Edit tour

Windows Analysis Report
RFQ 3100185 MAHAD.exe

Overview

General Information

Sample name:	RFQ 3100185 MAHAD.exe
Analysis ID:	1560112
MD5:	73a3c01e5d5023e800f52569958185ab
SHA1:	f2c3103491b9a8e46264d47939bbd4c53cbc149f
SHA256:	ce1748d51da0ccc300e4287b95cd7b8e975c30bb482896de396cc47d7097f0c7
Tags:	exeuser-TeamDreier
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RFQ 3100185 MAHAD.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe" MD5: 73A3C01E5D5023E800F52569958185AB)

svchost.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1936259878.0000000003160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1935867535.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", CommandLine: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", CommandLine|base64offset|contains: ]4, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", ParentImage: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe, ParentProcessId: 7280, ParentProcessName: RFQ 3100185 MAHAD.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", ProcessId: 7296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", CommandLine: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", CommandLine|base64offset|contains: ]4, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", ParentImage: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe, ParentProcessId: 7280, ParentProcessName: RFQ 3100185 MAHAD.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe", ProcessId: 7296, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RFQ 3100185 MAHAD.exe

ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1936259878.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1935867535.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RFQ 3100185 MAHAD.exe

Joe Sandbox ML: detected

Source: RFQ 3100185 MAHAD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: RFQ 3100185 MAHAD.exe, 00000000.00000003.1748999494.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RFQ 3100185 MAHAD.exe, 00000000.00000003.1760874803.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1936299744.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1936299744.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897017776.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1899368792.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ 3100185 MAHAD.exe, 00000000.00000003.1748999494.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RFQ 3100185 MAHAD.exe, 00000000.00000003.1760874803.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1936299744.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1936299744.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897017776.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1899368792.0000000003100000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004B6CA9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004B60DD
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004B63F9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004BEB60
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BF56F FindFirstFileW,FindClose,	0_2_004BF56F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004BF5FA
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004C1B2F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004C1C8A
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004C1F94

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004C4EB5

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004C6B0C

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004C6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004C6D07

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

0_2_004C6B0C

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_004B2B37

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004DF7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1936259878.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1935867535.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00473D19
Source: RFQ 3100185 MAHAD.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ 3100185 MAHAD.exe, 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1ce3d03a-0
Source: RFQ 3100185 MAHAD.exe, 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_af7bac69-b
Source: RFQ 3100185 MAHAD.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e1d5b8cc-6
Source: RFQ 3100185 MAHAD.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1d3515a7-1

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ 3100185 MAHAD.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CA93 NtClose,	1_2_0042CA93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372B60 NtClose,LdrInitializeThunk,	1_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033735C0 NtCreateMutant,LdrInitializeThunk,	1_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03374340 NtSetContextThread,	1_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03374650 NtSuspendThread,	1_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372BA0 NtEnumerateValueKey,	1_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372B80 NtQueryInformationFile,	1_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372BF0 NtAllocateVirtualMemory,	1_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372BE0 NtQueryValueKey,	1_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372AB0 NtWaitForSingleObject,	1_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372AF0 NtWriteFile,	1_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372AD0 NtReadFile,	1_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372F30 NtCreateSection,	1_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372F60 NtCreateProcessEx,	1_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372FB0 NtResumeThread,	1_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372FA0 NtQuerySection,	1_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372F90 NtProtectVirtualMemory,	1_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372FE0 NtCreateFile,	1_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372E30 NtWriteVirtualMemory,	1_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372EA0 NtAdjustPrivilegesToken,	1_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372E80 NtReadVirtualMemory,	1_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372EE0 NtQueueApcThread,	1_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372D30 NtUnmapViewOfSection,	1_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372D10 NtMapViewOfSection,	1_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372D00 NtSetInformationFile,	1_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372DB0 NtEnumerateKey,	1_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372DD0 NtDelayExecution,	1_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372C00 NtQueryInformationProcess,	1_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372C70 NtFreeVirtualMemory,	1_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372C60 NtCreateKey,	1_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372CA0 NtQueryInformationToken,	1_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372CF0 NtOpenProcess,	1_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372CC0 NtQueryVirtualMemory,	1_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03373010 NtOpenDirectoryObject,	1_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03373090 NtSetValueKey,	1_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033739B0 NtGetContextThread,	1_2_033739B0

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004B6606

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004AACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004AACC5

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004B79D3

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049B043	0_2_0049B043
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00483200	0_2_00483200
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00483B70	0_2_00483B70
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004A410F	0_2_004A410F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004902A4	0_2_004902A4
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0047E3E3	0_2_0047E3E3
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004A038E	0_2_004A038E
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004A467F	0_2_004A467F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004906D9	0_2_004906D9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004DAACE	0_2_004DAACE
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004A4BEF	0_2_004A4BEF
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049CCC1	0_2_0049CCC1
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0047AF50	0_2_0047AF50
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00476F07	0_2_00476F07
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0048B11F	0_2_0048B11F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049D1B9	0_2_0049D1B9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004D31BC	0_2_004D31BC
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004A724D	0_2_004A724D
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049123A	0_2_0049123A
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B13CA	0_2_004B13CA
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004793F0	0_2_004793F0
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0048F563	0_2_0048F563
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004796C0	0_2_004796C0
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BB6CC	0_2_004BB6CC
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004DF7FF	0_2_004DF7FF
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004777B0	0_2_004777B0
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004A79C9	0_2_004A79C9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0048FA57	0_2_0048FA57
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00479B60	0_2_00479B60
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00477D19	0_2_00477D19
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0048FE6F	0_2_0048FE6F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00499ED0	0_2_00499ED0
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00477FA3	0_2_00477FA3
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_01109260	0_2_01109260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401ACB	1_2_00401ACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F0B3	1_2_0042F0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101D3	1_2_004101D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004032F0	1_2_004032F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A90	1_2_00402A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E3D3	1_2_0040E3D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004103F3	1_2_004103F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B8E	1_2_00416B8E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B93	1_2_00416B93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401C40	1_2_00401C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401C3A	1_2_00401C3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E51C	1_2_0040E51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E523	1_2_0040E523
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402E49	1_2_00402E49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402E50	1_2_00402E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F19	1_2_00402F19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402720	1_2_00402720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA352	1_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034003E6	1_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C02C0	1_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330100	1_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C8158	1_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F41A2	1_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034001AA	1_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F81CC	1_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364750	1_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333C7C0	1_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335C6E0	1_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03400591	1_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4420	1_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F2446	1_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EE4F6	1_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FAB40	1_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F6BD7	1_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340A9A6	1_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334A840	1_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03342840	1_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033268B8	1_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E8F0	1_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360F30	1_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E2F30	1_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03382F28	1_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4F40	1_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BEFA0	1_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332FC8	1_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FEE26	1_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340E59	1_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352E90	1_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FCE93	1_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FEEDB	1_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DCD1F	1_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334AD00	1_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03358DBF	1_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333ADE0	1_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340C00	1_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0CB5	1_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330CF2	1_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F132D	1_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332D34C	1_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0338739A	1_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033452A0	1_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E12ED	1_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335B2C0	1_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340B16B	1_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332F172	1_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337516C	1_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334B1B0	1_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F70E9	1_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FF0E0	1_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EF0CC	1_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033470C0	1_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FF7B0	1_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03385630	1_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F16CC	1_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034095C3	1_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DD5B0	1_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FF43F	1_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03331460	1_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFB76	1_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335FB80	1_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B5BF0	1_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337DBF9	1_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B3A6C	1_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFA49	1_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F7A46	1_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DDAAC	1_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03385AA0	1_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E1AA3	1_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EDAC6	1_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D5910	1_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03349950	1_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335B950	1_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AD800	1_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFF09	1_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFFB1	1_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03341F92	1_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03349EB0	1_2_03349EB0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 226 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 98 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 101 times
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: String function: 0048EC2F appears 68 times
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: String function: 00496AC0 appears 42 times
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: String function: 0049F8A0 appears 35 times

Source: RFQ 3100185 MAHAD.exe, 00000000.00000003.1760874803.0000000003D3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ 3100185 MAHAD.exe
Source: RFQ 3100185 MAHAD.exe, 00000000.00000003.1751733255.0000000003B93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ 3100185 MAHAD.exe

Source: RFQ 3100185 MAHAD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004BCE7A GetLastError,FormatMessageW,

0_2_004BCE7A

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004AAB84 AdjustTokenPrivileges,CloseHandle,		0_2_004AAB84
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004AB134

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004BE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004BE1FD

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_004B6532

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004CC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_004CC18C

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_0047406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0047406B

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

File created: C:\Users\user\AppData\Local\Temp\autE378.tmp

Jump to behavior

Source: RFQ 3100185 MAHAD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ 3100185 MAHAD.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe"
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe"
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: RFQ 3100185 MAHAD.exe

Static file information: File size 1216512 > 1048576

Source: RFQ 3100185 MAHAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ 3100185 MAHAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ 3100185 MAHAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ 3100185 MAHAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ 3100185 MAHAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ 3100185 MAHAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RFQ 3100185 MAHAD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: RFQ 3100185 MAHAD.exe, 00000000.00000003.1748999494.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RFQ 3100185 MAHAD.exe, 00000000.00000003.1760874803.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1936299744.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1936299744.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897017776.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1899368792.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ 3100185 MAHAD.exe, 00000000.00000003.1748999494.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RFQ 3100185 MAHAD.exe, 00000000.00000003.1760874803.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1936299744.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1936299744.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897017776.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1899368792.0000000003100000.00000004.00000020.00020000.00000000.sdmp

Source: RFQ 3100185 MAHAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ 3100185 MAHAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ 3100185 MAHAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ 3100185 MAHAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ 3100185 MAHAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_0048E01E LoadLibraryA,GetProcAddress,

0_2_0048E01E

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049C09E push esi; ret	0_2_0049C0A0
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049C187 push edi; ret	0_2_0049C189
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004DC8BC push esi; ret	0_2_004DC8BE
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00496B05 push ecx; ret	0_2_00496B18
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BB2B1 push FFFFFF8Bh; iretd	0_2_004BB2B3
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049BDAA push edi; ret	0_2_0049BDAC
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0049BEC3 push esi; ret	0_2_0049BEC5
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_01109509 push ebp; ret	0_2_01109519
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402055 push edx; iretd	1_2_00402056
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004018A1 push edx; iretd	1_2_004018A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040218B push ebp; iretd	1_2_00402192
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D9B6 push FFFFFFEBh; iretd	1_2_0040D9BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041F9B8 push 13D671DEh; iretd	1_2_0041F9BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041AA30 push edx; retf	1_2_0041AA31
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004192F1 push edx; ret	1_2_004192F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00424281 push ds; retf	1_2_00424287
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00425433 push edi; ret	1_2_00425483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00423D54 push 00000063h; retf	1_2_00423D83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403570 push eax; ret	1_2_00403572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414E8B pushfd ; iretd	1_2_00414E91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040A7C3 push edi; ret	1_2_0040A7F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D7CA push ecx; ret	1_2_0040D7CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330225F pushad ; ret	1_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033027FA pushad ; ret	1_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033309AD push ecx; mov dword ptr [esp], ecx	1_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330283D push eax; iretd	1_2_03302858

