa2ae4c1feecbc048979436f0165da2a7b58
Instruction ID: 3de00270e9c8584405f566412600aca298d7b7e458ebb6c9fb88bbdbbf9c97d9
Opcode Fuzzy Hash: 69b4b713091dda58d8e6bce89767fa2ae4c1feecbc048979436f0165da2a7b58
Instruction Fuzzy Hash: BB012232208316AEAB1527747CAD96A2E58FB613BB320023FFC18851F0EE111D0EA548

Function 00562D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00565686,00573CD6,?,00000000,?,00565B6A,?,?,?,?,?,0055E6D1,?,005F8A48), ref: 00562D78
_free.LIBCMT ref: 00562DAB
_free.LIBCMT ref: 00562DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0055E6D1,?,005F8A48,00000010,00534F4A,?,?,00000000,00573CD6), ref: 00562DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0055E6D1,?,005F8A48,00000010,00534F4A,?,?,00000000,00573CD6), ref: 00562DEC
_abort.LIBCMT ref: 00562DF2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1061e64d3ea8daa0f390aab2cf962a6d94dcc5ab7e9efccf4c7fd5ca29d28458
Instruction ID: c455e8e0fc66d152c3a90e99d34abf76dda3306d054376d02ea35da2a0efd402
Opcode Fuzzy Hash: 1061e64d3ea8daa0f390aab2cf962a6d94dcc5ab7e9efccf4c7fd5ca29d28458
Instruction Fuzzy Hash: 14F0CD35544E026BC3122734BC1EE5F1D79BFD17A1F250814F828D31D1DF3488479260

Function 005C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00549639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00549693
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496A2
Part of subcall function 00549639: BeginPath.GDI32(?), ref: 005496B9
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005C8A70
LineTo.GDI32(?,00000000,00000003), ref: 005C8A80
EndPath.GDI32(?), ref: 005C8A90
StrokePath.GDI32(?), ref: 005C8AA0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7257fbdb9862bbd2419df9e0f5e99a6565bd06dd04d8aea800c9626bb446bba2
Instruction ID: 89d794e17b7d4e8a9ce29e6dcedabb0d94e8350f7cc3633a550dd8feb61dc148
Opcode Fuzzy Hash: 7257fbdb9862bbd2419df9e0f5e99a6565bd06dd04d8aea800c9626bb446bba2
Instruction Fuzzy Hash: CE11397200010CFFDB129F90DC88EAA7F6DEB09350F008016FA599A1A0C7719D55EFA0

Function 005951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00595218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00595229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00595230
ReleaseDC.USER32(00000000,00000000), ref: 00595238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0059524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00595261

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3b05affc70b3b5b2cf9b852cd882a167d2cbcc27d23485bff2cfc4c8cbb10ce9
Instruction ID: 92363e7fd6a46b70c5ca352ce900686623693093aea7627e18403ab001ead071
Opcode Fuzzy Hash: 3b05affc70b3b5b2cf9b852cd882a167d2cbcc27d23485bff2cfc4c8cbb10ce9
Instruction Fuzzy Hash: 1A018475A01B04BFEF109BA59C49E4EBF78FB58351F044065FA08A7280D6709804DB60

Function 00531BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00531BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00531BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00531C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00531C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00531C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00531C22

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: df7cfe8bc8135b269ffc407111a131babb5558a73e41f9eecbcdaf01772c46bc
Instruction ID: 364d0f1c3d3262b3ed1065f56f45339856a1e95a2b15f06c87b85b1c639435b9
Opcode Fuzzy Hash: df7cfe8bc8135b269ffc407111a131babb5558a73e41f9eecbcdaf01772c46bc
Instruction Fuzzy Hash: 9D016CB0902B597DE3008F5A8C85B52FFA8FF19354F00411BD15C4BA41C7F5A864CBE5

Function 0059EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0059EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0059EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0059EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0059EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0059EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0059EB75

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 4bda8b20ccd75c0c478e3ea69a3bd3e2e5b7f2927081a05624ccc0e371575f5d
Instruction ID: 43f8c4e78050f10a957fb9c629c6e287b330e71be4690480a789862a03333330
Opcode Fuzzy Hash: 4bda8b20ccd75c0c478e3ea69a3bd3e2e5b7f2927081a05624ccc0e371575f5d
Instruction Fuzzy Hash: ADF09A72600958BFE7205B639C0EEEF3E7CEFDAB15F000158F605D1090D7A01A05E6B4

Function 00587439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00587452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00587469
GetWindowDC.USER32(?), ref: 00587475
GetPixel.GDI32(00000000,?,?), ref: 00587484
ReleaseDC.USER32(?,00000000), ref: 00587496
GetSysColor.USER32(00000005), ref: 005874B0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 405fb58a4dca160e89bba7f0b9a819dba06eed7965cc6c6e5bf432d9bdce9430
Instruction ID: c99213512833376631b4de95c1a0243a603e57e5a0fd29cb869549443b6012b1
Opcode Fuzzy Hash: 405fb58a4dca160e89bba7f0b9a819dba06eed7965cc6c6e5bf432d9bdce9430
Instruction Fuzzy Hash: 93018F31400A05EFEB109FA4DC08FAA7FB5FB14311F240060FD19A20B1CB311D46EB50

Function 00591874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0059187F
UnloadUserProfile.USERENV(?,?), ref: 0059188B
CloseHandle.KERNEL32(?), ref: 00591894
CloseHandle.KERNEL32(?), ref: 0059189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005918A5
HeapFree.KERNEL32(00000000), ref: 005918AC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4a11964a178573b812cd437419e516200e7e5a40cae0013ee070814a4b2a422d
Instruction ID: 8664fc03187144d7b08516d4aa354266aef95215d9e74f0b8aefe417dcb55c91
Opcode Fuzzy Hash: 4a11964a178573b812cd437419e516200e7e5a40cae0013ee070814a4b2a422d
Instruction Fuzzy Hash: 39E01A36404901BFDB015FA2ED0CD0ABF79FF69B22B108624F22981470CB329424EF50

Function 0053BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053BEB3

Strings

D%`D%`, xrefs: 0053BCA5
D%`, xrefs: 0053BDED, 0053BD91, 0053BD1B
D%`, xrefs: 0053BCA2
D%`, xrefs: 0053BE9A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%`$D%`$D%`$D%`D%`
API String ID: 1385522511-531244762
Opcode ID: 0ad0f4fd2de7d934747b514dd36bdf4f3af91443c3dd06f60f5967116dc05a93
Instruction ID: bc63fd1243a454109ed32fe597a69bb1b7c64627724b49e1e1fa8e4deb3bd666
Opcode Fuzzy Hash: 0ad0f4fd2de7d934747b514dd36bdf4f3af91443c3dd06f60f5967116dc05a93
Instruction Fuzzy Hash: 09916D75A0020ACFDB28CF58C4A16AABBF2FF58314F24456EDA45AB351D731ED81DB90

Function 005B7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00550242: EnterCriticalSection.KERNEL32(0060070C,00601884,?,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055024D
Part of subcall function 00550242: LeaveCriticalSection.KERNEL32(0060070C,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055028A

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005500A3: __onexit.LIBCMT ref: 005500A9

__Init_thread_footer.LIBCMT ref: 005B7BFB

Part of subcall function 005501F8: EnterCriticalSection.KERNEL32(0060070C,?,?,00548747,00602514), ref: 00550202
Part of subcall function 005501F8: LeaveCriticalSection.KERNEL32(0060070C,?,00548747,00602514), ref: 00550235

Strings

Variable must be of type 'Object'., xrefs: 005B7C3A
+TX, xrefs: 005B7E2E
G, xrefs: 005B7C7F
5, xrefs: 005B7C78

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TX$5$G$Variable must be of type 'Object'.
API String ID: 535116098-619909410
Opcode ID: 04d3302ddad57c3661bae7782bc3be21a0213192abfa3e75bed3ed0c01b181b9
Instruction ID: 17f38cb3bc47b176bc42abb0dcdefc6896780fdc388496750e785929cc7ee57c
Opcode Fuzzy Hash: 04d3302ddad57c3661bae7782bc3be21a0213192abfa3e75bed3ed0c01b181b9
Instruction Fuzzy Hash: 3F918C70A0420AAFCB14EF94D895DEDBFB6FF88304F108459F8169B292DB71AE45CB51

Function 0059C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0059C6EE
_wcslen.LIBCMT ref: 0059C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0059C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0059C7CA

Strings

0, xrefs: 0059C6AF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f4ba6bdd2a2bf51bae5ac917745781c66d37a489b4628ba76848c54d615bc9c3
Instruction ID: 8d701adf38c0b33e71fd89e3b05b8cf126e7f399e3ba27d60c0657cf83df1de2
Opcode Fuzzy Hash: f4ba6bdd2a2bf51bae5ac917745781c66d37a489b4628ba76848c54d615bc9c3
Instruction Fuzzy Hash: 2051AB716043019BDB14DF68C889BABBFE8FF8A354F040A2DF995D71E0DB64D9049B92

Function 005BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005BAEA3

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

GetProcessId.KERNEL32(00000000), ref: 005BAF38
CloseHandle.KERNEL32(00000000), ref: 005BAF67

Strings

<, xrefs: 005BAE6B
@, xrefs: 005BAE72

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: dcf05f4af7698db7c4fef8e59c027604695fd19250e2c92f8740b47fa95dc826
Instruction ID: dc1895ce9b1d66fe7c832bde8d4c660a10c2a33a0a51be8fda2752a8d24f8bc0
Opcode Fuzzy Hash: dcf05f4af7698db7c4fef8e59c027604695fd19250e2c92f8740b47fa95dc826
Instruction Fuzzy Hash: 9C717775A0061ADFCB14DF64C488A9EBFF4BF48310F048499E856AB3A2DB74ED45CB91

Function 0059719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00597206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0059723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0059724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005972CF

Strings

DllGetClassObject, xrefs: 00597242

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d449f5ba43e1ad72f4c0fce6e67c9813ba5370f13658f3017a6bc15754f67e9d
Instruction ID: 83aa84567c8c8821bca7879429315cec54a6591e82e91c68204b60a3e8ad065f
Opcode Fuzzy Hash: d449f5ba43e1ad72f4c0fce6e67c9813ba5370f13658f3017a6bc15754f67e9d
Instruction Fuzzy Hash: 17416075624208DFDF15CF54C884A9A7FA9FF48710F1584AAFD099F20AD7B0DA44DBA0

Function 005C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C3E35
IsMenu.USER32(?), ref: 005C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005C3E92
DrawMenuBar.USER32 ref: 005C3EA5

Strings

0, xrefs: 005C3D89

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d8e8de7148164d1738bc36487d10f1a4a2a90cf1a2d314180c91cf324fe70d65
Instruction ID: 1a6aed27f76a6c740d425bbcaaec1d73b1005d5139b4318ff70588fdd488e375
Opcode Fuzzy Hash: d8e8de7148164d1738bc36487d10f1a4a2a90cf1a2d314180c91cf324fe70d65
Instruction Fuzzy Hash: 76412475A0120DAFDB10DFA0D884EAABFB9FF49354F04812DE905AB250D730AE45DFA0

Function 00591DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00591E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00591E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00591EA9