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004D8111
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_0048EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0048EB42

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_0049123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0049123A

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

API/Special instruction interceptor: Address: 1108E84

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0337096E rdtsc

1_2_0337096E

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Evaded block: after key decision

graph_0-92713

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-93252

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7300

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004B6CA9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004B60DD
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004B63F9
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004BEB60
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BF56F FindFirstFileW,FindClose,	0_2_004BF56F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004BF5FA
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004C1B2F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004C1C8A
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004C1F94

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_0048DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0048DDC0

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	API call chain: ExitProcess graph end node			graph_0-92308
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	API call chain: ExitProcess graph end node			graph_0-93002

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0337096E rdtsc

1_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417B23 LdrLoadDll,

1_2_00417B23

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004C6AAF BlockInput,

0_2_004C6AAF

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_00473D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00473D19

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_004A3920

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_0048E01E LoadLibraryA,GetProcAddress,

0_2_0048E01E

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_01109150 mov eax, dword ptr fs:[00000030h]	0_2_01109150
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_011090F0 mov eax, dword ptr fs:[00000030h]	0_2_011090F0
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_01107AA0 mov eax, dword ptr fs:[00000030h]	0_2_01107AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340634F mov eax, dword ptr fs:[00000030h]	1_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C310 mov ecx, dword ptr fs:[00000030h]	1_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350310 mov ecx, dword ptr fs:[00000030h]	1_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]	1_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]	1_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]	1_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D437C mov eax, dword ptr fs:[00000030h]	1_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03408324 mov eax, dword ptr fs:[00000030h]	1_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03408324 mov ecx, dword ptr fs:[00000030h]	1_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03408324 mov eax, dword ptr fs:[00000030h]	1_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03408324 mov eax, dword ptr fs:[00000030h]	1_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov ecx, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA352 mov eax, dword ptr fs:[00000030h]	1_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D8350 mov ecx, dword ptr fs:[00000030h]	1_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]	1_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]	1_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]	1_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]	1_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]	1_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]	1_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h]	1_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h]	1_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033663FF mov eax, dword ptr fs:[00000030h]	1_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h]	1_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h]	1_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC3CD mov eax, dword ptr fs:[00000030h]	1_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B63C0 mov eax, dword ptr fs:[00000030h]	1_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332823B mov eax, dword ptr fs:[00000030h]	1_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340625D mov eax, dword ptr fs:[00000030h]	1_2_0340625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]	1_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]	1_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]	1_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332826B mov eax, dword ptr fs:[00000030h]	1_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A250 mov eax, dword ptr fs:[00000030h]	1_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336259 mov eax, dword ptr fs:[00000030h]	1_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h]	1_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h]	1_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B8243 mov eax, dword ptr fs:[00000030h]	1_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B8243 mov ecx, dword ptr fs:[00000030h]	1_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h]	1_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h]	1_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034062D6 mov eax, dword ptr fs:[00000030h]	1_2_034062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h]	1_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h]	1_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]	1_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]	1_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]	1_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]	1_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]	1_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]	1_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360124 mov eax, dword ptr fs:[00000030h]	1_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404164 mov eax, dword ptr fs:[00000030h]	1_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404164 mov eax, dword ptr fs:[00000030h]	1_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov ecx, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F0115 mov eax, dword ptr fs:[00000030h]	1_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C156 mov eax, dword ptr fs:[00000030h]	1_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C8158 mov eax, dword ptr fs:[00000030h]	1_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h]	1_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h]	1_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov ecx, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]	1_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]	1_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]	1_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034061E5 mov eax, dword ptr fs:[00000030h]	1_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03370185 mov eax, dword ptr fs:[00000030h]	1_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h]	1_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h]	1_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]	1_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]	1_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033601F8 mov eax, dword ptr fs:[00000030h]	1_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]	1_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]	1_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6030 mov eax, dword ptr fs:[00000030h]	1_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A020 mov eax, dword ptr fs:[00000030h]	1_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C020 mov eax, dword ptr fs:[00000030h]	1_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4000 mov ecx, dword ptr fs:[00000030h]	1_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335C073 mov eax, dword ptr fs:[00000030h]	1_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332050 mov eax, dword ptr fs:[00000030h]	1_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6050 mov eax, dword ptr fs:[00000030h]	1_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F60B8 mov eax, dword ptr fs:[00000030h]	1_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033280A0 mov eax, dword ptr fs:[00000030h]	1_2_033280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C80A8 mov eax, dword ptr fs:[00000030h]	1_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333208A mov eax, dword ptr fs:[00000030h]	1_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033720F0 mov ecx, dword ptr fs:[00000030h]	1_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033380E9 mov eax, dword ptr fs:[00000030h]	1_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B60E0 mov eax, dword ptr fs:[00000030h]	1_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B20DE mov eax, dword ptr fs:[00000030h]	1_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]	1_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov ecx, dword ptr fs:[00000030h]	1_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]	1_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AC730 mov eax, dword ptr fs:[00000030h]	1_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]	1_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]	1_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330710 mov eax, dword ptr fs:[00000030h]	1_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360710 mov eax, dword ptr fs:[00000030h]	1_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C700 mov eax, dword ptr fs:[00000030h]	1_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338770 mov eax, dword ptr fs:[00000030h]	1_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330750 mov eax, dword ptr fs:[00000030h]	1_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE75D mov eax, dword ptr fs:[00000030h]	1_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]	1_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]	1_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4755 mov eax, dword ptr fs:[00000030h]	1_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336674D mov esi, dword ptr fs:[00000030h]	1_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]	1_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]	1_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033307AF mov eax, dword ptr fs:[00000030h]	1_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E47A0 mov eax, dword ptr fs:[00000030h]	1_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D678E mov eax, dword ptr fs:[00000030h]	1_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]	1_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]	1_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]	1_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]	1_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]	1_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B07C3 mov eax, dword ptr fs:[00000030h]	1_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E627 mov eax, dword ptr fs:[00000030h]	1_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03366620 mov eax, dword ptr fs:[00000030h]	1_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368620 mov eax, dword ptr fs:[00000030h]	1_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333262C mov eax, dword ptr fs:[00000030h]	1_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372619 mov eax, dword ptr fs:[00000030h]	1_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE609 mov eax, dword ptr fs:[00000030h]	1_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03362674 mov eax, dword ptr fs:[00000030h]	1_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]	1_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]	1_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]	1_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]	1_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334C640 mov eax, dword ptr fs:[00000030h]	1_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033666B0 mov eax, dword ptr fs:[00000030h]	1_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]	1_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]	1_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]	1_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]	1_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6500 mov eax, dword ptr fs:[00000030h]	1_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]	1_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]	1_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]	1_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]	1_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]	1_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]	1_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]	1_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]	1_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]	1_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]	1_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E59C mov eax, dword ptr fs:[00000030h]	1_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332582 mov eax, dword ptr fs:[00000030h]	1_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332582 mov ecx, dword ptr fs:[00000030h]	1_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364588 mov eax, dword ptr fs:[00000030h]	1_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033325E0 mov eax, dword ptr fs:[00000030h]	1_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]	1_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]	1_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033365D0 mov eax, dword ptr fs:[00000030h]	1_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]	1_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]	1_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A430 mov eax, dword ptr fs:[00000030h]	1_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]	1_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]	1_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]	1_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C427 mov eax, dword ptr fs:[00000030h]	1_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]	1_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]	1_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]	1_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]	1_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]	1_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]	1_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC460 mov ecx, dword ptr fs:[00000030h]	1_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA456 mov eax, dword ptr fs:[00000030h]	1_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332645D mov eax, dword ptr fs:[00000030h]	1_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335245A mov eax, dword ptr fs:[00000030h]	1_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033644B0 mov ecx, dword ptr fs:[00000030h]	1_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033364AB mov eax, dword ptr fs:[00000030h]	1_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA49A mov eax, dword ptr fs:[00000030h]	1_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033304E5 mov ecx, dword ptr fs:[00000030h]	1_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]	1_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]	1_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]	1_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]	1_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]	1_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]	1_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]	1_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]	1_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404B00 mov eax, dword ptr fs:[00000030h]	1_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332CB7E mov eax, dword ptr fs:[00000030h]	1_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328B50 mov eax, dword ptr fs:[00000030h]	1_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DEB50 mov eax, dword ptr fs:[00000030h]	1_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]	1_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]	1_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]	1_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]	1_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FAB40 mov eax, dword ptr fs:[00000030h]	1_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D8B42 mov eax, dword ptr fs:[00000030h]	1_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]	1_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]	1_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]	1_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]	1_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]	1_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EBFC mov eax, dword ptr fs:[00000030h]	1_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]	1_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]	1_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]	1_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]	1_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]	1_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]	1_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]	1_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]	1_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA38 mov eax, dword ptr fs:[00000030h]	1_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA24 mov eax, dword ptr fs:[00000030h]	1_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EA2E mov eax, dword ptr fs:[00000030h]	1_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BCA11 mov eax, dword ptr fs:[00000030h]	1_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]	1_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]	1_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]	1_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]	1_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]	1_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DEA60 mov eax, dword ptr fs:[00000030h]	1_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]	1_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]	1_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]	1_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]	1_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386AA4 mov eax, dword ptr fs:[00000030h]	1_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368A90 mov edx, dword ptr fs:[00000030h]	1_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404A80 mov eax, dword ptr fs:[00000030h]	1_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]	1_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]	1_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330AD0 mov eax, dword ptr fs:[00000030h]	1_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]	1_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]	1_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]	1_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]	1_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]	1_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404940 mov eax, dword ptr fs:[00000030h]	1_2_03404940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B892A mov eax, dword ptr fs:[00000030h]	1_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C892B mov eax, dword ptr fs:[00000030h]	1_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC912 mov eax, dword ptr fs:[00000030h]	1_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]	1_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]	1_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]	1_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]	1_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]	1_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]	1_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC97C mov eax, dword ptr fs:[00000030h]	1_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]	1_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E mov edx, dword ptr fs:[00000030h]	1_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]	1_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0946 mov eax, dword ptr fs:[00000030h]	1_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B89B3 mov esi, dword ptr fs:[00000030h]	1_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]	1_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]	1_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]	1_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]	1_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]	1_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]	1_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033649D0 mov eax, dword ptr fs:[00000030h]	1_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C69C0 mov eax, dword ptr fs:[00000030h]	1_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov ecx, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A830 mov eax, dword ptr fs:[00000030h]	1_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h]	1_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h]	1_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC810 mov eax, dword ptr fs:[00000030h]	1_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h]	1_2_033BE872

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_004AA66C

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_00498189 SetUnhandledExceptionFilter,		0_2_00498189
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_004981AC

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 281E008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004AB106 LogonUserW,

0_2_004AB106

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_00473D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00473D19

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B411C SendInput,keybd_event,

0_2_004B411C

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B74E7 mouse_event,

0_2_004B74E7

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

0_2_004AA66C

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004B71FA

Source: RFQ 3100185 MAHAD.exe	Binary or memory string: Shell_TrayWnd
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004965C4 cpuid

0_2_004965C4

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_004C091D

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004EB340 GetUserNameW,

0_2_004EB340

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_004A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_004A1E8E

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe

Code function: 0_2_0048DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0048DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1936259878.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1935867535.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: RFQ 3100185 MAHAD.exe	Binary or memory string: WIN_81
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: WIN_XP
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: WIN_XPe
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: WIN_VISTA
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: WIN_7
Source: RFQ 3100185 MAHAD.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1936259878.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1935867535.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_004C8C4F
Source: C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe	Code function: 0_2_004C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004C923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ 3100185 MAHAD.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
RFQ 3100185 MAHAD.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560112
Start date and time:	2024-11-21 12:19:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ 3100185 MAHAD.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 55 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: RFQ 3100185 MAHAD.exe

Simulations

Behavior and APIs

Time	Type	Description
06:20:25	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994335786061729
Encrypted:	true
SSDEEP:	6144:90rCOI9MU7+jFLi1j1b436to5lQXsWOcEnVTjrCIVOFK9NdzCiLKSSJq9u:96wZ7+Zu1j1I6KUsWO1nZryI5COjSgw
MD5:	3E05465E9DFAE3898C82343D67914690
SHA1:	E0C3F3B46E3FF7F8590A64E3D40A6FE78BB33E7F
SHA-256:	01D25701CBA88B351D7F829130A52147EDFF7578EFE0E6178C2DD8DEB60E9607
SHA-512:	C9E183B12D6B99459F2DBC86C469C9C36B957F2DE7E9274F789D4C4686B61E7FFB13F0B058453796B942B2B6D7525F76DA7E87116E036989F71F6372D159E0EE
Malicious:	false
Reputation:	low
Preview:	...KJ0ADKC0K.VP.XQKI0AD.C0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K.AVPTG.EI.H.n.1..`.83+q;;_&6...(S/8?.x3.iB4o^kv..p775.g=LNkC0K2AVP#YX.tP&.r#W..!1.@...sP&.U..!1.@...uP&..*S#.!1.ZXQKI0AD..0K~@WP....I0ADOC0K.ATQQYZKIhEDOC0K2AVP.LQKI ADO34K2A.PZHQKI2ADIC0K2AVP\XQKI0ADO34K2CVPZXQKK0..OC K2QVPZXAKI ADOC0K"AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPt,43=0AD;.4K2QVPZ.UKI ADOC0K2AVPZXQKi0A$OC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0AD

C:\Users\user\AppData\Local\Temp\indivisibility

Download File

Process:	C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994335786061729
Encrypted:	true
SSDEEP:	6144:90rCOI9MU7+jFLi1j1b436to5lQXsWOcEnVTjrCIVOFK9NdzCiLKSSJq9u:96wZ7+Zu1j1I6KUsWO1nZryI5COjSgw
MD5:	3E05465E9DFAE3898C82343D67914690
SHA1:	E0C3F3B46E3FF7F8590A64E3D40A6FE78BB33E7F
SHA-256:	01D25701CBA88B351D7F829130A52147EDFF7578EFE0E6178C2DD8DEB60E9607
SHA-512:	C9E183B12D6B99459F2DBC86C469C9C36B957F2DE7E9274F789D4C4686B61E7FFB13F0B058453796B942B2B6D7525F76DA7E87116E036989F71F6372D159E0EE
Malicious:	false
Reputation:	low
Preview:	...KJ0ADKC0K.VP.XQKI0AD.C0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K.AVPTG.EI.H.n.1..`.83+q;;_&6...(S/8?.x3.iB4o^kv..p775.g=LNkC0K2AVP#YX.tP&.r#W..!1.@...sP&.U..!1.@...uP&..*S#.!1.ZXQKI0AD..0K~@WP....I0ADOC0K.ATQQYZKIhEDOC0K2AVP.LQKI ADO34K2A.PZHQKI2ADIC0K2AVP\XQKI0ADO34K2CVPZXQKK0..OC K2QVPZXAKI ADOC0K"AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPt,43=0AD;.4K2QVPZ.UKI ADOC0K2AVPZXQKi0A$OC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0ADOC0K2AVPZXQKI0AD

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.149193055049042
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ 3100185 MAHAD.exe
File size:	1'216'512 bytes
MD5:	73a3c01e5d5023e800f52569958185ab
SHA1:	f2c3103491b9a8e46264d47939bbd4c53cbc149f
SHA256:	ce1748d51da0ccc300e4287b95cd7b8e975c30bb482896de396cc47d7097f0c7
SHA512:	81eb8758166e9949a7156f8df7d4c846e10d7aa96de667728b8e4bdce68cf8d648de9008501522687534307693cc46fe3e3200319003eb7f4b061d0aa172cd59
SSDEEP:	24576:Ntb20pkaCqT5TBWgNQ7axw9zoC3CdolZCPFna3Q66A:+Vg5tQ7axUoCydiga35
TLSH:	2645CF2373DE8361C3B25273BA56B7016EBF7C2506A1F96B2FD4093DE920162521E673
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673BE4C6 [Tue Nov 19 01:07:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F51008BC3FFh
jmp 00007F51008AF414h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F51008AF59Ah
cmp edi, eax
jc 00007F51008AF8FEh
bt dword ptr [004C0158h], 01h
jnc 00007F51008AF599h
rep movsb
jmp 00007F51008AF8ACh
cmp ecx, 00000080h
jc 00007F51008AF764h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F51008AF5A0h
bt dword ptr [004BA370h], 01h
jc 00007F51008AFA70h
bt dword ptr [004C0158h], 00000000h
jnc 00007F51008AF73Dh
test edi, 00000003h
jne 00007F51008AF74Eh
test esi, 00000003h
jne 00007F51008AF72Dh
bt edi, 02h
jnc 00007F51008AF59Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F51008AF5A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F51008AF5F5h
bt esi, 03h
jnc 00007F51008AF648h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5fe98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5fe98	0x60000	2a151d77592958accea7ab76c3a12b59	False	0.9312388102213541	data	7.9027705416266985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x5719d	data			1.0003251440023544
RT_GROUP_ICON	0x123958	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1239d0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1239e4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1239f8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123a0c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x123ae8	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	06:20:07
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe"
Imagebase:	0x470000
File size:	1'216'512 bytes
MD5 hash:	73A3C01E5D5023E800F52569958185AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ 3100185 MAHAD.exe"
Imagebase:	0x610000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1936259878.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1935867535.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	7.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	64

Executed Functions

Function 0049B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa2946a0a02e17f8ab3ebfeb4dc56589465331e33c4191759225acf552b8a9f
Instruction ID: 49bdfc38999b0cc67401450b741ab0b7962de563bac3c4d06c5d6264cb6cf1a5
Opcode Fuzzy Hash: 9aa2946a0a02e17f8ab3ebfeb4dc56589465331e33c4191759225acf552b8a9f
Instruction Fuzzy Hash: F2326075A022188FCF24CF54ED456EABBB5FF46314F0441EAE40AA7A91D7349D80CF96

Function 00473D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00473AA3,?), ref: 00473D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00473AA3,?), ref: 00473D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00531148,00531130,?,?,?,?,00473AA3,?), ref: 00473DC8

Part of subcall function 00476430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00473DEE,00531148,?,?,?,?,?,00473AA3,?), ref: 00476471

SetCurrentDirectoryW.KERNEL32(?,?,?,00473AA3,?), ref: 00473E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005228F4,00000010), ref: 004E1CCE
SetCurrentDirectoryW.KERNEL32(?,00531148,?,?,?,?,?,00473AA3,?), ref: 004E1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0050DAB4,00531148,?,?,?,?,?,00473AA3,?), ref: 004E1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00473AA3), ref: 004E1D90

Part of subcall function 00473E6E: GetSysColorBrush.USER32(0000000F), ref: 00473E79
Part of subcall function 00473E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00473E88
Part of subcall function 00473E6E: LoadIconW.USER32(00000063), ref: 00473E9E
Part of subcall function 00473E6E: LoadIconW.USER32(000000A4), ref: 00473EB0
Part of subcall function 00473E6E: LoadIconW.USER32(000000A2), ref: 00473EC2
Part of subcall function 00473E6E: RegisterClassExW.USER32(?), ref: 00473F30

Part of subcall function 004736B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004736E6
Part of subcall function 004736B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00473707
Part of subcall function 004736B8: ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 0047371B
Part of subcall function 004736B8: ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 00473724

Part of subcall function 00474FFC: _memset.LIBCMT ref: 00475022
Part of subcall function 00474FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004750CB

Strings

()R, xrefs: 004E1D49
runas, xrefs: 004E1D84
This is a third-party compiled AutoIt script., xrefs: 004E1CC8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()R$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-2871243473
Opcode ID: ca7ec14b365b40744be1d7433bb95ec6f4e84a73207aa19e206732c1c7fddcf2
Instruction ID: e3f2763818cab12f8c45c454d979a1251262c7bb1ddec82003831778c47252ce
Opcode Fuzzy Hash: ca7ec14b365b40744be1d7433bb95ec6f4e84a73207aa19e206732c1c7fddcf2
Instruction Fuzzy Hash: A8514830E04644AACB01AFF1DC45DEE7B75AF19705F00C06BF505662A2DB785649EB2E