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Strings

ListBox, xrefs: 00591E25
ComboBox, xrefs: 00591DF0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f38f667779d513a358f47a0f43bc75d1fbc56e7864bdd27f5241f49e7a535a4c
Instruction ID: 3956994361d14dba10889bc4d9660d0b0568a7d9980dfe993820a59065029884
Opcode Fuzzy Hash: f38f667779d513a358f47a0f43bc75d1fbc56e7864bdd27f5241f49e7a535a4c
Instruction Fuzzy Hash: F121E475A0050ABEDF149B64DC49CFFBFACBF85350F104519F925A72E1DB744D099620

Function 005C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005C2F8D
LoadLibraryW.KERNEL32(?), ref: 005C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005C2FA9
DestroyWindow.USER32(?), ref: 005C2FB1

Strings

SysAnimate32, xrefs: 005C2F68

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9b9fc73f66c4fc5af13e453bf9b19f9fac41b598f9e5c11c41f16f02631c3f77
Instruction ID: 99336e43692a16806487530c70c9df99a7436b15191856efe7efd9b3685ef67c
Opcode Fuzzy Hash: 9b9fc73f66c4fc5af13e453bf9b19f9fac41b598f9e5c11c41f16f02631c3f77
Instruction Fuzzy Hash: E921B871200209AFEB208EA49C86FBB3BB9FB59324F10421CFA54D6190D671DC81AB60

Function 00554D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00554D1E,005628E9,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002), ref: 00554D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00554DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00554D1E,005628E9,?,00554CBE,005628E9,005F88B8,0000000C,00554E15,005628E9,00000002,00000000), ref: 00554DC3

Strings

CorExitProcess, xrefs: 00554D98
mscoree.dll, xrefs: 00554D86

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 878a459e10d7188789e707665f4d28cd8e2fe44a6be9c9c92eb56e97955272bc
Instruction ID: 5b25c015e2f7b0828a883115ee47896aafcb4049e608014b21db3998e9b9c300
Opcode Fuzzy Hash: 878a459e10d7188789e707665f4d28cd8e2fe44a6be9c9c92eb56e97955272bc
Instruction Fuzzy Hash: EDF08C30A00208AFDB109B94DC09BAEBFB8FF54712F0400A6EC09A62A0CB305989DF90

Function 00534E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00534EAE
FreeLibrary.KERNEL32(00000000,?,?,00534EDD,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534EC0

Strings

kernel32.dll, xrefs: 00534E94
Wow64DisableWow64FsRedirection, xrefs: 00534EA8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 66eb9bd0beb1260b809d4367fb6b29249561490c8ae0f86984d813d1a3585774
Instruction ID: 42e7716581a0eb25a0c992f80439c47713e5674a5727b4b2f95f9483f77b87c7
Opcode Fuzzy Hash: 66eb9bd0beb1260b809d4367fb6b29249561490c8ae0f86984d813d1a3585774
Instruction Fuzzy Hash: D6E08635A01A225FD22117266C18F6B6F58BF92B62B090115FD08D2210DB74DD0AA4E1

Function 00534E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00534E74
FreeLibrary.KERNEL32(00000000,?,?,00573CDE,?,00601418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00534E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00534E6E
kernel32.dll, xrefs: 00534E5B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: faed529d8e38ffb0654edd781660288b407b9670548ad42ea241de23a578d4ef
Instruction ID: a4fdc5fdd93d930d70be7e1d155bf6b790810c644ec12d9a9d58833752a76d9a
Opcode Fuzzy Hash: faed529d8e38ffb0654edd781660288b407b9670548ad42ea241de23a578d4ef
Instruction Fuzzy Hash: 11D0C232902A215F96231B66AC08E8B2F1CBF81F113090114F908A6110CF30CD06E9D1

Function 005A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005A2C05
DeleteFileW.KERNEL32(?), ref: 005A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005A2CC0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b5f709c966cd1ea9b12362a689ab2dece9a23735efca516160666bc8a7dd8b74
Instruction ID: 0735848d28efb613e53991e1f95d68752ec79329d4eb4860a9900692c1f883f2
Opcode Fuzzy Hash: b5f709c966cd1ea9b12362a689ab2dece9a23735efca516160666bc8a7dd8b74
Instruction Fuzzy Hash: E2B1507290011AABDF25DBA4CC8AEDE7F7DFF49350F1040A6F509E6151EA319E448F61

Function 005BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 005BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005BA468
CloseHandle.KERNEL32(?), ref: 005BA63D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f24799e9661dc39b33fe699f7522925944c9e4b8591be66d0b6e825352164dae
Instruction ID: d12e44a63954d154bc287515fa5af3bde97b2340b15590643e4633bf9da90a2e
Opcode Fuzzy Hash: f24799e9661dc39b33fe699f7522925944c9e4b8591be66d0b6e825352164dae
Instruction Fuzzy Hash: 72A16E71604301AFDB20DF24D886F6ABBE5BF84714F14885DF69A9B2D2D770EC418B92

Function 0056BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005D3700), ref: 0056BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0060121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0056BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00601270,000000FF,?,0000003F,00000000,?), ref: 0056BC36
_free.LIBCMT ref: 0056BB7F

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056BD4B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2c79d36287c9c7409effbc0d877e8e88c262e33c741e6e121a78c9ab8977efba
Instruction ID: 097ed2e0c6eaf7b5be215a172188be3934932afdeb217a4814da591a048e9d87
Opcode Fuzzy Hash: 2c79d36287c9c7409effbc0d877e8e88c262e33c741e6e121a78c9ab8977efba
Instruction Fuzzy Hash: 2451D67190020AAFEB20DF65DC8596EBFB8FB81350B10066AE554DB2A1EB309FC1CB50

Function 0059E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0059CF22,?), ref: 0059DDFD

Part of subcall function 0059DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0059CF22,?), ref: 0059DE16

Part of subcall function 0059E199: GetFileAttributesW.KERNEL32(?,0059CF95), ref: 0059E19A

lstrcmpiW.KERNEL32(?,?), ref: 0059E473
MoveFileW.KERNEL32(?,?), ref: 0059E4AC
_wcslen.LIBCMT ref: 0059E5EB
_wcslen.LIBCMT ref: 0059E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0059E650

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e2202a23f5722cba0abdbf22bd16f8f52fb2035b3bc4568c3e14cb3f7c33f898
Instruction ID: 7797bde78e17b2c3a3167bdbad7e0dbf0f469d5499ace1e07a078484cc6ba6b6
Opcode Fuzzy Hash: e2202a23f5722cba0abdbf22bd16f8f52fb2035b3bc4568c3e14cb3f7c33f898
Instruction Fuzzy Hash: CB5142B24083459BCB24DB90D8959DFBBECBFC4340F00491EF589D3191EE75A588C766

Function 005BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 005BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BB6AE,?,?), ref: 005BC9B5
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BC9F1
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA68
Part of subcall function 005BC998: _wcslen.LIBCMT ref: 005BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005BBB63
RegCloseKey.ADVAPI32(?,?), ref: 005BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 005BBBB3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: aeb2ebe77d7cd7cb8c01fa962d8a75f8c4aba22b21b780e178e15e3d1b29432a
Instruction ID: 94cbfb41a7024b00f0ab1c6ed890c13ec7fefb1cd3af80d9e1f69fefc01aea45
Opcode Fuzzy Hash: aeb2ebe77d7cd7cb8c01fa962d8a75f8c4aba22b21b780e178e15e3d1b29432a
Instruction Fuzzy Hash: F5619F71608241AFD714DF14C894E6ABFE5FF84308F14895CF4998B2A2DBB1ED45CB92

Function 00598BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00598BCD
VariantClear.OLEAUT32 ref: 00598C3E
VariantClear.OLEAUT32 ref: 00598C9D
VariantClear.OLEAUT32(?), ref: 00598D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00598D3B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: dcaa1f8e1f40caae5aed9bf2464556030c7cf764ea08638284907071e68ead18
Instruction ID: d71ce83e84cb9af9a35576298b1263f7ad417aa35ff94398092de6be18de7e3a
Opcode Fuzzy Hash: dcaa1f8e1f40caae5aed9bf2464556030c7cf764ea08638284907071e68ead18
Instruction Fuzzy Hash: 475148B5A00619EFCF14CF68C894EAABBF9FF89314B158559E909DB350E730E911CB90

Function 005A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005A8C5F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 526625a784ea062ecbd893a6721d11367970ad0ca17c847d4ad11794a8ed8bc5
Instruction ID: 5c35761e5f6e10c2c17bcdc862240d06b30bfb398698c1d4911dfe81e0749c0d
Opcode Fuzzy Hash: 526625a784ea062ecbd893a6721d11367970ad0ca17c847d4ad11794a8ed8bc5
Instruction Fuzzy Hash: 83514875A00219AFCB14DF65C884A6DBBF5FF89314F088058E849AB362DB31ED51CB90

Function 005B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 005B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 005B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 005B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 005B9032
FreeLibrary.KERNEL32(00000000), ref: 005B9052

Part of subcall function 0054F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005A1043,?,7644E610), ref: 0054F6E6
Part of subcall function 0054F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0058FA64,00000000,00000000,?,?,005A1043,?,7644E610,?,0058FA64), ref: 0054F70D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: dc0b767fc09d14111f27f36b62273cbc6f1eca6254d268c326e9fb2a1e632672
Instruction ID: 47139383eac2ff9ab06ce4380d31e7531ab493e092662e2b967d70b2c48883aa
Opcode Fuzzy Hash: dc0b767fc09d14111f27f36b62273cbc6f1eca6254d268c326e9fb2a1e632672
Instruction Fuzzy Hash: 1F510875604205DFCB15EF58C4989E9BFB1FF89314F098099E90A9B362DB31ED86CB90

Function 005C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005AAB79,00000000,00000000), ref: 005C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005C6CC7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a48460bfd6f5c9f5682a9ce2b4e2cad0fe39ffd010bd577ddfa59f4c4b2a05e5
Instruction ID: 17a3dd10ac7080cd3a536f6a682067e60eba07771252402e2d17b13c480cc2e6
Opcode Fuzzy Hash: a48460bfd6f5c9f5682a9ce2b4e2cad0fe39ffd010bd577ddfa59f4c4b2a05e5
Instruction Fuzzy Hash: F241D535A04104AFD724CFA8CD58FAA7FA5FB09350F14022CF899AB2E1C371EE41DA80

Function 00562051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005620C3
_free.LIBCMT ref: 005620E3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 74bee9f766522d23ef11272473ac916ad9023062521924c20880734659abc485
Instruction ID: a96db8b859ab23736f8390932fb9ac837564d11313f2c888d5c2c44e172fca74
Opcode Fuzzy Hash: 74bee9f766522d23ef11272473ac916ad9023062521924c20880734659abc485
Instruction Fuzzy Hash: 6D41E432A006049FCB24DF78C985A6DBBF5FF89324F154569E915EB352DB31AD01CB80

Function 0054912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00549141
ScreenToClient.USER32(00000000,?), ref: 0054915E
GetAsyncKeyState.USER32(00000001), ref: 00549183
GetAsyncKeyState.USER32(00000002), ref: 0054919D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cb7bb5c4dd39d161f977f52cb5335ebbe127f18e7c67bcc1b49c71193f42f72c
Instruction ID: dd733f972f30cf9fc417fdcbdfd27934be4f68157fc99e8e911d55edc8937511
Opcode Fuzzy Hash: cb7bb5c4dd39d161f977f52cb5335ebbe127f18e7c67bcc1b49c71193f42f72c
Instruction Fuzzy Hash: 78415F3190850BBFDF15AF64C849BEEBB74FB49324F204219E829A2290C730AD54DB91