Function 0048DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0048DDEC
GetCurrentProcess.KERNEL32(00000000,0050DC38,?,?), ref: 0048DEAC
GetNativeSystemInfo.KERNELBASE(?,0050DC38,?,?), ref: 0048DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0048DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0048DF1F
GetSystemInfo.KERNEL32(?,0050DC38,?,?), ref: 0048DF29
GetSystemInfo.KERNEL32(?,0050DC38,?,?), ref: 0048DF35

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 11f72345c335e393f6c72ca16af147353ec5712322cddd6496d4b64f1c8e83f3
Instruction ID: 2718635847419978543286695ad90cfa835d3ca938418460c75b6197a899c9d4
Opcode Fuzzy Hash: 11f72345c335e393f6c72ca16af147353ec5712322cddd6496d4b64f1c8e83f3
Instruction Fuzzy Hash: 9461B571C0A2C4DBCF16DF6994C11EE7FB46F29300B1949DAD8455F38BC668C909CB6A

Function 0047406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0047449E,?,?,00000000,00000001), ref: 0047407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0047449E,?,?,00000000,00000001), ref: 00474092
LoadResource.KERNEL32(?,00000000,?,?,0047449E,?,?,00000000,00000001,?,?,?,?,?,?,004741FB), ref: 004E4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0047449E,?,?,00000000,00000001,?,?,?,?,?,?,004741FB), ref: 004E4F2F
LockResource.KERNEL32(0047449E,?,?,0047449E,?,?,00000000,00000001,?,?,?,?,?,?,004741FB,00000000), ref: 004E4F42

Strings

SCRIPT, xrefs: 00474088

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ea8f1ee652ff0207892fb31fe83e04414f3e3539e8ddffdf4bacdc5467f08577
Instruction ID: 30da49bf6aa5151e6a5f929789bcb0317d8301df5d2b2fe741f5043c1969d284
Opcode Fuzzy Hash: ea8f1ee652ff0207892fb31fe83e04414f3e3539e8ddffdf4bacdc5467f08577
Instruction Fuzzy Hash: 5B115770600741AFE7318B26EC48F777BBAEBC5B51F20856DF606962A0DB71DC00CA64

Function 00483B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00484176
S, xrefs: 004840A4
S, xrefs: 004840EC
S, xrefs: 004E701F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ S$ S$ S
API String ID: 3728558374-2981100487
Opcode ID: 3a627812dbe48ea490ad92b1ff2ebad87e53bf14f85cb10421b0fd95619e3b35
Instruction ID: f2f760a98f977ebcabc497526d8a24ade7cc07efd31781b197d6d1d1acf67ff0
Opcode Fuzzy Hash: 3a627812dbe48ea490ad92b1ff2ebad87e53bf14f85cb10421b0fd95619e3b35
Instruction Fuzzy Hash: 3972DF30D042099FCF14EF95C481ABEB7B5EF48714F14845BE909AB351D738AE46CB99

Function 004B6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,004E2F49), ref: 004B6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 004B6CCA
FindClose.KERNEL32(00000000), ref: 004B6CDA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 6a09b146a199b9c7f00ca4c19b0895aab71eac964b42d674610c9baf3d45bab1
Instruction ID: cd2b4ffdfb66a5ea08e7805cc68f1fc296df5deb1a0fba2f46ed6a694af96fbe
Opcode Fuzzy Hash: 6a09b146a199b9c7f00ca4c19b0895aab71eac964b42d674610c9baf3d45bab1
Instruction Fuzzy Hash: C1E0D831C104105782146738ED0D4FA3B7DDA05339F100B16F571C12D0EB78E91095EE

Function 00483200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

S, xrefs: 004E933E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharUpper
String ID: S
API String ID: 3964851224-2211950704
Opcode ID: d836eb2112b13e3e2707ee8db73aee839e2ec17d221cb782e9d0745480ac6752
Instruction ID: f7ebae158be1475f89e4db984e33c962f0e3c6276da8e7bf3ff60f9df3226a40
Opcode Fuzzy Hash: d836eb2112b13e3e2707ee8db73aee839e2ec17d221cb782e9d0745480ac6752
Instruction Fuzzy Hash: 0E928F706083419FD724EF19C480B6BB7E1BF88708F14885EE98A8B392D779ED45CB56

Function 0047E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E959
timeGetTime.WINMM ref: 0047EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047ED2E
TranslateMessage.USER32(?), ref: 0047ED3F
DispatchMessageW.USER32(?), ref: 0047ED4A
LockWindowUpdate.USER32(00000000), ref: 0047ED79
DestroyWindow.USER32 ref: 0047ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0047ED9F
Sleep.KERNEL32(0000000A), ref: 004E5270
TranslateMessage.USER32(?), ref: 004E59F7
DispatchMessageW.USER32(?), ref: 004E5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004E5A19

Strings

@GUI_CTRLHANDLE, xrefs: 004E53AC
@GUI_WINHANDLE, xrefs: 004E5360
@TRAY_ID, xrefs: 004E54C9
@GUI_CTRLID, xrefs: 004E5314

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: fd07bd893e266024b1d3124bc87a1aa4a52b790414129e8f5fdf876dff5119ae
Instruction ID: 2b5d978f1fd4bf7926653307965461a03c6475c43bc1b369532c9642fdd513ff
Opcode Fuzzy Hash: fd07bd893e266024b1d3124bc87a1aa4a52b790414129e8f5fdf876dff5119ae
Instruction Fuzzy Hash: FF62B670504380DFD724DF26C885BAA77E5BF48308F0449AFF94A8B292D778D849CB5A

Function 004A5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 004A5EC3
___createFile.LIBCMT ref: 004A5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004A5F2D
__dosmaperr.LIBCMT ref: 004A5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 004A5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004A5F6A
__dosmaperr.LIBCMT ref: 004A5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004A5F7C
__set_osfhnd.LIBCMT ref: 004A5FAC
__lseeki64_nolock.LIBCMT ref: 004A6016
__close_nolock.LIBCMT ref: 004A603C
__chsize_nolock.LIBCMT ref: 004A606C
__lseeki64_nolock.LIBCMT ref: 004A607E
__lseeki64_nolock.LIBCMT ref: 004A6176
__lseeki64_nolock.LIBCMT ref: 004A618B
__close_nolock.LIBCMT ref: 004A61EB

Part of subcall function 0049EA9C: CloseHandle.KERNELBASE(00000000,0051EEF4,00000000,?,004A6041,0051EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0049EAEC
Part of subcall function 0049EA9C: GetLastError.KERNEL32(?,004A6041,0051EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0049EAF6
Part of subcall function 0049EA9C: __free_osfhnd.LIBCMT ref: 0049EB03
Part of subcall function 0049EA9C: __dosmaperr.LIBCMT ref: 0049EB25

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

__lseeki64_nolock.LIBCMT ref: 004A620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004A6342
___createFile.LIBCMT ref: 004A6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004A636E
__dosmaperr.LIBCMT ref: 004A6375
__free_osfhnd.LIBCMT ref: 004A6395
__invoke_watson.LIBCMT ref: 004A63C3
__wsopen_helper.LIBCMT ref: 004A63DD

Strings

@, xrefs: 004A5F98

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 76b4fec0db37177676c5cce61bc6acd49d5b08a6a23231ed9f4e78215b95fef2
Instruction ID: 6f16d0eca53d4e953d3c7db3bb47afc10054d51f6f2be3b6a2a4cfaa1571a95e
Opcode Fuzzy Hash: 76b4fec0db37177676c5cce61bc6acd49d5b08a6a23231ed9f4e78215b95fef2
Instruction Fuzzy Hash: 542234719046059BEF259F68CD45BBE7B21EB32324F29822BE9219B3D1C23D8D50C759

Function 004BFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 004BFA96
_wcschr.LIBCMT ref: 004BFAA4
_wcscpy.LIBCMT ref: 004BFABB
_wcscat.LIBCMT ref: 004BFACA
_wcscat.LIBCMT ref: 004BFAE8
_wcscpy.LIBCMT ref: 004BFB09
__wsplitpath.LIBCMT ref: 004BFBE6
_wcscpy.LIBCMT ref: 004BFC0B
_wcscpy.LIBCMT ref: 004BFC1D
_wcscpy.LIBCMT ref: 004BFC32
_wcscat.LIBCMT ref: 004BFC47
_wcscat.LIBCMT ref: 004BFC59
_wcscat.LIBCMT ref: 004BFC6E

Part of subcall function 004BBFA4: _wcscmp.LIBCMT ref: 004BC03E
Part of subcall function 004BBFA4: __wsplitpath.LIBCMT ref: 004BC083
Part of subcall function 004BBFA4: _wcscpy.LIBCMT ref: 004BC096
Part of subcall function 004BBFA4: _wcscat.LIBCMT ref: 004BC0A9
Part of subcall function 004BBFA4: __wsplitpath.LIBCMT ref: 004BC0CE
Part of subcall function 004BBFA4: _wcscat.LIBCMT ref: 004BC0E4
Part of subcall function 004BBFA4: _wcscat.LIBCMT ref: 004BC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 004BFA61
t2R, xrefs: 004BFC97

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2R
API String ID: 2955681530-151873073
Opcode ID: c31aee72f7804df038a7783b1cfc2d3386f165faa01c79fd118f191411eb22a2
Instruction ID: 0758a785a0176a4ff91a829bac642e68c1ba5911cdeb8b7879023c35dae63b76
Opcode Fuzzy Hash: c31aee72f7804df038a7783b1cfc2d3386f165faa01c79fd118f191411eb22a2
Instruction Fuzzy Hash: 6A91A371504205AFDB20EB55C851EDBB7E8BF84314F00496EF94D97291DB38FA48CB99

Function 00473F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00473F86
RegisterClassExW.USER32(00000030), ref: 00473FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00473FC1
InitCommonControlsEx.COMCTL32(?), ref: 00473FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00473FEE
LoadIconW.USER32(000000A9), ref: 00474004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00474013

Strings

AutoIt v3 GUI, xrefs: 00473FA2
TaskbarCreated, xrefs: 00473FB6
0, xrefs: 00473F68
+, xrefs: 00473F6F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 433446085b86216f9da4348957797ee4d975d292f47685dc387446d19bf1c5cd
Instruction ID: a56db41af9fc764c62a1d3a812c0e2c44befc6e952c930ffaf6758ee0fb52bef
Opcode Fuzzy Hash: 433446085b86216f9da4348957797ee4d975d292f47685dc387446d19bf1c5cd
Instruction Fuzzy Hash: F021B4B5D00618AFDB009FE4E889B9DBBB5FB18704F00412AF511A62A0D7B44554DF99