Function 005A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 005A3922
TranslateMessage.USER32(?), ref: 005A394B
DispatchMessageW.USER32(?), ref: 005A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A3966

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7eecfa83ca6f479e765c48b71b8323ca01bf1a223d1491ae3961003640c29a8c
Instruction ID: 44f50a5f071a818490406688b655107db556660ecbcd413e6aebc1603b45a426
Opcode Fuzzy Hash: 7eecfa83ca6f479e765c48b71b8323ca01bf1a223d1491ae3961003640c29a8c
Instruction Fuzzy Hash: 6D31A0709443469FEB25CF749848BBB3FA8FB17308F04456DF466861A0E3B49A89DB21

Function 005ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,005AC21E,00000000), ref: 005ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 005ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,005AC21E,00000000), ref: 005ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,005AC21E,00000000), ref: 005ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,005AC21E,00000000), ref: 005ACFF2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: eacd3226a26a01fcc21bfdfc38a7323c57cd8eac0310aafc400e2804fdb80427
Instruction ID: a2874d40c5ffd4a2d9cc2b860902be3e305c06343a0d2c8f04ad428c596510f1
Opcode Fuzzy Hash: eacd3226a26a01fcc21bfdfc38a7323c57cd8eac0310aafc400e2804fdb80427
Instruction Fuzzy Hash: 90317C71900605AFDB20DFA5D884EAFBFF9FB15314B10442EF50AD2100DB30AE45DB60

Function 00591901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00591915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005919E2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 99205e29eb14637b6fb41beab13da5805e292ab12959996ebd6eb2adce077048
Instruction ID: fbaaffe383f5efdd387224eab5836f230ac1cf293500b2808148b11aeaed8f0d
Opcode Fuzzy Hash: 99205e29eb14637b6fb41beab13da5805e292ab12959996ebd6eb2adce077048
Instruction Fuzzy Hash: EE31AD71A0062AEFDF00CFA8C999ADE3FB5FB54315F104229F926AB2D1C7709944DB90

Function 005B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005B0951
GetForegroundWindow.USER32 ref: 005B0968
GetDC.USER32(00000000), ref: 005B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 005B09B0
ReleaseDC.USER32(00000000,00000003), ref: 005B09E8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 45887848aeb10cd7e34415e8a0e71aa089c1d68c9db1568b975954adc75cda0a
Instruction ID: 05fe9796a96f033b533a05a8596bc0b17163b448f8e48c1c64b78e8a792406c8
Opcode Fuzzy Hash: 45887848aeb10cd7e34415e8a0e71aa089c1d68c9db1568b975954adc75cda0a
Instruction Fuzzy Hash: AA218135600604AFD704EF69C989EAEBFE9FF89740F048468E84A97752DB30EC44DB50

Function 0056CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0056CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0056CDE9

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0056CE0F
_free.LIBCMT ref: 0056CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0056CE31

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8a8566d3c09289805e5e74ee3f0296566f592e893a8bdf562061c34e16289585
Instruction ID: f4606196e627e01545ca7b49ce360495bcf10c5bae01bd6d4cff09394fecf260
Opcode Fuzzy Hash: 8a8566d3c09289805e5e74ee3f0296566f592e893a8bdf562061c34e16289585
Instruction Fuzzy Hash: 45018472A026557F233216B66C8CD7B7D7DFEC6FA13150129F949C7201EA668D0191B0

Function 00549639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00549693
SelectObject.GDI32(?,00000000), ref: 005496A2
BeginPath.GDI32(?), ref: 005496B9
SelectObject.GDI32(?,00000000), ref: 005496E2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 13062efce0db8c2cfc3940c11a2a3a3aca9e99242dc19fb8caaef126d0856add
Instruction ID: 3f2653f5cbcb04633284ca90c1dd1656803f6152c89b789001b395ba66250323
Opcode Fuzzy Hash: 13062efce0db8c2cfc3940c11a2a3a3aca9e99242dc19fb8caaef126d0856add
Instruction Fuzzy Hash: 13219530842309EFDB119F65EC09BEB3FB6BB52319F110216F414AA1B0D3709855DF94

Function 00595711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00595726
_memcmp.LIBVCRUNTIME ref: 00595744
_memcmp.LIBVCRUNTIME ref: 00595757
_memcmp.LIBVCRUNTIME ref: 0059576F
_memcmp.LIBVCRUNTIME ref: 00595787

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 59513758d8477797382fe89bbed00e65fb8371632d310fd5f5c8007e7822cf02
Instruction ID: f63170801d2a822bb71544c90224884cbbd3fdf90f3e2772ab9575a2a13e0b72
Opcode Fuzzy Hash: 59513758d8477797382fe89bbed00e65fb8371632d310fd5f5c8007e7822cf02
Instruction Fuzzy Hash: 7501D261241A0ABFDA095790ADA2FBA7F5DFB603D9B004425FE059A241F730EE2483E4

Function 00562DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0055F2DE,00563863,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6), ref: 00562DFD
_free.LIBCMT ref: 00562E32
_free.LIBCMT ref: 00562E59
SetLastError.KERNEL32(00000000,00531129), ref: 00562E66
SetLastError.KERNEL32(00000000,00531129), ref: 00562E6F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ec0e6e35a35ce7f3418a73970f85d661adbf0df7e2c5ef885ff3509b44081740
Instruction ID: 78c0e5f3a2a43e0d3026c46f41c79b0d7d6edef62869aa21a908212c43fd52bc
Opcode Fuzzy Hash: ec0e6e35a35ce7f3418a73970f85d661adbf0df7e2c5ef885ff3509b44081740
Instruction Fuzzy Hash: FE01F436645E026BC71227346C49D3B2E6DBBE17A1F254838F429E32D2EB268C459120

Function 0059000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?,?,0059035E), ref: 0059002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?), ref: 00590064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0058FF41,80070057,?,?), ref: 00590070

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b48ac0447dfccb193235b80842fa3e35bf0b6e03b8b5bcfaffcd4cfdf318d4c0
Instruction ID: bed412c5a38d9268181dbf1572f5349f3cbd9d4103141f3bdb5696286efc0cfb
Opcode Fuzzy Hash: b48ac0447dfccb193235b80842fa3e35bf0b6e03b8b5bcfaffcd4cfdf318d4c0
Instruction Fuzzy Hash: 7A018B72600604BFDF108F69DC08FAA7EEDFB44792F585924F909D2250E771DD44ABA0

Function 0059E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0059E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0059E9A5
Sleep.KERNEL32(00000000), ref: 0059E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0059E9B7
Sleep.KERNEL32 ref: 0059E9F3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d1c0a98d4f609bdafbc930ec84a8101242ea5efa2438421a9e3e8c3c353627b4
Instruction ID: 932437724addeb99383f68e157d49883d10726b3813d8a9d6c481e93cc721574
Opcode Fuzzy Hash: d1c0a98d4f609bdafbc930ec84a8101242ea5efa2438421a9e3e8c3c353627b4
Instruction Fuzzy Hash: E3015331C01A29DBCF00EBE5DC5AAEDBF78FB18300F050946E902B2241CB309A58DBA1

Function 005910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00591114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 0059112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00590B9B,?,?,?), ref: 00591136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0059114D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 56fc81d38194af887be92247e132efda552d8354228470bd453419109f0b19e5
Instruction ID: a7974c429b1fefb0991031639b2d3d7df6d4f9c774255f46aa3de946898f0eb8
Opcode Fuzzy Hash: 56fc81d38194af887be92247e132efda552d8354228470bd453419109f0b19e5
Instruction Fuzzy Hash: CD01F675200A15BFDB114BA5DC49E6A3FAEEF892A0B244419FA49D6260DB31DC05EA60

Function 00590FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00590FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00590FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00590FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00590FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00591002

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 77676047ba9f4db5e506a2b8142005bca04714ec9ea73f513cfc525c06f65208
Instruction ID: 296ad8ca1bb46db5829628f072cfa4c3f2523d447a7ea9e6772979c26ca132f5
Opcode Fuzzy Hash: 77676047ba9f4db5e506a2b8142005bca04714ec9ea73f513cfc525c06f65208
Instruction Fuzzy Hash: A0F0A935200B12AFDB210FA6AC4DF5A3FADFF99762F100414FA09D6250DA31DC40DA60

Function 00591014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0059102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00591036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0059104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591062

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ed0a2c779fb9f97fa0542e8994a8dcf47a1873f7f621141a27d8fafc0f5b8baf
Instruction ID: 91765aba19a3cfcc9651e26ffad2b712c6fe2058978d34525089e87588b77c7a
Opcode Fuzzy Hash: ed0a2c779fb9f97fa0542e8994a8dcf47a1873f7f621141a27d8fafc0f5b8baf
Instruction Fuzzy Hash: 2FF04935200B12AFDB215FA6EC4DF5A3FADFF997A1F140414FA49D6250CA71D8449A60

Function 005A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0324
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0331
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A033E
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A034B
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0358
CloseHandle.KERNEL32(?,?,?,?,005A017D,?,005A32FC,?,00000001,00572592,?), ref: 005A0365

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fec606dadb228b10723eaf33bd2bdfc3a1e1aa56caa838894cc02f76c439dbb2
Instruction ID: 6f0d079c97ea20e70eb8295672e6f076cf2c6479158f536268aa13d2c68f1cc2
Opcode Fuzzy Hash: fec606dadb228b10723eaf33bd2bdfc3a1e1aa56caa838894cc02f76c439dbb2
Instruction Fuzzy Hash: 2301AE72810B159FCB30AF66D88081AFBF9BF613163159E3FD19652971C3B1A958DF80

Function 0056D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0056D752

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 0056D764
_free.LIBCMT ref: 0056D776
_free.LIBCMT ref: 0056D788
_free.LIBCMT ref: 0056D79A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6165d4adee7a8261d40bf45edf058c4607b23935983dbade1e034f4d152baf1f
Instruction ID: 5f99fcd1ed527610c428fc5c82cb3adc274021e6f19a2960b6d7241f0d50b93d
Opcode Fuzzy Hash: 6165d4adee7a8261d40bf45edf058c4607b23935983dbade1e034f4d152baf1f
Instruction Fuzzy Hash: 1FF04F32B00609AB8625EB64FAC5D267FEDFB84390B940C15F049D7502CB24FC80C671

Function 00595C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00595C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00595C6F
MessageBeep.USER32(00000000), ref: 00595C87
KillTimer.USER32(?,0000040A), ref: 00595CA3
EndDialog.USER32(?,00000001), ref: 00595CBD

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0beaf7d93edbd2de920983946fee974871339404552495eee7e3ac9002183346
Instruction ID: a212b493eb7e2c83836d31cecbb46406490c210bb22af78f80910e268bf2d93b
Opcode Fuzzy Hash: 0beaf7d93edbd2de920983946fee974871339404552495eee7e3ac9002183346
Instruction Fuzzy Hash: 78018130500B04AFEF215B14DE4EFA67FB8FB10B05F000559E687A15E1EBF4AD989B90

Function 005622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005622BE

Part of subcall function 005629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000), ref: 005629DE
Part of subcall function 005629C8: GetLastError.KERNEL32(00000000,?,0056D7D1,00000000,00000000,00000000,00000000,?,0056D7F8,00000000,00000007,00000000,?,0056DBF5,00000000,00000000), ref: 005629F0

_free.LIBCMT ref: 005622D0
_free.LIBCMT ref: 005622E3
_free.LIBCMT ref: 005622F4
_free.LIBCMT ref: 00562305

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 51f04cd51465826e2b5efba379beaef6af01ebd01d5ad1665db70aea9c3ab68d
Instruction ID: 30cb43ac13e39556a72fc0872eb8b47aa6f282402621ab2759068de3879dfd62
Opcode Fuzzy Hash: 51f04cd51465826e2b5efba379beaef6af01ebd01d5ad1665db70aea9c3ab68d
Instruction Fuzzy Hash: 6AF0B4745809128BC716AF64BC0191A3FA6F759790F00111AF418C7271D7340681FFE4

Function 005495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005495D4
StrokeAndFillPath.GDI32(?,?,005871F7,00000000,?,?,?), ref: 005495F0
SelectObject.GDI32(?,00000000), ref: 00549603
DeleteObject.GDI32 ref: 00549616
StrokePath.GDI32(?), ref: 00549631

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6e5fa6a4735b7650ef7bad1a48f75d127807dffa86a17e1d5b2d5e830175abec
Instruction ID: f015ac01a94c85940fc325200031f3a8797b15188ee84c4026777fe632acb3b1
Opcode Fuzzy Hash: 6e5fa6a4735b7650ef7bad1a48f75d127807dffa86a17e1d5b2d5e830175abec
Instruction Fuzzy Hash: 48F06231045708EFDB165F65ED1DBAA3F62FB12326F149214F469690F0C7308995EF60

Function 00560F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005610F9
__freea.LIBCMT ref: 00561117

Part of subcall function 00561537: _free.LIBCMT ref: 0056154F

Strings

am/pm, xrefs: 0056117A
a/p, xrefs: 005611DE

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e1d217ccb8c6e9323f19dbb2cbeb94420b631f328601bc024f4bd135377e86d0
Instruction ID: b841d5ac47cbc8edf6f4de943b32ea763735481d4e1781ad2ceb2e1bbb3b5f93
Opcode Fuzzy Hash: e1d217ccb8c6e9323f19dbb2cbeb94420b631f328601bc024f4bd135377e86d0
Instruction Fuzzy Hash: 4DD1F235A00A06CBCB249F68C859BFABFB1FF06310F2C4959E9069B750D7359D80CB99

Function 005B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00550242: EnterCriticalSection.KERNEL32(0060070C,00601884,?,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055024D
Part of subcall function 00550242: LeaveCriticalSection.KERNEL32(0060070C,?,0054198B,00602518,?,?,?,005312F9,00000000), ref: 0055028A

Part of subcall function 005500A3: __onexit.LIBCMT ref: 005500A9

__Init_thread_footer.LIBCMT ref: 005B6238

Part of subcall function 005501F8: EnterCriticalSection.KERNEL32(0060070C,?,?,00548747,00602514), ref: 00550202
Part of subcall function 005501F8: LeaveCriticalSection.KERNEL32(0060070C,?,00548747,00602514), ref: 00550235

Part of subcall function 005A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005A35E4
Part of subcall function 005A359C: LoadStringW.USER32(00602390,?,00000FFF,?), ref: 005A360A

Strings

x#`, xrefs: 005B633A
x#`, xrefs: 005B636F
x#`, xrefs: 005B6353

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#`$x#`$x#`
API String ID: 1072379062-3950501536
Opcode ID: 85f053118308ebe224b59bee3ccac0a74e84b93ac6a60729ed2a5c9b511a1c6a
Instruction ID: 8fc4dd54d04c711968db93dd9f8fe52ea22c3e0961ce64eb508e5d683ab4d2f5
Opcode Fuzzy Hash: 85f053118308ebe224b59bee3ccac0a74e84b93ac6a60729ed2a5c9b511a1c6a
Instruction Fuzzy Hash: C3C15B71A00106AFDB24DF58C895EFEBBB9FF48300F148469E9459B291DB74ED45CB90

Function 00565AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOS, xrefs: 00565BA8, 00565C6C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: JOS
API String ID: 0-131039872
Opcode ID: 0dc427438055e99682d4576b438a0b8e652b7ab1d7c5666f1a04c0580a8cb1fe
Instruction ID: 307a3d9f96195156a42e76cd81f1b6119ffd3cfe4638671679f4e197ffb3729d
Opcode Fuzzy Hash: 0dc427438055e99682d4576b438a0b8e652b7ab1d7c5666f1a04c0580a8cb1fe
Instruction Fuzzy Hash: 0251C175D8060AAFDB219FA8CC49FAE7FB8FF45310F14045AF805A72A1EA319D01DB61

Function 00568A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00568B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00568B7A
__dosmaperr.LIBCMT ref: 00568B81

Strings

.U, xrefs: 00568A63

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .U
API String ID: 2434981716-2997353397
Opcode ID: 39c2d8ff317c2af3ffa31326bdc568f7662d1500ae8adead4359b60af4793081
Instruction ID: 8addc591414bbbc88ba0b24e7f7f3026b56ed0451037cc19d2f9675f1fd3098c
Opcode Fuzzy Hash: 39c2d8ff317c2af3ffa31326bdc568f7662d1500ae8adead4359b60af4793081
Instruction Fuzzy Hash: EF417BB0604045AFDB249F68DC84A7D7FA6FB85314F2C87AAF88587662DE31CC029790

Function 00592716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005921D0,?,?,00000034,00000800,?,00000034), ref: 0059B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00592760

Part of subcall function 0059B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0059B3F8

Part of subcall function 0059B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0059B355
Part of subcall function 0059B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00592194,00000034,?,?,00001004,00000000,00000000), ref: 0059B365
Part of subcall function 0059B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00592194,00000034,?,?,00001004,00000000,00000000), ref: 0059B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0059281A

Strings

@, xrefs: 00592832

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d5306c8b1acac34b2939212098dcff63d7b75e7cccf82755e4abab1fb6abdd3b
Instruction ID: d6bd3b4521ec04ba36f615a62d8ecb11cb03b2617797f7ead847b7d5d9685c1c
Opcode Fuzzy Hash: d5306c8b1acac34b2939212098dcff63d7b75e7cccf82755e4abab1fb6abdd3b
Instruction Fuzzy Hash: 97412972900219BEEF10DBA4D945EEEBBB8FF49300F104099EA55B7181DB706E85DBA0

Function 0056172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe,00000104), ref: 00561769
_free.LIBCMT ref: 00561834
_free.LIBCMT ref: 0056183E

Strings

C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, xrefs: 00561760, 00561767, 00561796, 005617CE

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe
API String ID: 2506810119-578366114
Opcode ID: bfc0d28228c7756a9264df00742996b15a1d5d0dfa2b07e46dffe6b4e14c1160
Instruction ID: 829883e48f458185cac023ac1aab02729fc7e743f1b76fb2ed50b8b12c0bc39e
Opcode Fuzzy Hash: bfc0d28228c7756a9264df00742996b15a1d5d0dfa2b07e46dffe6b4e14c1160
Instruction Fuzzy Hash: A1319C71A40609ABDB21DB999885DAEBFFCFB85310F18416AF804DB211DA708A80CB94

Function 0059C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0059C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0059C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00601990,00D54DB0), ref: 0059C395

Strings

0, xrefs: 0059C2DF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 40ad23b7e24e4cf56c58f52bf775cf0ac3cbe458619e432b314026364851f00e
Instruction ID: 6b99481e676daf61c2e2041d12032c960a36ed5662c99fa90374189bfe8e8723
Opcode Fuzzy Hash: 40ad23b7e24e4cf56c58f52bf775cf0ac3cbe458619e432b314026364851f00e
Instruction Fuzzy Hash: 79417F712043029FDB24DF29D885B5ABFE4BF85320F148A5DF9A5972D1D770E904CB52

Function 005C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005CCC08,00000000,?,?,?,?), ref: 005C44AA
GetWindowLongW.USER32 ref: 005C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C44D7

Strings

SysTreeView32, xrefs: 005C447C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b61feb5c5837f3000655948624d25c8ebada9428768396186e0516a6dcb12848
Instruction ID: 2c5d1d614dc950143a0c236e3b3adb7d2edd3210c30bf7e4f574083ff796b393
Opcode Fuzzy Hash: b61feb5c5837f3000655948624d25c8ebada9428768396186e0516a6dcb12848
Instruction Fuzzy Hash: D1316931210606AFDF248EB8DC99FEA7FA9FB48324F204719F979921E0D774AC509B50

Function 00596E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00596EED
VariantCopyInd.OLEAUT32(?,?), ref: 00596F08
VariantClear.OLEAUT32(?), ref: 00596F12

Strings

*jY, xrefs: 00596E8B, 00596E90, 00596EF8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jY
API String ID: 2173805711-1195274329
Opcode ID: b63aec31f8c7aac3d2264b56cae887d7931828048f5459a86b71dc6a8cc8ced6
Instruction ID: c30b64a8e45e8c31607e840db6ab4a1efb13e809c354a7ec7fea10015b2e1209
Opcode Fuzzy Hash: b63aec31f8c7aac3d2264b56cae887d7931828048f5459a86b71dc6a8cc8ced6
Instruction Fuzzy Hash: 29318F72604246DFDF09AFA4E8959BE7F75FF85300F100899F9034B2A1D738995ADBA0

Function 005B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005B3077,?,?), ref: 005B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B307A
_wcslen.LIBCMT ref: 005B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 005B3106

Strings

255.255.255.255, xrefs: 005B3095, 005B309A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 75e9ed3ea6851fed1bab0c7006ff3aa74b7ae8194f5dd8432f1a76674883cb6e
Instruction ID: b58523df02058bae545a61918e06e4707bcb74d639c458981188e66fdb345fa4
Opcode Fuzzy Hash: 75e9ed3ea6851fed1bab0c7006ff3aa74b7ae8194f5dd8432f1a76674883cb6e
Instruction Fuzzy Hash: 4331C4396042059FC710DF28C489EEA7FE4FF54318F248459E915AB3A2DB71EE45CB60

Function 005C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005C471A

Strings

msctls_updown32, xrefs: 005C4684

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 20c2a185deb19a2f01e0d9b650af355edadacbe328ee6a57bf9fa4fb0d49ea6e
Instruction ID: fb578ebc212f156a9965150a961881ded485c56d30e5e056055ace65dec6fde2
Opcode Fuzzy Hash: 20c2a185deb19a2f01e0d9b650af355edadacbe328ee6a57bf9fa4fb0d49ea6e
Instruction Fuzzy Hash: CB215EB5600209AFDB10DF68DC95DB73BEDFB9A394B040059FA059B351CB30EC52DA60

Function 005995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059961D

Strings

#OnAutoItStartRegister, xrefs: 005995F3
#requireadmin, xrefs: 005995D9
#notrayicon, xrefs: 005995B7

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3d64737941cf156c46639086c2493139d5c15853868e51c240ec3da0731e7cbd
Instruction ID: af21cfe12ade0bbfa9439c9be24064df748add6d4318450cad06b8aec92e9598
Opcode Fuzzy Hash: 3d64737941cf156c46639086c2493139d5c15853868e51c240ec3da0731e7cbd
Instruction Fuzzy Hash: 0F21267210451266DB31AA2CDC16FB77FACBF95310F10442EF94997041EB51AD45C3D5