Function 004BBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004BBDB4: __time64.LIBCMT ref: 004BBDBE

Part of subcall function 00474517: _fseek.LIBCMT ref: 0047452F

__wsplitpath.LIBCMT ref: 004BC083

Part of subcall function 00491DFC: __wsplitpath_helper.LIBCMT ref: 00491E3C

_wcscpy.LIBCMT ref: 004BC096
_wcscat.LIBCMT ref: 004BC0A9
__wsplitpath.LIBCMT ref: 004BC0CE
_wcscat.LIBCMT ref: 004BC0E4
_wcscat.LIBCMT ref: 004BC0F7
_wcscmp.LIBCMT ref: 004BC03E

Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC65D
Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004BC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004BC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004BC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004BC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004BC371

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: d342150d949d26e4757b92f97783c11c8ec82502ba97fe01225993300b4c1240
Instruction ID: 6875bc50a8fdd83b27afaf77d575f41dd135e750d2391069f7e49c900cce24f9
Opcode Fuzzy Hash: d342150d949d26e4757b92f97783c11c8ec82502ba97fe01225993300b4c1240
Instruction Fuzzy Hash: E2C13CB1D00129AADF11DFA5CC81EEEBBBDAF49314F0040ABF609E6151DB749A448F65

Function 00473742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004737B3
KillTimer.USER32(?,00000001), ref: 004737DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00473800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0047380B
CreatePopupMenu.USER32 ref: 0047381F
PostQuitMessage.USER32(00000000), ref: 0047382E

Strings

TaskbarCreated, xrefs: 00473806

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b250293bd631434db8553aa22fc8355c233fd7a6dfe108ed7d3ccf9edc827d3a
Instruction ID: e712d0284a6554568185fff116707f5743be3156c90d3a519e4738d706990427
Opcode Fuzzy Hash: b250293bd631434db8553aa22fc8355c233fd7a6dfe108ed7d3ccf9edc827d3a
Instruction Fuzzy Hash: F04125F410054AA7DB186F389C4ABFA3695F710302F04C12BF90AD22A0DB6C9951B66E

Function 00473E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00473E79
LoadCursorW.USER32(00000000,00007F00), ref: 00473E88
LoadIconW.USER32(00000063), ref: 00473E9E
LoadIconW.USER32(000000A4), ref: 00473EB0
LoadIconW.USER32(000000A2), ref: 00473EC2

Part of subcall function 00474024: LoadImageW.USER32(00470000,00000063,00000001,00000010,00000010,00000000), ref: 00474048

RegisterClassExW.USER32(?), ref: 00473F30

Part of subcall function 00473F53: GetSysColorBrush.USER32(0000000F), ref: 00473F86
Part of subcall function 00473F53: RegisterClassExW.USER32(00000030), ref: 00473FB0
Part of subcall function 00473F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00473FC1
Part of subcall function 00473F53: InitCommonControlsEx.COMCTL32(?), ref: 00473FDE
Part of subcall function 00473F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00473FEE
Part of subcall function 00473F53: LoadIconW.USER32(000000A9), ref: 00474004
Part of subcall function 00473F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00474013

Strings

#, xrefs: 00473F09
AutoIt v3, xrefs: 00473F1F
0, xrefs: 00473F02

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a5b39152dddf20fc4eddc11a08231615b0f533d058cc20269965a0148eb78c3f
Instruction ID: f8da7820810fe74454faa2ff9386bd9eafab7e8cf38970e7b11d6262dad75b39
Opcode Fuzzy Hash: a5b39152dddf20fc4eddc11a08231615b0f533d058cc20269965a0148eb78c3f
Instruction Fuzzy Hash: 0D2132B0D00704ABCB04DFB9ED49A99BFF5FB58314F10812AE218A73A0D7755648EF99

Function 0049ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0049ACC1

Part of subcall function 00497CF4: __mtinitlocknum.LIBCMT ref: 00497D06
Part of subcall function 00497CF4: EnterCriticalSection.KERNEL32(00000000,?,00497ADD,0000000D), ref: 00497D1F

__calloc_crt.LIBCMT ref: 0049ACD2

Part of subcall function 00496986: __calloc_impl.LIBCMT ref: 00496995
Part of subcall function 00496986: Sleep.KERNEL32(00000000,000003BC,0048F507,?,0000000E), ref: 004969AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0049ACED
GetStartupInfoW.KERNEL32(?,00526E28,00000064,00495E91,00526C70,00000014), ref: 0049AD46
__calloc_crt.LIBCMT ref: 0049AD91
GetFileType.KERNEL32(00000001), ref: 0049ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0049AE11

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 5f81094e6d6ac361f25b1ba00d695876321636ff470af10975d06a0701f04012
Instruction ID: 3d23bcc5cb87a5500d4408298a73b2d5572858e1d4b33d600e0fd20b5b08157f
Opcode Fuzzy Hash: 5f81094e6d6ac361f25b1ba00d695876321636ff470af10975d06a0701f04012
Instruction Fuzzy Hash: 0081C2719053558FDF14CF68C8845AABFF1AF05324B24427EE4A6AB3D1C7389813CB9A

Function 01108240 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01108311
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01108537

Memory Dump Source

Source File: 00000000.00000002.1762128934.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1105000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 7ef956642ca54a4a3323923f07a2754abff253ce5be2ecf64243f532f711794d
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: F4A10770E04209EBDB19CFA4C894BEEBBB5BF48304F208159E605BB2C1D7B59A41CF95

Function 004749FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00474A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004E41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004E421A
RegCloseKey.ADVAPI32(?), ref: 004E4249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00474A13
Include, xrefs: 004E41D3, 004E4212

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 4c3b1b12d051afc2dc96ad8e86b0fd7e015765ce34a9abe1d9e051bf4268b74b
Instruction ID: 62ac2336300a2d15db588f556fa428db226fdbe2af275720d5ab33eaf81a8a78
Opcode Fuzzy Hash: 4c3b1b12d051afc2dc96ad8e86b0fd7e015765ce34a9abe1d9e051bf4268b74b
Instruction Fuzzy Hash: 82113D71A00109BFEB04ABA5CD86DFF7BBCEF44348F00406AB506D6191EB759E05D768

Function 004736B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004736E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00473707
ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 0047371B
ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 00473724

Strings

AutoIt v3, xrefs: 004736DE, 004736E3, 004736E4
edit, xrefs: 00473701

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f33d3d7a9ea3ad3ab2121b0cf060fdd454c9b96bb9447f3fa001ce71684a8ca7
Instruction ID: fb3fe256dfc55542bb23a1027339f86e2f15ec6d5d148948bb36fb72e8fa6fa8
Opcode Fuzzy Hash: f33d3d7a9ea3ad3ab2121b0cf060fdd454c9b96bb9447f3fa001ce71684a8ca7
Instruction Fuzzy Hash: 95F0D071A406D47BD73557676C4CE772E7ED7D6F20B00401ABA04972A0C6650899EAB8

Function 01107FE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01107ED0: Sleep.KERNELBASE(000001F4), ref: 01107EE1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0110812E

Strings

ZXQKI0ADOC0K2AVP, xrefs: 01108191, 01108194

Memory Dump Source

Source File: 00000000.00000002.1762128934.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1105000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateFileSleep
String ID: ZXQKI0ADOC0K2AVP
API String ID: 2694422964-72368136
Opcode ID: 79b6036b85c8fa9202d60a1801e5f78e74328fbd70c44c1b50f94b2d7d5b482e
Instruction ID: d65aa3b74fbf9ace36bd2607b759119ad0e240bdd3874e7b6b6f9a14adf674a1
Opcode Fuzzy Hash: 79b6036b85c8fa9202d60a1801e5f78e74328fbd70c44c1b50f94b2d7d5b482e
Instruction Fuzzy Hash: C3518130E14248EBEF15DBE4D854BEEBB79AF18300F004199E609BB2C1D7B91B45CB66

Function 00474A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00475374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00531148,?,004761FF,?,00000000,00000001,00000000), ref: 00475392

Part of subcall function 004749FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00474A1D

_wcscat.LIBCMT ref: 004E2D80
_wcscat.LIBCMT ref: 004E2DB5

Strings

8!S, xrefs: 00474B1C
\, xrefs: 004E2DA2
\Include\, xrefs: 00474B0A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!S$\$\Include\
API String ID: 3592542968-3708070565
Opcode ID: 32064c9d60affcbafe64fa5a8e732c664ab2b169bcf3fa765d1e869ada7aed94
Instruction ID: 1bce59ee6212c67b7ed9206d73ba84010ca981adc96c135045d43c3d43dabc0e
Opcode Fuzzy Hash: 32064c9d60affcbafe64fa5a8e732c664ab2b169bcf3fa765d1e869ada7aed94
Instruction Fuzzy Hash: 12515E714047409BC714EF56EA818AAB7F8FF69304F40852FF64993360EB78990CDB5A

Function 004751AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047522F
_wcscpy.LIBCMT ref: 00475283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00475293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004E3CB0

Strings

Line: , xrefs: 004E3CD9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: da965d1fd71c0a7956974fcd7076077584ce5ce1258d9a9357a7ed44f5d3d6f4
Instruction ID: badedc31f6889291ab01af31bd8dead38d422d2eb2c6027e77ee2e83e21a7c1b
Opcode Fuzzy Hash: da965d1fd71c0a7956974fcd7076077584ce5ce1258d9a9357a7ed44f5d3d6f4
Instruction Fuzzy Hash: 2D31C171408B406FD320EB61EC46BDB77D8AB44314F00891FF58D9A192DBB8A548CB9E

Function 00474139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 004741A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004739FE,?,00000001), ref: 004741DB

_free.LIBCMT ref: 004E36B7
_free.LIBCMT ref: 004E36FE

Part of subcall function 0047C833: __wsplitpath.LIBCMT ref: 0047C93E
Part of subcall function 0047C833: _wcscpy.LIBCMT ref: 0047C953
Part of subcall function 0047C833: _wcscat.LIBCMT ref: 0047C968
Part of subcall function 0047C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0047C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 004E3491
Bad directive syntax error, xrefs: 004E36E4