Function 005C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005C3876

Strings

Listbox, xrefs: 005C380F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ce61431aee6eb7118d87e1e1ec8a98ed3975c2b265884a602b775f7f9493a468
Instruction ID: d3ce60f7799fc1e65e67fd4f238c5b988e6a25bd0318f873baf2fb2c553b0c2f
Opcode Fuzzy Hash: ce61431aee6eb7118d87e1e1ec8a98ed3975c2b265884a602b775f7f9493a468
Instruction Fuzzy Hash: 3F218072610118BFEB119F94DC85FBB3BAEFF89750F118128F9049B190C671DD5287A0

Function 005A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005A4A5C
SetErrorMode.KERNEL32(00000000,?,?,005CCC08), ref: 005A4AD0

Strings

%lu, xrefs: 005A4A6F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e9392da659cbdc20a778cb8564f4ffa9b610c20769ac16ed14869d103fa92bd9
Instruction ID: 9ba51ccc538f6fda20655ccf3bf6947921e8ea23a6f84c28cf00af5b7efc7128
Opcode Fuzzy Hash: e9392da659cbdc20a778cb8564f4ffa9b610c20769ac16ed14869d103fa92bd9
Instruction Fuzzy Hash: A0312D75A00109AFDB10DF94C885EAA7BB9FF49308F1480A5E509DB252D771ED45CB61

Function 005C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005C4271

Strings

msctls_trackbar32, xrefs: 005C4226

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2f13c74a6faae57d14b698a16cc15daafbec0e7e6e81ce480fe780a9c0f823de
Instruction ID: 81347761612471b1e2a655e591071da36648a7fc9a0d19ebdc02bf08a9d44d23
Opcode Fuzzy Hash: 2f13c74a6faae57d14b698a16cc15daafbec0e7e6e81ce480fe780a9c0f823de
Instruction Fuzzy Hash: 5511A331240248BEEF205E69CC46FAB3FACFF95B54F114518FA55E6090D671D851DB50

Function 00592F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

Part of subcall function 00592DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00592DC5
Part of subcall function 00592DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00592DD6
Part of subcall function 00592DA7: GetCurrentThreadId.KERNEL32 ref: 00592DDD
Part of subcall function 00592DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00592DE4

GetFocus.USER32 ref: 00592F78

Part of subcall function 00592DEE: GetParent.USER32(00000000), ref: 00592DF9

GetClassNameW.USER32(?,?,00000100), ref: 00592FC3
EnumChildWindows.USER32(?,0059303B), ref: 00592FEB

Strings

%s%d, xrefs: 00592FFF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7498bf087034d871cff9d5dab7d88fec7e7d1d79f64c0d5d241bd2e21c0cc144
Instruction ID: 5c64e60e428fca8c9e235c99e3edb9b62cb36f1c657f24df24ba34a47cb43ceb
Opcode Fuzzy Hash: 7498bf087034d871cff9d5dab7d88fec7e7d1d79f64c0d5d241bd2e21c0cc144
Instruction Fuzzy Hash: FE118471600206ABCF14BF749C9DEED7F6ABFD4304F048079FA099B252DE70994A9B60

Function 0058D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0058D3BF
FreeLibrary.KERNEL32 ref: 0058D3E5

Strings

X64, xrefs: 0058D2A8
GetSystemWow64DirectoryW, xrefs: 0058D3B9

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7fcd8fce5420ade9fc93c8a7a8a05d0aedd5c742a848b0241c508d2727829a9f
Instruction ID: 9e300e8b74a2692419d09974dd922ad3d933a06be2eee7c7f92bef532e73b507
Opcode Fuzzy Hash: 7fcd8fce5420ade9fc93c8a7a8a05d0aedd5c742a848b0241c508d2727829a9f
Instruction Fuzzy Hash: F3F02035841A20AEC77126104C58EAA7FB0BF10B01BA84919EC0BFA184EA20CD4483F2

Function 0059007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d30e716f07b2c5dee5e764408270a29be6092cf147dc84f659bca32d15239b
Instruction ID: c83dc6b7220128ded7809eca5f3f895df2bb32ae2d9a85747000596312d5e228
Opcode Fuzzy Hash: 24d30e716f07b2c5dee5e764408270a29be6092cf147dc84f659bca32d15239b
Instruction Fuzzy Hash: 15C15B75A00216EFCF14CFA4C894AAEBBB5FF48714F209998E905EB291D731DD41DB90

Function 005B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005B3459
CoUninitialize.OLE32 ref: 005B3463
VariantInit.OLEAUT32(?), ref: 005B346E
VariantClear.OLEAUT32(?), ref: 005B371B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 9378aff5276a6f896feb528246f4cb38f0a8bfbc9cf0c3d97265993e089117c2
Instruction ID: d354b1691a6aad9fca242d13eaa3275317ca8615392ef2baed9d91461cda1a55
Opcode Fuzzy Hash: 9378aff5276a6f896feb528246f4cb38f0a8bfbc9cf0c3d97265993e089117c2
Instruction Fuzzy Hash: 31A16B756046059FCB14DF28C489A6ABBE5FF8C714F048859F98AAB362DB30FE05CB51

Function 00590436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005CFC08,?), ref: 005905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005CFC08,?), ref: 00590608
CLSIDFromProgID.OLE32(?,?,00000000,005CCC40,000000FF,?,00000000,00000800,00000000,?,005CFC08,?), ref: 0059062D
_memcmp.LIBVCRUNTIME ref: 0059064E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 03e9b6cd61a601694fb6a6ad3f0ca0aff75da76f18c82a295a1cf815bd4d5efb
Instruction ID: b431cd1fff1231a6961e8770a918d8dc32ddbe2c6cd01b22c72190f210cb1ad2
Opcode Fuzzy Hash: 03e9b6cd61a601694fb6a6ad3f0ca0aff75da76f18c82a295a1cf815bd4d5efb
Instruction Fuzzy Hash: 8A81EB75A00109EFCF04DF94C984EEEBBB9FF89315F205558E516AB290DB71AE06CB60

Function 00571391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005714C0

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: db37488bca0c4dc98c651f7af1b9ee744529db9731009251b79e7715e327b921
Instruction ID: 020436e4b6ded235fe4404d16278c7cbf72a787f5b04c037ef5af29c1e729fec
Opcode Fuzzy Hash: db37488bca0c4dc98c651f7af1b9ee744529db9731009251b79e7715e327b921
Instruction Fuzzy Hash: 53417F75600D026BDF356BBCAC4AABE3EA6FF81370F148626F81DD3191EA3448417765

Function 005C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D5E7D8,?), ref: 005C62E2
ScreenToClient.USER32(?,?), ref: 005C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005C6382

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e79bc6c3f5ca0601871c82506d72b49ff9799350e70ad6445ca6f27c7a579aac
Instruction ID: c1a5a64b4508164dbe56d5e0b9042bd7760108088e1df3b26789a0600bbed0a6
Opcode Fuzzy Hash: e79bc6c3f5ca0601871c82506d72b49ff9799350e70ad6445ca6f27c7a579aac
Instruction Fuzzy Hash: 88511B74A00649AFCF10DFA8D984EAE7BB6FB95760F10855DF8159B290D730EE81CB90

Function 005B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005B1AFD
WSAGetLastError.WSOCK32 ref: 005B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005B1B8A
WSAGetLastError.WSOCK32 ref: 005B1B94

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 793f796e7b7c4ccc44079f11a757496588a9a8b0979543ac600d3ee57c9f7002
Instruction ID: f20ed79146010cedf82243647c2f4b8b467443cdcd056c6398433cc249137a81
Opcode Fuzzy Hash: 793f796e7b7c4ccc44079f11a757496588a9a8b0979543ac600d3ee57c9f7002
Instruction Fuzzy Hash: 7541B074600601AFE720AF24C88AF667FE5BB84718F54844CFA1A9F3D2D772ED418B90

Function 0056B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f216da68e3eb26188c3db65238b7df6a6a89725f2200eaf00ab2a2654de8b473
Instruction ID: fdc84ae2840e816d15c0fc2a56f709b48d77b017a52b257b59e6dc373fdb905a
Opcode Fuzzy Hash: f216da68e3eb26188c3db65238b7df6a6a89725f2200eaf00ab2a2654de8b473
Instruction Fuzzy Hash: 7C412B75900714AFE724AF38CC45BAA7FEAFBC4711F10452AF546DB291D77199818780

Function 005A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005A5783
GetLastError.KERNEL32(?,00000000), ref: 005A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005A57FA

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 661681ffe082f4863672373230d02e137404cf6fd2913f7392d5916faac844b6
Instruction ID: f136b16e5268793c35069dc8496edfbf21d7f9ac4f4a6162944506ece2c2b4e2
Opcode Fuzzy Hash: 661681ffe082f4863672373230d02e137404cf6fd2913f7392d5916faac844b6
Instruction Fuzzy Hash: 1841F839600A15DFCB25DF15C448A1DBFE1BF99320F188488E84A6B362DB34ED009B91

Function 0056D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00556D71,00000000,00000000,005582D9,?,005582D9,?,00000001,00556D71,?,00000001,005582D9,005582D9), ref: 0056D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0056D9AB
__freea.LIBCMT ref: 0056D9B4

Part of subcall function 00563820: RtlAllocateHeap.NTDLL(00000000,?,00601444,?,0054FDF5,?,?,0053A976,00000010,00601440,005313FC,?,005313C6,?,00531129), ref: 00563852

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3b4e5cfff15af5bbccc99961fb47d3523ba25fb12212aeb9c756a903c6704d26
Instruction ID: 1445b772efd183fa1e0ffe1d94cc7653a73d1cb80b0c6303a73583e9ee6d2e66
Opcode Fuzzy Hash: 3b4e5cfff15af5bbccc99961fb47d3523ba25fb12212aeb9c756a903c6704d26
Instruction Fuzzy Hash: A9319A72A0020AABDB249F65DC49EAF7FB5FB41750B054569FC08D7290EB35CD54CBA0

Function 005C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005C5352
GetWindowLongW.USER32(?,000000F0), ref: 005C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005C53A8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e259c1fae6f0f03bb0ee131cddd34d222292175e152677a9bead061aa0302b1c
Instruction ID: 825ed3d4c37ed9611bbc84b2776b9946a3063c10a6373d2e44db7d2e25ee2789
Opcode Fuzzy Hash: e259c1fae6f0f03bb0ee131cddd34d222292175e152677a9bead061aa0302b1c
Instruction Fuzzy Hash: 5431D430A55A88AFEB309FD4CC15FE93F65BB05B90F944909FA10961E1E7B4B9C09B41

Function 0059AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0059ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0059AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0059AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0059ACC6

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8c114579c1251ed9e6f345969a20eae6054985c60fc44b42b297de668ced059d
Instruction ID: 4fc555b56e0e24884c2b60c31b7a90547ad7c049b09a4e3086b4067690ec3d2d
Opcode Fuzzy Hash: 8c114579c1251ed9e6f345969a20eae6054985c60fc44b42b297de668ced059d
Instruction Fuzzy Hash: 4A310430A00619AFFF35CB698C08BFA7FA5BB89311F08461AF4859A1D1C3758D8597F2

Function 005C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005C769A
GetWindowRect.USER32(?,?), ref: 005C7710
PtInRect.USER32(?,?,005C8B89), ref: 005C7720
MessageBeep.USER32(00000000), ref: 005C778C

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2be2ac90dc633e73207482a31e72b4191e9d9af68c533478a5da0ff3ff77f05b
Instruction ID: b1126bc87aff012d8c0f4550a8e0e18501e211a1af67374f068dbc96713e7f22
Opcode Fuzzy Hash: 2be2ac90dc633e73207482a31e72b4191e9d9af68c533478a5da0ff3ff77f05b
Instruction Fuzzy Hash: 58415A34A0521D9FCB11CFA8C894FA9BBF5FB4D314F1941ADE9149B661C730A942CF90

Function 005C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005C16EB

Part of subcall function 00593A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00593A57
Part of subcall function 00593A3D: GetCurrentThreadId.KERNEL32 ref: 00593A5E
Part of subcall function 00593A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005925B3), ref: 00593A65

GetCaretPos.USER32(?), ref: 005C16FF
ClientToScreen.USER32(00000000,?), ref: 005C174C
GetForegroundWindow.USER32 ref: 005C1752

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9d1eb7e2f2afe5247ef5a8628178abd6a19e1f93f89b52b6eccb11d7fdd8ffb2
Instruction ID: d487a431111dc023bb84b0c2067822e08e6455977034935667bd4ca5c1c32ae0
Opcode Fuzzy Hash: 9d1eb7e2f2afe5247ef5a8628178abd6a19e1f93f89b52b6eccb11d7fdd8ffb2
Instruction Fuzzy Hash: 28311D75D00549AFCB04EFA9C885DAEBBF9FF89304B5480A9E415E7212D6319E45CFA0

Function 0059D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059D501
Process32FirstW.KERNEL32(00000000,?), ref: 0059D50F
Process32NextW.KERNEL32(00000000,?), ref: 0059D52F
CloseHandle.KERNEL32(00000000), ref: 0059D5DC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 99494b5e708a4a5c7fcff48b5f42d1557b29810c00b8976d8deadcda2c50a458
Instruction ID: 5baae22b1b1d4293fc8985230f9ebd25e08b7a8743e3ef32d1a266e212e5a6ce
Opcode Fuzzy Hash: 99494b5e708a4a5c7fcff48b5f42d1557b29810c00b8976d8deadcda2c50a458
Instruction Fuzzy Hash: 18317C721082019FD701EF64C885AAFBFF8BFD9354F14092DF585861A1EB719949CBA2

Function 005C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

GetCursorPos.USER32(?), ref: 005C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00587711,?,?,?,?,?), ref: 005C9016
GetCursorPos.USER32(?), ref: 005C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00587711,?,?,?), ref: 005C9094

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: abf9fc249a256d14e366c661c0084d9b58720f76e5f620a9570fa61a9ffa305c
Instruction ID: cfa09badf0576a254d402ab5513188abb69e6aa642fef65f04eb36cfe8eb4e64
Opcode Fuzzy Hash: abf9fc249a256d14e366c661c0084d9b58720f76e5f620a9570fa61a9ffa305c
Instruction Fuzzy Hash: 71216D35600018EFDB258F94C85DFEA7FBAFB8A350F144059F9055B261C7319990EB60

Function 0059D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005CCB68), ref: 0059D2FB
GetLastError.KERNEL32 ref: 0059D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0059D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005CCB68), ref: 0059D376

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1a4dfa6631a90a3b7e2e22fb7188a9e59ce53d1324a85c139475daf56bc98848
Instruction ID: bc85206f5852fd707b24c1f0cd4d1a07d94162fdad7875bfd755688cd0a3e30a
Opcode Fuzzy Hash: 1a4dfa6631a90a3b7e2e22fb7188a9e59ce53d1324a85c139475daf56bc98848
Instruction Fuzzy Hash: 77218D745082029FCB00DF68C8858AABFF4BE96365F504E1DF499C32A1D730994ACBA3

Function 00591571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00591014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0059102A
Part of subcall function 00591014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00591036
Part of subcall function 00591014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591045
Part of subcall function 00591014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0059104C
Part of subcall function 00591014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00591062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005915BE
_memcmp.LIBVCRUNTIME ref: 005915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00591617
HeapFree.KERNEL32(00000000), ref: 0059161E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2325aad4cbe993b8bff76d7e36981dc8c19d1b6549ab030b12df60e7910ced4f
Instruction ID: 40d383346914911b0efb17c3ca4e1d944d95566f732cf96b2dd1f604b1228335
Opcode Fuzzy Hash: 2325aad4cbe993b8bff76d7e36981dc8c19d1b6549ab030b12df60e7910ced4f
Instruction Fuzzy Hash: BD219031E4051AEFDF10DFA4CA49BEEBBB8FF44344F094459E445AB241D730AA05DB54

Function 005C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005C2840

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fd5d083ef66189c499719b538620879ff76c891c74237455cfad50947b77bb7c
Instruction ID: dab5b5619aee1d519ff1e9ee66a0551126ed42a1d80b79d09b1c4a7265eace56
Opcode Fuzzy Hash: fd5d083ef66189c499719b538620879ff76c891c74237455cfad50947b77bb7c
Instruction Fuzzy Hash: 4C219D35208611AFD7149B64C895FAA7FA5FF85324F14815CF42A8B6A2CB75EC82CB90

Function 005978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00598D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0059790A,?,000000FF,?,00598754,00000000,?,0000001C,?,?), ref: 00598D8C
Part of subcall function 00598D7D: lstrcpyW.KERNEL32(00000000,?,?,0059790A,?,000000FF,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00598DB2
Part of subcall function 00598D7D: lstrcmpiW.KERNEL32(00000000,?,0059790A,?,000000FF,?,00598754,00000000,?,0000001C,?,?), ref: 00598DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00597923
lstrcpyW.KERNEL32(00000000,?,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00597949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00598754,00000000,?,0000001C,?,?,00000000), ref: 00597984

Strings

cdecl, xrefs: 0059797B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ed78a06cd86a5fcd6359926fe9a2f5b21512bdd2615c03225fa21753a861dade
Instruction ID: 4cf22cfbfb0800b8c2e7b5c7b542a7fc22749c212b4516ba687e2d70bd95c240
Opcode Fuzzy Hash: ed78a06cd86a5fcd6359926fe9a2f5b21512bdd2615c03225fa21753a861dade
Instruction Fuzzy Hash: 7B11063A200706AFCF155F39D848E7A7BA9FF99350B10402BF906CB264EB319811D791

Function 005C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 005C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005AB7AD,00000000), ref: 005C7D6B

Part of subcall function 00549BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00549BB2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: ed6e26dca059045cdca78e91d594acc2a2eadafce1eca4148d689e52dbe84362
Instruction ID: 4b3d1024d5bdcee9e66ebbb8f8bdaa7c0f0913768a3a5b8cf91b639743fd4096
Opcode Fuzzy Hash: ed6e26dca059045cdca78e91d594acc2a2eadafce1eca4148d689e52dbe84362
Instruction Fuzzy Hash: 53118E31504619AFCB109F68DC04EA63FA5BF4A360F154728F83ACB6E0D7309950DB90

Function 00561D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b9e597f3f9baf05735f1e5a5e79bdfa07bb8980706f1b101823b4a8ba62ef1
Instruction ID: a3750c921c7cfbbdd1db1cb677e5449dd0c8c6dcffd8bb21c0ce1c69be832031
Opcode Fuzzy Hash: 52b9e597f3f9baf05735f1e5a5e79bdfa07bb8980706f1b101823b4a8ba62ef1
Instruction Fuzzy Hash: 6E0178B2609E167EF62126786CC5F376E2DFF817B8F380725F525A22D2DA608C4091A4

Function 00591A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00591A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00591A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00591A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00591A8A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9872be7962d053dfdc87bf430941bcf6ef4cb88bd0368e43e0e37d7809bdda8d
Instruction ID: a2f5d6a6fe1d432e7a4935a6d3cc51bb25ee28a42910e644417405a88880c0ce
Opcode Fuzzy Hash: 9872be7962d053dfdc87bf430941bcf6ef4cb88bd0368e43e0e37d7809bdda8d
Instruction Fuzzy Hash: 7411FA3AD01229FFEF119BA5C985FADBB78FB04750F200091E605B7290D6716E50DB94

Function 0059E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0059E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0059E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0059E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0059E24D

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b749f7326d2c678bd113a009e55cb135a3bf9362b692127a645dea926eb20f72
Instruction ID: b60736ac5760e30148f4ad816ff342998c0a7820d7de8aeeeac3d4b6066cd30b
Opcode Fuzzy Hash: b749f7326d2c678bd113a009e55cb135a3bf9362b692127a645dea926eb20f72
Instruction Fuzzy Hash: 2211C876904254BFCB05DBA8EC0AE9F7FADEB46710F144255F914D7291D670890487A0

Function 0055D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0055CFF9,00000000,00000004,00000000), ref: 0055D218
GetLastError.KERNEL32 ref: 0055D224
__dosmaperr.LIBCMT ref: 0055D22B
ResumeThread.KERNEL32(00000000), ref: 0055D249

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b3afc60178f39c11f812443219df5b941e4b3d438db8b45ad9d89a2637d72fd9
Instruction ID: 7e29d524db63d6c4b78bccac5b8aaee5b53cb1bfb4bb41344cf3f6591aea6237
Opcode Fuzzy Hash: b3afc60178f39c11f812443219df5b941e4b3d438db8b45ad9d89a2637d72fd9
Instruction Fuzzy Hash: 9801C07B805605BBCB215BA6DC19AAA7E79FF81732F10021AFD25921D0DB708909D7B0

Function 0053600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0053604C
GetStockObject.GDI32(00000011), ref: 00536060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0053606A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 68fce195ae2783d48af34254100d3eef1e3e0cac2607e66699d8608bd06567f4
Instruction ID: 001a278f35ca34b2a3f4c7ea28559109152c076cd9c8dcd7a92590e666c9841d
Opcode Fuzzy Hash: 68fce195ae2783d48af34254100d3eef1e3e0cac2607e66699d8608bd06567f4
Instruction Fuzzy Hash: 4511C072501508BFEF164FA4DC49EEABFA9FF193A4F044209FA0996010C732DC60EBA1

Function 00553B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00553B56

Part of subcall function 00553AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00553AD2
Part of subcall function 00553AA3: ___AdjustPointer.LIBCMT ref: 00553AED

_UnwindNestedFrames.LIBCMT ref: 00553B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00553B7C
CallCatchBlock.LIBVCRUNTIME ref: 00553BA4

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: ad7da77d0d125f7c3e5d1a005222f6169f649587d5db565105bf9e2e395b6e7f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0D012932100149BBDF125E95CC5AEEB3F69FF887A9F044016FE4896121C732E965DBA0

Function 00563073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005313C6,00000000,00000000,?,0056301A,005313C6,00000000,00000000,00000000,?,0056328B,00000006,FlsSetValue), ref: 005630A5
GetLastError.KERNEL32(?,0056301A,005313C6,00000000,00000000,00000000,?,0056328B,00000006,FlsSetValue,005D2290,FlsSetValue,00000000,00000364,?,00562E46), ref: 005630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0056301A,005313C6,00000000,00000000,00000000,?,0056328B,00000006,FlsSetValue,005D2290,FlsSetValue,00000000), ref: 005630BF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 19b88dd303ecde39024debbbbd5523b638e5112eb46b5f65e929a7972a2558b6
Instruction ID: 9c696e588d6b11d73fad33f92416db277cbd0709c7507c6462460696e05d90f5
Opcode Fuzzy Hash: 19b88dd303ecde39024debbbbd5523b638e5112eb46b5f65e929a7972a2558b6
Instruction Fuzzy Hash: 6801F736341622ABCB314B79AC48E577F98FF15BB1B100620F909E7150D721D90DC7E0