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: cd6a117ee93b172fe8ff869b9a94b73b3d8c7a46900e6cfef694d3a865fedeb3
Instruction ID: 68cb2c86ea38f12b6cae73b16a21e0e1e0211e574e6cbf79c66564fffc5ddf79
Opcode Fuzzy Hash: cd6a117ee93b172fe8ff869b9a94b73b3d8c7a46900e6cfef694d3a865fedeb3
Instruction Fuzzy Hash: 02918171910259AFCF15EFA6CC859EEB7B4BF08315F00442FF416A7291DB38AA05CB68

Function 004740E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004E3725
GetOpenFileNameW.COMDLG32 ref: 004E376F

Part of subcall function 0047660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004753B1,?,?,004761FF,?,00000000,00000001,00000000), ref: 0047662F

Part of subcall function 004740A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004740C6

Strings

t3R, xrefs: 004E3745
X, xrefs: 004E373E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3R
API String ID: 3777226403-3286752794
Opcode ID: 7387efb0339e42cce88fd447ec7a6d1bc3faa22418ebffe7b9bf1bbdf80821f3
Instruction ID: 207a9a5eb5118050d29b0e65f36cb5e7e8c371c2b4f95687c7c5ab7b0a1c105d
Opcode Fuzzy Hash: 7387efb0339e42cce88fd447ec7a6d1bc3faa22418ebffe7b9bf1bbdf80821f3
Instruction Fuzzy Hash: 3F21C971A101989FCF01DF95D8457EE7BF99F89304F00805AE408A7281DBB85689CF59

Function 004934AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 004934FE

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00493539
__wopenfile.LIBCMT ref: 00493549

Strings

<G, xrefs: 004934CD, 004934F0, 004934FC

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: e4f40ac35d11377e6d390c9af55a0eb9bfd374ec3f682348050fcb2ab3494899
Instruction ID: 037740784d9766ba4a09bde4624700851dc101cca4b4bfdd72dd7b7b348a1417
Opcode Fuzzy Hash: e4f40ac35d11377e6d390c9af55a0eb9bfd374ec3f682348050fcb2ab3494899
Instruction Fuzzy Hash: 94110D70900215AFDF11BF729C4266F3EA4AF46764B16853BE415C7281EB3CCE0197A9

Function 0048D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0048D28B,SwapMouseButtons,00000004,?), ref: 0048D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0048D28B,SwapMouseButtons,00000004,?,?,?,?,0048C865), ref: 0048D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0048D28B,SwapMouseButtons,00000004,?,?,?,?,0048C865), ref: 0048D2FF

Strings

Control Panel\Mouse, xrefs: 0048D2BA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6a74bebe94491a83f7a6affb00672fb9923ccf839c6ac15d5084a19dc25030e3
Instruction ID: 1a699cc5acbc6330a63021e8148647587a6ec1e5e70a3bf24a4fde08716a0e2e
Opcode Fuzzy Hash: 6a74bebe94491a83f7a6affb00672fb9923ccf839c6ac15d5084a19dc25030e3
Instruction Fuzzy Hash: 70113C75A12208BFDB20AF64CC84EAF7BB8EF44754F10486AF805D7250D6359E41DB69

Function 01106ED0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0110768B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01107721
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01107743

Memory Dump Source

Source File: 00000000.00000002.1762128934.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1105000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: 9edaa1b4a94fbb15999f4348beeddf8fb2ff77d52e94c1f4c308b2a58aee4033
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 71620A30E14658DAEB29CFA4C850BDEB376EF58300F1091A9D14DEB2D0E7B59E81CB59

Function 004BC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00474517: _fseek.LIBCMT ref: 0047452F

Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC65D
Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC670

_free.LIBCMT ref: 004BC4DD
_free.LIBCMT ref: 004BC4E4
_free.LIBCMT ref: 004BC54F

Part of subcall function 00491C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00497A85), ref: 00491CB1
Part of subcall function 00491C9D: GetLastError.KERNEL32(00000000,?,00497A85), ref: 00491CC3

_free.LIBCMT ref: 004BC557

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: c0e1fe5465827434153b298b39c13922f63295e7ac5e3a760452db9ff3c9e12f
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 5A516FB1904219AFDF249F65DC81BEDBBB9EF48304F1040AEB21DA3251DB755A808F69

Function 0048EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048EBB2

Part of subcall function 004751AF: _memset.LIBCMT ref: 0047522F
Part of subcall function 004751AF: _wcscpy.LIBCMT ref: 00475283
Part of subcall function 004751AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00475293

KillTimer.USER32(?,00000001,?,?), ref: 0048EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0048EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004E3C88

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: fefd59608fb89d167a5f865937ada47da9e67b2449083e15cb75982931fd6b1e
Instruction ID: 0efd38d9f807c16dc1b98e3f32a63201cfb1080fb74c0286240d782b30e9167f
Opcode Fuzzy Hash: fefd59608fb89d167a5f865937ada47da9e67b2449083e15cb75982931fd6b1e
Instruction Fuzzy Hash: 6E21DA719047849FE7339B398859BEBBBEC9F01309F14045EE68E57241C3786A85CB5A

Function 004BC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004BC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004BC746

Strings

aut, xrefs: 004BC740

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f5cf406750d43d096f995ed72f72e31d24a03a112a45109f8efc4c07f770f57b
Instruction ID: b13ec9b781ee2d633c2e6197b56fe3c2c293f39dd9675ffbda152d5a7ea4439f
Opcode Fuzzy Hash: f5cf406750d43d096f995ed72f72e31d24a03a112a45109f8efc4c07f770f57b
Instruction Fuzzy Hash: 6FD05E7190030EABDB10AB90EC0EF9A7B6CAB00704F0001A07690E50F1DAB5E6A9CB99

Function 004CF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c6df8f4bee8a81936ad6308a069195bbd70f8fa0044cc8973fb5c459a487c5
Instruction ID: 0478d551f2fbe18a94f76c601c32ba7cb382c3e544ada785583b931e61519bdb
Opcode Fuzzy Hash: 14c6df8f4bee8a81936ad6308a069195bbd70f8fa0044cc8973fb5c459a487c5
Instruction Fuzzy Hash: 7EF158756043019FC710DF25C481B6AB7E5FF88318F10892EF99A9B392D778E909CB86

Function 00474FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00475022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004750CB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 3af740ca5768d2f8a6f599c3980deec6c5d6f2570e87fa6358388903f04c35bf
Instruction ID: 73678f12bac10465f9fcec6f0881f336dc2467bdbbcf5a8a20fa561aa7bfab9f
Opcode Fuzzy Hash: 3af740ca5768d2f8a6f599c3980deec6c5d6f2570e87fa6358388903f04c35bf
Instruction Fuzzy Hash: B1317AB0504B408FD721DF25D8456DBBBE4EB58309F00492EE59E86340E7B5A948CB9A

Function 0049395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00493973

Part of subcall function 004981C2: __NMSG_WRITE.LIBCMT ref: 004981E9
Part of subcall function 004981C2: __NMSG_WRITE.LIBCMT ref: 004981F3

__NMSG_WRITE.LIBCMT ref: 0049397A

Part of subcall function 0049821F: GetModuleFileNameW.KERNEL32(00000000,00530312,00000104,00000000,00000001,00000000), ref: 004982B1
Part of subcall function 0049821F: ___crtMessageBoxW.LIBCMT ref: 0049835F

Part of subcall function 00491145: ___crtCorExitProcess.LIBCMT ref: 0049114B
Part of subcall function 00491145: ExitProcess.KERNEL32 ref: 00491154

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

RtlAllocateHeap.NTDLL(010C0000,00000000,00000001,00000001,00000000,?,?,0048F507,?,0000000E), ref: 0049399F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9c53bae8eb8a3ed1cd21f43a073767a483805fad81c34991247f2b02b9a17abc
Instruction ID: f4be4d83cd270d4f30361f5ebb0651628e9f14cf0650969aee1c7619f7ca907f
Opcode Fuzzy Hash: 9c53bae8eb8a3ed1cd21f43a073767a483805fad81c34991247f2b02b9a17abc
Instruction Fuzzy Hash: 670196B22453019AEE213F66DC56B2B2B489B83B69B21003FF505973D1DBBCDD01866D

Function 004BC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004BC385,?,?,?,?,?,00000004), ref: 004BC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004BC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004BC708
CloseHandle.KERNEL32(00000000,?,004BC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004BC70F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 61a2d7482c568c433baf7f23f34e74242922a687afa1195b605ec0a5d1315c19
Instruction ID: c0aa398b5482bfc2dbdda50ce0a517e75dde58cc463131d737260d9bcee4012e
Opcode Fuzzy Hash: 61a2d7482c568c433baf7f23f34e74242922a687afa1195b605ec0a5d1315c19
Instruction Fuzzy Hash: 41E08632540214B7D7211B54AC4DFDE7B19AB05764F104120FB14690E097B12531C79C

Function 004BBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004BBB72

Part of subcall function 00491C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00497A85), ref: 00491CB1
Part of subcall function 00491C9D: GetLastError.KERNEL32(00000000,?,00497A85), ref: 00491CC3

_free.LIBCMT ref: 004BBB83
_free.LIBCMT ref: 004BBB95

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: 81794d8c19092dcb03ae5eee3b458eeb713f78711d03ad2ce8064dd0831bf2ae
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 16E012A164574246DE24697A6E44EF717CC8F04355714082FB459E7646CF6CF84085FC

Function 00472322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004722A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004724F1), ref: 00472303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004725A1
CoInitialize.OLE32(00000000), ref: 00472618
CloseHandle.KERNEL32(00000000), ref: 004E503A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 3157057a1c5d21fc813eab62b2a4ec5abea133501bd1de987b16da107b348455
Instruction ID: c97f90c914816398bce9273579d3458820b76612c594a6815df823708a010a51
Opcode Fuzzy Hash: 3157057a1c5d21fc813eab62b2a4ec5abea133501bd1de987b16da107b348455
Instruction Fuzzy Hash: FD71B0B8901A818BC704EF7BE99049ABBE4FB79344780852EE509C7771CB744418EF2C

Function 004D0828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 004D08FD

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

_wcscpy.LIBCMT ref: 004D098C

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 51272c1e060d210c7b232895f8facea4b516b276d31a9e311de05d5e008a9b1f
Instruction ID: a6205440b4ed2c7d9162f7088cee7425698fbca334bf2ed52e805104bf187c84
Opcode Fuzzy Hash: 51272c1e060d210c7b232895f8facea4b516b276d31a9e311de05d5e008a9b1f
Instruction Fuzzy Hash: 51913C34A00605DFCB18DF19C591AA9B7E5FF59314B55806FE81A8F352DB38ED01CB89