Function 00597464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0059747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00597497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005974CA

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dcc9e06235c3aae856e502877bca2b8036eaa745cfeb1745f8787b85a005d087
Instruction ID: a4b505b62c20de2b2ae657598410ad182be79752ac3127498659e78bce596332
Opcode Fuzzy Hash: dcc9e06235c3aae856e502877bca2b8036eaa745cfeb1745f8787b85a005d087
Instruction Fuzzy Hash: 53117CB12157189FEF208F14DC08F927FBCFB04B00F10856AA62AD6152D770E908EB90

Function 0059B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0059ACD3,?,00008000), ref: 0059B126

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f060161280a9a499871267e7a63279324e84fbe28c8863df296a7a1189d3917a
Instruction ID: 32b1fd4e634395bbf838f9ac35ba7347424aa58b294e92b757c50ecf18733475
Opcode Fuzzy Hash: f060161280a9a499871267e7a63279324e84fbe28c8863df296a7a1189d3917a
Instruction Fuzzy Hash: 70118B30C00A2CEBEF00AFE5EA68AEEBF78FF59310F014485D941B2181CB305650EB91

Function 00592DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00592DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00592DD6
GetCurrentThreadId.KERNEL32 ref: 00592DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00592DE4

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 70e86a2e6a3b2003363c091cbccb781e9d900c65c3cf67adf953b66f3921f0b9
Instruction ID: 446ef5a1926071d5a8c1f640d1bfc08c396bcbb358d1f18224ba5ddb8e4218d6
Opcode Fuzzy Hash: 70e86a2e6a3b2003363c091cbccb781e9d900c65c3cf67adf953b66f3921f0b9
Instruction Fuzzy Hash: 8BE092B15017247FDB201B779C0DFEB3E6CFF62BA1F000015F10AD10809AA0C886D6B0

Function 005C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00549639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00549693
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496A2
Part of subcall function 00549639: BeginPath.GDI32(?), ref: 005496B9
Part of subcall function 00549639: SelectObject.GDI32(?,00000000), ref: 005496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005C8887
LineTo.GDI32(?,?,?), ref: 005C8894
EndPath.GDI32(?), ref: 005C88A4
StrokePath.GDI32(?), ref: 005C88B2

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5141190be306a056499a450ba1bf74b8d6dfdc94d70b5184e5b80ded4600a63d
Instruction ID: 4b4d9e9415f8f7ae2146ebc6f81218042e9a82521277b2dca6d7a6b52947bb6a
Opcode Fuzzy Hash: 5141190be306a056499a450ba1bf74b8d6dfdc94d70b5184e5b80ded4600a63d
Instruction Fuzzy Hash: E7F09436041618BAEB126F94AC0EFDE3F6AAF16310F088004FA01650E2C7B41525EBE9

Function 005498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005498CC
SetTextColor.GDI32(?,?), ref: 005498D6
SetBkMode.GDI32(?,00000001), ref: 005498E9
GetStockObject.GDI32(00000005), ref: 005498F1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 7120f10facfd9ac53f85e0597091fb6d7fcf5c7e688e7f32c2c89a88c334705e
Instruction ID: e7f1e831cf392cb4c88f656f6967fcf56a5b0ef4ad272c1ca580218891f66ba9
Opcode Fuzzy Hash: 7120f10facfd9ac53f85e0597091fb6d7fcf5c7e688e7f32c2c89a88c334705e
Instruction Fuzzy Hash: 8DE06531644644AEDB215B75BC09FD93F10BB26335F188219F6FE540E1C3718644EB10

Function 0059162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00591634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005911D9), ref: 0059163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005911D9), ref: 00591648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005911D9), ref: 0059164F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: afa4aabbc3f1f17c72c95916e7a7f4362170fc02c6620d85ecfa5e805cb7ce95
Instruction ID: 1bd17cefe92f8602ab589c6b7d7bf91eb36346c912cf0a17d00dc2d3619fd2c7
Opcode Fuzzy Hash: afa4aabbc3f1f17c72c95916e7a7f4362170fc02c6620d85ecfa5e805cb7ce95
Instruction Fuzzy Hash: CAE08671A01621DFDB201FA0AD0DF4A3F7CBF64791F184808F249D9080D6348449D754

Function 0058D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0058D858
GetDC.USER32(00000000), ref: 0058D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0058D882
ReleaseDC.USER32(?), ref: 0058D8A3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 78234e4432b03b138572c24488b6d6902494e370f0f5fef8faf7e6a72f779bae
Instruction ID: d85ebfd2103f6bd73dd90b9bc5f11d1a881150d908abb5abdedd0723a8f65d8b
Opcode Fuzzy Hash: 78234e4432b03b138572c24488b6d6902494e370f0f5fef8faf7e6a72f779bae
Instruction Fuzzy Hash: 86E01AB4800605DFCB41AFA4D90CA6DBFB1FB18310F149409E84AF7250C7388946AF50

Function 0058D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0058D86C
GetDC.USER32(00000000), ref: 0058D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0058D882
ReleaseDC.USER32(?), ref: 0058D8A3

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bdb05f9386c8d23f360e340cf9fa4a80c583de20603fda33c9894791ab410254
Instruction ID: ca0cfe6c3bef5a6ac563ceabd6bf9434c47a506f9a23e84e8f6080c18c47b6a5
Opcode Fuzzy Hash: bdb05f9386c8d23f360e340cf9fa4a80c583de20603fda33c9894791ab410254
Instruction Fuzzy Hash: 11E012B4800A00EFCB40AFA4D90CA6DBFB1BB18310F149408E84AE7250CB38994AAF50

Function 005A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00537620: _wcslen.LIBCMT ref: 00537625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005A4ED4

Strings

LPT, xrefs: 005A4DFB
*, xrefs: 005A4E10

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1ae78f324bfd10e7fc92664a42555c53ba501fec07a77cebeaa82c417b305727
Instruction ID: cd4d2d4194ff320bc8cc5c73786e6badbf5a33d84e70ea8c6db83cde3c2a66fc
Opcode Fuzzy Hash: 1ae78f324bfd10e7fc92664a42555c53ba501fec07a77cebeaa82c417b305727
Instruction Fuzzy Hash: 23913B75A002459FCB14DF98C484EAEBBF5BF89304F188099E80A9B362D775ED85CF91

Function 005B7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0058569E,00000000,?,005CCC08,?,00000000,00000000), ref: 005B78DD

Part of subcall function 00536B57: _wcslen.LIBCMT ref: 00536B6A

CharUpperBuffW.USER32(0058569E,00000000,?,005CCC08,00000000,?,00000000,00000000), ref: 005B783B

Strings

<s_, xrefs: 005B77C8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s_
API String ID: 3544283678-771138486
Opcode ID: a839a70f23d7a6dbd12f7fb1139f1f8bd55eff41769baaf4aba85f9e024dba71
Instruction ID: 34a84a98b4b33e4cde5e785b9900ed1c5198819439913a05dbb5ee4146d22b7a
Opcode Fuzzy Hash: a839a70f23d7a6dbd12f7fb1139f1f8bd55eff41769baaf4aba85f9e024dba71
Instruction Fuzzy Hash: 05615B7691411EAACF04EBA4CC95DFDBB78BF98300F544529F642B7091EF346A09DBA0

Function 0054E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0054E1B1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a5781d5da581c23e0f4b66cf5e50b9a0cb168d62980d73301e21522c05ae86af
Instruction ID: 0c02b40745e03b1efdcea3b1ba2925ed23101e62f8ed68757b57018154fc69de
Opcode Fuzzy Hash: a5781d5da581c23e0f4b66cf5e50b9a0cb168d62980d73301e21522c05ae86af
Instruction Fuzzy Hash: 7C512335608286DFDB15EF68C4866FA7FB4FF65314F244055EC91AB280D6349D42CB90

Function 0054F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0054F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0054F2BB

Strings

@, xrefs: 0054F2AF

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e0d2706ba88539b4d35fa2dd6a5189f4a100435e64dc74eeef46568c2ddfbb93
Instruction ID: 6f20741d96beacefce56ef81ec31a4e12653fa1a3c54feb5a3d50534fc7b35f7
Opcode Fuzzy Hash: e0d2706ba88539b4d35fa2dd6a5189f4a100435e64dc74eeef46568c2ddfbb93
Instruction Fuzzy Hash: 845138714087499BD320AF10DC8ABAFBBF8FBD8300F81885DF1D951195EB708629CB66

Function 005B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005B57E0
_wcslen.LIBCMT ref: 005B57EC

Strings

CALLARGARRAY, xrefs: 005B57E6, 005B57EB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9302b349713241b02fce1400ad3ab21eb19c1a2486884f9554c960d6f39b6de0
Instruction ID: 46b59e1c51b21d710e01bc33e63c90fbe55fc8bd647d4eae2635d49b0e515d29
Opcode Fuzzy Hash: 9302b349713241b02fce1400ad3ab21eb19c1a2486884f9554c960d6f39b6de0
Instruction Fuzzy Hash: A2416F71A0010A9FCF18DFA9C885AEEBFB5FF99324F244069F505A7251E774AD81CB90

Function 005AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005AD13A

Strings

|, xrefs: 005AD10B

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1fe09e835623cbf181c30158a1dd453def3f944be62649a44ebd56ac903d58de
Instruction ID: 4fd97d21e0d26773caf53205f9b4abaf1b3a989b109f1657fff2ebdc0878438c
Opcode Fuzzy Hash: 1fe09e835623cbf181c30158a1dd453def3f944be62649a44ebd56ac903d58de
Instruction Fuzzy Hash: 97311D71D0021AABCF15EFA4CC89AEFBFB9FF49300F104019F815A6165D735AA56DBA0

Function 005C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005C365C

Strings

static, xrefs: 005C35BC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9f9f02c3561491996197169f0d1c0950f1015851eaeb33b9d351ac8f2e16a39c
Instruction ID: f3256e1589754406fffadd86e20b50d6e444ed868fbd88dbf66b6e713c607dd3
Opcode Fuzzy Hash: 9f9f02c3561491996197169f0d1c0950f1015851eaeb33b9d351ac8f2e16a39c
Instruction Fuzzy Hash: E1318171110608AEDB10DF68DC85FFB7BA9FF88714F10961DF95597280DA31AD81D760

Function 005C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005C4634

Strings

', xrefs: 005C458E

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3b1db8886ef49b156b2c50a48a6ab1da09ec9f8743b8e57049e859af5bc2e0a9
Instruction ID: 165b37b5d9415c14f988bba5614adc791dc59d284934ff34f2a2ea386c14e8d7
Opcode Fuzzy Hash: 3b1db8886ef49b156b2c50a48a6ab1da09ec9f8743b8e57049e859af5bc2e0a9
Instruction Fuzzy Hash: BA311674A0120A9FDB14CFA9C9A0FEABBB5FF49300F14506AE905AB395D770A941CF90

Function 005C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005C3287

Strings

Combobox, xrefs: 005C3249

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8978362eb3fb8e9eaba6819473d94a4298f5cdda50ae3a47b2fdb3fe4a6df789
Instruction ID: 6789e658c40610b707596f2980520a6214b18ac4bf512a68e63a08b27f5f1aee
Opcode Fuzzy Hash: 8978362eb3fb8e9eaba6819473d94a4298f5cdda50ae3a47b2fdb3fe4a6df789
Instruction Fuzzy Hash: E611D07520020D7FEF219E94DC84FBB3F6AFB98364F108128F9189B290D6319D5187A0