Function 00473A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00473A73

Part of subcall function 00491405: __lock.LIBCMT ref: 0049140B

Part of subcall function 00473ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00473AF3
Part of subcall function 00473ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00473B08

Part of subcall function 00473D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00473AA3,?), ref: 00473D45
Part of subcall function 00473D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00473AA3,?), ref: 00473D57
Part of subcall function 00473D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00531148,00531130,?,?,?,?,00473AA3,?), ref: 00473DC8
Part of subcall function 00473D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00473AA3,?), ref: 00473E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00473AB3

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: d69f7dffbeec2ea1bc1a9a70379b507f69d776f9caf7cb388345da2f56ba50f1
Instruction ID: fdf5c6aa5999a192926b8283ae90c452df488c5d19dde86a6167becc1985b101
Opcode Fuzzy Hash: d69f7dffbeec2ea1bc1a9a70379b507f69d776f9caf7cb388345da2f56ba50f1
Instruction Fuzzy Hash: A811AE719043419BC304EF2AED4595EBBE9EBA4310F00891FF484872B1DBB49559DB9A

Function 0049E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0049EA29
__close_nolock.LIBCMT ref: 0049EA42

Part of subcall function 00497BDA: __getptd_noexit.LIBCMT ref: 00497BDA

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 3ba2e6710614bea7b5dfc6181c7a357b315bfc0fd706527dafc002307fbeeb8d
Instruction ID: 7dbe70f9dbfa899d43b5d36ea1568a22da46d85ffa2e18d5007443fe399cd764
Opcode Fuzzy Hash: 3ba2e6710614bea7b5dfc6181c7a357b315bfc0fd706527dafc002307fbeeb8d
Instruction Fuzzy Hash: 7911C2728056108ADF11FFA6C8423193E606F82339F26436AE4201F2F3CBBC9C0197AD

Function 0048F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0049395C: __FF_MSGBANNER.LIBCMT ref: 00493973
Part of subcall function 0049395C: __NMSG_WRITE.LIBCMT ref: 0049397A
Part of subcall function 0049395C: RtlAllocateHeap.NTDLL(010C0000,00000000,00000001,00000001,00000000,?,?,0048F507,?,0000000E), ref: 0049399F

std::exception::exception.LIBCMT ref: 0048F51E
__CxxThrowException@8.LIBCMT ref: 0048F533

Part of subcall function 00496805: RaiseException.KERNEL32(?,?,0000000E,00526A30,?,?,?,0048F538,0000000E,00526A30,?,00000001), ref: 00496856

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8e936113f2c07f46a098632562d3407892fa113bc1d8818ebcd093a0670bc72a
Instruction ID: 7d701db73fd18e409095f7afa064ac0503db4fecd804c5bcf02aca373ee91c2b
Opcode Fuzzy Hash: 8e936113f2c07f46a098632562d3407892fa113bc1d8818ebcd093a0670bc72a
Instruction Fuzzy Hash: 8AF0A93150411EA7DB04BF99D8019EF7B989F05758F60443BF90491181DBB8A74497AD

Function 004935E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

__lock_file.LIBCMT ref: 00493629

Part of subcall function 00494E1C: __lock.LIBCMT ref: 00494E3F

__fclose_nolock.LIBCMT ref: 00493634

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ab36481ec9d03a228935a8a32f197d25ac6e75787020d9a26f16955a68feb848
Instruction ID: 6f3dc99e293e1a22c8b39ca1351d1c565ae8de1ea024a596de657acaed83d357
Opcode Fuzzy Hash: ab36481ec9d03a228935a8a32f197d25ac6e75787020d9a26f16955a68feb848
Instruction Fuzzy Hash: 97F09632801214AADF21AF668802B5F7EA06F42739F26812FE411AB2C1C77C8E019B5D

Function 01106ECD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0110768B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01107721
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01107743

Memory Dump Source

Source File: 00000000.00000002.1762128934.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1105000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: fe4ed42e7045b12dcc09f185077e4534603040e8f41d31f9f111656e451cb852
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 4112BC24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7E5E77A5E81CB5A

Function 0047E8A0 Relevance: 1.7, APIs: 1, Instructions: 194windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E959

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 82dc7a4e1bee50206662311e7e1955be1b002a20850f12935504502d1e867d89
Instruction ID: f9ee8ac093400c504bf847f5281c57a8c991a5294cbacc96ebe39b082798914e
Opcode Fuzzy Hash: 82dc7a4e1bee50206662311e7e1955be1b002a20850f12935504502d1e867d89
Instruction Fuzzy Hash: 8271BB709047C09FEB26CF26C4447AB7BD0BB55308F084ABFD8895B361D3799889CB4A

Function 00492957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00492A0B

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 32fa037e0723e614d1586568b5dc3c5c11bd5285bcf66127adcbf6d1209be768
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 9C419571700706BFDF288EA9CA8056F7FA6AF45360F24853FE855C7240D6B8DD458B48

Function 0048ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0048EDC7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d32e2b8dd2a3ed343dae3082cc6817f8454443326cb7535949d6ff07679ab470
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9131E870A00106DBC718EF5AC48096EFBE6FF49340B648AA6E409CB355DB34EDC5CB85

Function 004D040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D0519

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c36d41e103a3c3a0393b85176115f7a9fbaad2162c0ab082b1602ce8cc59318b
Instruction ID: 4204f28bba0ea79ce15957b9ba8e8da74b83a855a7f123b3e3b716a1d350fd53
Opcode Fuzzy Hash: c36d41e103a3c3a0393b85176115f7a9fbaad2162c0ab082b1602ce8cc59318b
Instruction Fuzzy Hash: 7A315E75104524DFCB01EF11D0A1BAE7BB1FF49324F10885BEA951B386D778A906CF9A

Function 004E9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004E9A80

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2e2020740287af48e2c32a7d0be254f601cd52c645ba99d057beda5a6996e33d
Instruction ID: e2b3177124a91f6e0044209f9c648e723f9ee23f93eccfce969d198317eddde1
Opcode Fuzzy Hash: 2e2020740287af48e2c32a7d0be254f601cd52c645ba99d057beda5a6996e33d
Instruction Fuzzy Hash: 3B415E705046518FDB24DF19C444B1ABBE0BF45308F19899EE99A4B362C37AFC46CF56

Function 004741A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00474214: FreeLibrary.KERNEL32(00000000,?), ref: 00474247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004739FE,?,00000001), ref: 004741DB

Part of subcall function 00474291: FreeLibrary.KERNEL32(00000000), ref: 004742C4

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 1e1a2d091dc26341e014d3b0bb4074d115c4262e2fa88ac9ae34878422b7cc23
Instruction ID: 1c5b76f00367e745a151bde2a5e0cdc646d65fc54180db8612c04e222875775b
Opcode Fuzzy Hash: 1e1a2d091dc26341e014d3b0bb4074d115c4262e2fa88ac9ae34878422b7cc23
Instruction Fuzzy Hash: B2119831700205AADF10AB75DC06BFE77A99F80748F10C46EB55AA61C2DB789A119B68

Function 004E9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 004E9B51

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a4f61d150d3662a10e48d0cbe765be36fd231166f6f044c5831e0971291a83a4
Instruction ID: 17372833fb5c9150077befdee8e92c4c4c70ddeec9c72babc14071f5d83fabf3
Opcode Fuzzy Hash: a4f61d150d3662a10e48d0cbe765be36fd231166f6f044c5831e0971291a83a4
Instruction Fuzzy Hash: A32146705086018FDB24EF29C444A1FBBE1BF89308F14496EE99A47322C739F85ACF56

Function 0049AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0049AFC0

Part of subcall function 00497BDA: __getptd_noexit.LIBCMT ref: 00497BDA

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 8abdae171ad8ccc52017548ce7ba9e7fee92d1f65598ad568e8920f959179c4a
Instruction ID: 66e7efa09ce88cf9818ea10a652857484d30a7c4afbd7ec2b9afc84fd1113d0b
Opcode Fuzzy Hash: 8abdae171ad8ccc52017548ce7ba9e7fee92d1f65598ad568e8920f959179c4a
Instruction Fuzzy Hash: AD11B6728146104BDF117FA5990275A3E60EF41339F16426AE4340B2E2D7BC9D109BEA

Function 004739DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: a9785c1ff9f502088b29672c70055d4f966b7c7ba358923213a7472043add32b
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 53018631500109AECF04EF65C8828FEBB78EF20344F00C06BB516971A5EB349A49DB68

Function 00492AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00492AED

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 71d9f5014592076cc1a56416258bbc525fa943090f811855314339f0a9c18f09
Instruction ID: c3384e78077c419b81c5dcc18cb9a721512d7dd8752ef139f4bc1fb70943b5fd
Opcode Fuzzy Hash: 71d9f5014592076cc1a56416258bbc525fa943090f811855314339f0a9c18f09
Instruction Fuzzy Hash: FBF0C232500205BADF21AF668D0679F3EA1BF40318F15443BF4149A1A1D7BC8A12DB49

Function 00474252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004739FE,?,00000001), ref: 00474286

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 71b7c31b63c980511e0136ef7f6d2f04cfe903a3e86883155336337c38c11e03
Instruction ID: 4d1bc2c8991b85fed5e69fd743ce051378a5d0f78f6e696b193576ddfcbc4fd8
Opcode Fuzzy Hash: 71b7c31b63c980511e0136ef7f6d2f04cfe903a3e86883155336337c38c11e03
Instruction Fuzzy Hash: C5F08C70404301DFCB348F60D480862BBE4AF44365320CABFF1DA82611C7359860CB49

Function 004740A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004740C6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 4ca94665d4d2f96c58934624211cf351b73af4a0b5635e6890b5f51b73dd6085
Instruction ID: 0dff38657207ae53e1d4aa01350b5ceea960e5969e88031c0bd82bdc29a607f0
Opcode Fuzzy Hash: 4ca94665d4d2f96c58934624211cf351b73af4a0b5635e6890b5f51b73dd6085
Instruction Fuzzy Hash: 2CE07D329001241BC711E354CC42FFA379DDF88694F050075F908D3204DA64D9808694

Function 01107ECC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01107EE1

Memory Dump Source

Source File: 00000000.00000002.1762128934.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1105000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: fda7a9f79249f288cf69c72f74b7b07dfe7ab8f2b7ffaf64651d9fd16fc881a5
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 8BE0BF7494110EEFDB00EFA4D9496DE7BB4EF04301F2005A1FD05D7691DB709E548A62

Function 01107ED0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01107EE1

Memory Dump Source

Source File: 00000000.00000002.1762128934.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1105000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: d9ee5aea0855c8d8d96dbd3967eccc136c79989973cc774e46d43f7bd81a87a5
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 7FE0E67494110EDFDB00EFB4D94969E7FB4EF04301F100161FD01D2681DB709D508A72

Non-executed Functions

Function 004DF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 004DF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004DF8DC
GetWindowLongW.USER32(?,000000F0), ref: 004DF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004DF940
SendMessageW.USER32 ref: 004DF966
_wcsncpy.LIBCMT ref: 004DF9D2
GetKeyState.USER32(00000011), ref: 004DF9F3
GetKeyState.USER32(00000009), ref: 004DFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004DFA16
GetKeyState.USER32(00000010), ref: 004DFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004DFA4F
SendMessageW.USER32 ref: 004DFA72
SendMessageW.USER32(?,00001030,?,004DE059), ref: 004DFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 004DFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004DFB96
SetCapture.USER32(?), ref: 004DFB9F
ClientToScreen.USER32(?,?), ref: 004DFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004DFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 004DFC29
ReleaseCapture.USER32 ref: 004DFC34
GetCursorPos.USER32(?), ref: 004DFC69
ScreenToClient.USER32(?,?), ref: 004DFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 004DFCD8
SendMessageW.USER32 ref: 004DFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 004DFD41
SendMessageW.USER32 ref: 004DFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004DFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004DFD8F
GetCursorPos.USER32(?), ref: 004DFDB0
ScreenToClient.USER32(?,?), ref: 004DFDBD
GetParent.USER32(?), ref: 004DFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 004DFE3F
SendMessageW.USER32 ref: 004DFE6F
ClientToScreen.USER32(?,?), ref: 004DFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004DFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 004DFF19
SendMessageW.USER32 ref: 004DFF3C
ClientToScreen.USER32(?,?), ref: 004DFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004DFFB6
GetWindowLongW.USER32(?,000000F0), ref: 004E004B

Strings

@GUI_DRAGID, xrefs: 004DFBCC
F, xrefs: 004DFF42

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 0ec9bce6a0200073915add669758d5783858191cfc35e25fcfbe87233af1b312
Instruction ID: 76a224cd4d849c6fe3feecb94f12f0daacbc647138046e3d1ec33d42e03404aa
Opcode Fuzzy Hash: 0ec9bce6a0200073915add669758d5783858191cfc35e25fcfbe87233af1b312
Instruction Fuzzy Hash: 9F32DC70604640EFDB20DF64C894BAABBA5FF49348F04062BF696873A0C734DD59DB5A

Function 004DAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 004DB1CD

Strings

%d/%02d/%02d, xrefs: 004DAEFC

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: c9d74d92a1207640f5f45bd2f9831278ab79fceb7e1522b8c60aee2817e6a7e6
Instruction ID: 573412202b15e3149f13030e09f02ceb29888fbffb5cd1b784cd22fa036152df
Opcode Fuzzy Hash: c9d74d92a1207640f5f45bd2f9831278ab79fceb7e1522b8c60aee2817e6a7e6
Instruction Fuzzy Hash: C112CD71900208ABEB249F64CC69FAF7BB5FF45710F10412BF919DA390DBB88902CB59

Function 0048EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0048EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E3AEA
IsIconic.USER32(000000FF), ref: 004E3AF3
ShowWindow.USER32(000000FF,00000009), ref: 004E3B00
SetForegroundWindow.USER32(000000FF), ref: 004E3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004E3B20
GetCurrentThreadId.KERNEL32 ref: 004E3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 004E3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004E3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004E3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 004E3B54
SetForegroundWindow.USER32(000000FF), ref: 004E3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B6C
keybd_event.USER32(00000012,00000000), ref: 004E3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B81
keybd_event.USER32(00000012,00000000), ref: 004E3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B8F
keybd_event.USER32(00000012,00000000), ref: 004E3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B9E
keybd_event.USER32(00000012,00000000), ref: 004E3BA3
SetForegroundWindow.USER32(000000FF), ref: 004E3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 004E3BCD

Strings

Shell_TrayWnd, xrefs: 004E3AE5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b6f2ec0d6bc8732d0990be2453535c65bb335616aec9f54d3f4d342a34fa9e54
Instruction ID: 842782f151f543faba8efba9500dd5075ad5a424d881215ca453811844915aca
Opcode Fuzzy Hash: b6f2ec0d6bc8732d0990be2453535c65bb335616aec9f54d3f4d342a34fa9e54
Instruction Fuzzy Hash: 0231B271A40218BFEB216F728C49F7F3E6DEB44B51F104026FA05EB1D1C6B46D10EAA8

Function 004AACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 004AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004AB180
Part of subcall function 004AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
Part of subcall function 004AB134: GetLastError.KERNEL32 ref: 004AB1BA

_memset.LIBCMT ref: 004AAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004AAD5A
CloseHandle.KERNEL32(?), ref: 004AAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004AAD82
GetProcessWindowStation.USER32 ref: 004AAD9B
SetProcessWindowStation.USER32(00000000), ref: 004AADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004AADBF

Part of subcall function 004AAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004AACC0), ref: 004AAB99
Part of subcall function 004AAB84: CloseHandle.KERNEL32(?,?,004AACC0), ref: 004AABAB

Strings

default, xrefs: 004AADBA
winsta0, xrefs: 004AAD7D
, xrefs: 004AAD17
H*R, xrefs: 004AAE40

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*R$default$winsta0
API String ID: 2063423040-3454619666
Opcode ID: f7d9094de181f73fc9620cde75727d5a1646daa70be4020df743ae75e9785afd
Instruction ID: f831b1225cfa0c78c6781eb2dec85cd9ccc831d210de2449f68576b6ec87f785
Opcode Fuzzy Hash: f7d9094de181f73fc9620cde75727d5a1646daa70be4020df743ae75e9785afd
Instruction Fuzzy Hash: E081A171800209AFDF11DFA4CD45AEF7B79FF16308F04412AF914A62A1D7398E64DB6A

Function 004B60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004B5FA6,?), ref: 004B6ED8

Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004B5FA6,?), ref: 004B6EF1

Part of subcall function 004B725E: __wsplitpath.LIBCMT ref: 004B727B
Part of subcall function 004B725E: __wsplitpath.LIBCMT ref: 004B728E

Part of subcall function 004B72CB: GetFileAttributesW.KERNEL32(?,004B6019), ref: 004B72CC

_wcscat.LIBCMT ref: 004B6149
_wcscat.LIBCMT ref: 004B6167
__wsplitpath.LIBCMT ref: 004B618E
FindFirstFileW.KERNEL32(?,?), ref: 004B61A4
_wcscpy.LIBCMT ref: 004B6209
_wcscat.LIBCMT ref: 004B621C
_wcscat.LIBCMT ref: 004B622F
lstrcmpiW.KERNEL32(?,?), ref: 004B625D
DeleteFileW.KERNEL32(?), ref: 004B626E
MoveFileW.KERNEL32(?,?), ref: 004B6289
MoveFileW.KERNEL32(?,?), ref: 004B6298
CopyFileW.KERNEL32(?,?,00000000), ref: 004B62AD
DeleteFileW.KERNEL32(?), ref: 004B62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B62E1
FindClose.KERNEL32(00000000), ref: 004B62FD
FindClose.KERNEL32(00000000), ref: 004B630B

Strings

\*.*, xrefs: 004B6138, 004B6147, 004B6165

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 3cce2b1e4e3d621b5ea16fa7ef0138270953298458d3d62e9fc02cc3f0b05940
Instruction ID: f3a7e8f38a9bc2d99df0cdbda946da89178f9ec1acd46bf72ec28d118f3661da
Opcode Fuzzy Hash: 3cce2b1e4e3d621b5ea16fa7ef0138270953298458d3d62e9fc02cc3f0b05940
Instruction Fuzzy Hash: FE510072C0811C6ADB25EBA6CC45DEB77BCAF05304F0A01EBE545E2141DE3A9749CFA9

Function 004C6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0050DC00), ref: 004C6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 004C6B44
GetClipboardData.USER32(0000000D), ref: 004C6B4C
CloseClipboard.USER32 ref: 004C6B58
GlobalLock.KERNEL32(00000000), ref: 004C6B74
CloseClipboard.USER32 ref: 004C6B7E
GlobalUnlock.KERNEL32(00000000), ref: 004C6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 004C6BA0
GetClipboardData.USER32(00000001), ref: 004C6BA8
GlobalLock.KERNEL32(00000000), ref: 004C6BB5
GlobalUnlock.KERNEL32(00000000), ref: 004C6BE9
CloseClipboard.USER32 ref: 004C6CF6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 36ed8444bd1c95fd1d68caa2b20a95808261b69b4dd961c65b64f1d0c414da68
Instruction ID: ef86790cdf63737d79119726dc2409c8490921e6f573a43876b198a206923861
Opcode Fuzzy Hash: 36ed8444bd1c95fd1d68caa2b20a95808261b69b4dd961c65b64f1d0c414da68
Instruction Fuzzy Hash: 9251AF35600201ABD340EF65DC86FBE77A9AF44B05F01802EF58AD62D1DF68E805CA6A

Function 004BF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004BF62B
FindClose.KERNEL32(00000000), ref: 004BF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004BF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004BF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 004BF6E2
__swprintf.LIBCMT ref: 004BF72E
__swprintf.LIBCMT ref: 004BF767
__swprintf.LIBCMT ref: 004BF7BB

Part of subcall function 0049172B: __woutput_l.LIBCMT ref: 00491784

__swprintf.LIBCMT ref: 004BF809
__swprintf.LIBCMT ref: 004BF858
__swprintf.LIBCMT ref: 004BF8A7
__swprintf.LIBCMT ref: 004BF8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004BF728
%02d, xrefs: 004BF7B0, 004BF7B9, 004BF807, 004BF856, 004BF8A5, 004BF8F4
%4d, xrefs: 004BF761

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 4d12f15da427866f8ec4bd2090564447b5a966a759a3ec4b7412b5763ddf007d
Instruction ID: e337e689b7c0fe3b67b3e0e81086ce82e0f1b3b52d132cfcd6297eeff68354e5
Opcode Fuzzy Hash: 4d12f15da427866f8ec4bd2090564447b5a966a759a3ec4b