Function 005C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0053600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0053604C
Part of subcall function 0053600E: GetStockObject.GDI32(00000011), ref: 00536060
Part of subcall function 0053600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0053606A

GetWindowRect.USER32(00000000,?), ref: 005C377A
GetSysColor.USER32(00000012), ref: 005C3794

Strings

static, xrefs: 005C3757

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 44815f13f8784333a14b6335ec252782a029f39b801ed8eab3d333c13a67a2ab
Instruction ID: 018a6761af0ae96a949ff2a9871bb2fc669a8366dea11d070df52e444f0164ab
Opcode Fuzzy Hash: 44815f13f8784333a14b6335ec252782a029f39b801ed8eab3d333c13a67a2ab
Instruction Fuzzy Hash: 7E1129B261020AAFDB01DFA8CC4AEEA7BF8FB09314F004918F955E2250E775E9519B50

Function 005ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005ACDA6

Strings

<local>, xrefs: 005ACD66

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 80e77253870b49d8970bb85409a91fe74e6720443146fb69014cb3613be99a40
Instruction ID: 1a76c02ea20a43d893b2bbb57af2fcb48345073b8c45d30753fa2890db3ce27d
Opcode Fuzzy Hash: 80e77253870b49d8970bb85409a91fe74e6720443146fb69014cb3613be99a40
Instruction Fuzzy Hash: 6211C271205675BAD7384B668C49EFBBEADFF237A4F00462AB11983180D7749844D6F0

Function 005C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005C34BA

Strings

edit, xrefs: 005C348F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e237d8c31423031ab9caecbd6a4b907ae20d1c44baba1ae42e0444c770d2b892
Instruction ID: ee1ace5c18d3485a964d14db99909bd4075b8340ebe10828e1312bd784e8715f
Opcode Fuzzy Hash: e237d8c31423031ab9caecbd6a4b907ae20d1c44baba1ae42e0444c770d2b892
Instruction Fuzzy Hash: 23119D71100108AEEF154EA4DC88FAB3F6AFB15374F508728F964971D0C731DC519B50

Function 00596C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

CharUpperBuffW.USER32(?,?,?), ref: 00596CB6
_wcslen.LIBCMT ref: 00596CC2

Strings

STOP, xrefs: 00596CBC, 00596CC1

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e6584e3bfab00180719424305cf3f5067e1ec27b68aecd7b1ea83a4dc08b3ce3
Instruction ID: 05ab8a9eb2e3448bec9a2cb138361ef950831ab011407eb8ef08d2ee59fba7f4
Opcode Fuzzy Hash: e6584e3bfab00180719424305cf3f5067e1ec27b68aecd7b1ea83a4dc08b3ce3
Instruction Fuzzy Hash: 540104326005278ACF219FBDDC858BF7FB4FAA0710B400924F86292190EB31DC48C650

Function 00591CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00591D4C

Strings

ListBox, xrefs: 00591D16
ComboBox, xrefs: 00591CEB

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5a4f9025d86b9ef9ef9165d74dd21445503529e8c366bc6b0158a1f1e9034811
Instruction ID: db6a064cf9642a652b9e81032c6bba8213e28011166b29c205149b4566667cca
Opcode Fuzzy Hash: 5a4f9025d86b9ef9ef9165d74dd21445503529e8c366bc6b0158a1f1e9034811
Instruction Fuzzy Hash: C301D87160162AAB8F08EBA4CD59CFE7F68FF96350F040919F822572C1EA705908C660

Function 00591BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00591C46

Strings

ListBox, xrefs: 00591C10
ComboBox, xrefs: 00591BE5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e09d52a03b1eedc869537bb262d71dffc58fc4057b1d5cf6e687193f17c28d8b
Instruction ID: c24992ac8fe2054c4120d296048188e8d21301d4ec9ea31f2590339e4c929660
Opcode Fuzzy Hash: e09d52a03b1eedc869537bb262d71dffc58fc4057b1d5cf6e687193f17c28d8b
Instruction Fuzzy Hash: BE01F7B168451A6ACF05EB90CA59DFF7FA8BF91340F100019F50667281EA609E08C6B5

Function 00591C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00591CC8

Strings

ListBox, xrefs: 00591C94
ComboBox, xrefs: 00591C69

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 28cee96f4fbded15116aa7665bb08b25e46f4b38bd4644b2a93e7c5e095a8332
Instruction ID: 86599b36c11b45f02e096130fe1e1733768748fc06de046de73f8ba8a77f0d45
Opcode Fuzzy Hash: 28cee96f4fbded15116aa7665bb08b25e46f4b38bd4644b2a93e7c5e095a8332
Instruction Fuzzy Hash: 1101D6B568052A67CF05EBA4CA06EFE7FA8BF51380F540415B902B7281EAA09F08C675

Function 0054A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0054A529

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Strings

,%`, xrefs: 0054A509
3yX, xrefs: 0054A545, 0054A54D, 0054A552

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%`$3yX
API String ID: 2551934079-3373406087
Opcode ID: 1a4bd61d7ffd5443474d6c36a4bdad6abafc3226a9dc936e95c2d4102ca41bcf
Instruction ID: 8c3d7f6ee14af8074cab041c13f8cb5db7b7342c50a539c1be13bb9d2accb833
Opcode Fuzzy Hash: 1a4bd61d7ffd5443474d6c36a4bdad6abafc3226a9dc936e95c2d4102ca41bcf
Instruction Fuzzy Hash: 010176317806128BCE05F768ED2FAEE3F15FB86714F400029F9061B1C3EE509D058A9B

Function 00591D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539CB3: _wcslen.LIBCMT ref: 00539CBD

Part of subcall function 00593CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00593CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00591DD3

Strings

ListBox, xrefs: 00591DA0
ComboBox, xrefs: 00591D75

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7dae722532faf98f812e38c8aa676260f06c5e38a5a5a701a43bb49cbb70ea5e
Instruction ID: 0e65d6f921608faf35724697511cdfc168de935385135d5c971ce4f17ddae500
Opcode Fuzzy Hash: 7dae722532faf98f812e38c8aa676260f06c5e38a5a5a701a43bb49cbb70ea5e
Instruction Fuzzy Hash: 49F0A4B5A5172A66DF04E7A4CD5AEFE7F68BF81350F040915B922A72C1EAA0590882A4

Function 005C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00603018,0060305C), ref: 005C81BF
CloseHandle.KERNEL32 ref: 005C81D1

Strings

\0`, xrefs: 005C818A

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0`
API String ID: 3712363035-135485805
Opcode ID: 19dddb6ffbe114b536faa5c70606ada337140c42cf35a3bac2bb35404398a9ce
Instruction ID: 06c3af335e8dfe039895c1689dbedb28b1ca17b2462e01a6302854177455dee2
Opcode Fuzzy Hash: 19dddb6ffbe114b536faa5c70606ada337140c42cf35a3bac2bb35404398a9ce
Instruction Fuzzy Hash: 18F05EF1681320BEF3206B61AC49FB73E5DEB15B56F004861FF09D52A2D6798A0493F8

Function 005B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B7493
_wcslen.LIBCMT ref: 005B74B9

Strings

3, 3, 16, 1, xrefs: 005B7483

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f182dcdd15c7789b1620cfa26d2e2cf4e9a66065c638f5222240e8fc10d9a20e
Instruction ID: 000a2f452e515db7c2f87f50c7e3fdc26d14e5efa546a7ba515f0c96040bf38d
Opcode Fuzzy Hash: f182dcdd15c7789b1620cfa26d2e2cf4e9a66065c638f5222240e8fc10d9a20e
Instruction Fuzzy Hash: 80E02B0260432520973112799CC69BF5E99FFCD752710182BFD81C2266EA949DD193A0

Function 00550D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0054F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00550D71,?,?,?,0053100A), ref: 0054F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0053100A), ref: 00550D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0053100A), ref: 00550D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00550D7F

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cfae2a27e4faba07165a01a3f2fe9acacde0f69e62b83640962180b4d0686946
Instruction ID: b2dfced31298fa5b467f622f31cb87f34eb4b2be0509022f0601c18083f09062
Opcode Fuzzy Hash: cfae2a27e4faba07165a01a3f2fe9acacde0f69e62b83640962180b4d0686946
Instruction Fuzzy Hash: 2BE06D742007418FD7609FB8D418B467FF5FF10745F00592EE886C6691DBB5E4488B91

Function 0054E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0054E3D5

Strings

8%`, xrefs: 0054E3CA
0%`, xrefs: 0054E3B5

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%`$8%`
API String ID: 1385522511-1530242074
Opcode ID: b58ef53bc709c8c95faa1c73b801b143398cde1972a7199c5a552c1945fc1af9
Instruction ID: e5e7a6104a0212ab815819bfeaaaba188d0692b7fc4fdc8aff0d0e27ef13c044
Opcode Fuzzy Hash: b58ef53bc709c8c95faa1c73b801b143398cde1972a7199c5a552c1945fc1af9
Instruction Fuzzy Hash: BEE08631494912CBC70B9F18FC7EECA3B57BF45324F5029A5F512871D19B703841865D

Function 005A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 005A3044

Strings

aut, xrefs: 005A3038

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c62a4c3001f011156ca3b33ebdbced53caa1bf04321cce2a58a143b09c6cfb2a
Instruction ID: 2c4c7a34fc8318370a63744659fedc094e006bec9b504924a15fed8d3c84769e
Opcode Fuzzy Hash: c62a4c3001f011156ca3b33ebdbced53caa1bf04321cce2a58a143b09c6cfb2a
Instruction Fuzzy Hash: 12D05E76500328ABDA20E7A4AC0EFDB3E6CDB04750F0002A1B699E2091DAB49988CAD0

Function 0058D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0058D220

Strings

%.3d, xrefs: 0058D22B
X64, xrefs: 0058D2A8

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8c59448eded8b78442480dd11967c73182b3d16050a86ec5400ede399c244808
Instruction ID: f8a5a1d0dad009a0837f231f7d842235f13130c8df73898688961aafe6e6d755
Opcode Fuzzy Hash: 8c59448eded8b78442480dd11967c73182b3d16050a86ec5400ede399c244808
Instruction Fuzzy Hash: 6ED0EC79808109EACA90A6D098498B9BBBDBB18301F508852FD0BA2080E628C5086771

Function 0056BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0056BE93
GetLastError.KERNEL32 ref: 0056BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056BEFC

Memory Dump Source

Source File: 00000000.00000002.2112288035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2112266509.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112334649.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112384302.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112398988.0000000000604000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_Scanned-IMGS_from NomanGroup IDT.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 911b0af080adaa3773328bbe121bb14bf8667c12830092d9c0a33dca7e5b6156
Instruction ID: 83625ecd3fbd831d4b211fc14405fb6c26d1c60016a1cee96030cacacb154012
Opcode Fuzzy Hash: 911b0af080adaa3773328bbe121bb14bf8667c12830092d9c0a33dca7e5b6156
Instruction Fuzzy Hash: C3410635600206AFEF218FA5CC98ABABFA9FF51310F144169F959D71B1DB318D81DB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scanned-IMGS_from NomanGroup IDT.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\peaks

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Scanned-IMGS_from NomanGroup IDT.scr.exe

Function 005342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00572BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00532CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0057065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0053344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00532B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00533170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01032B28 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00532C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01032908 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 00533B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 010317F8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00533923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON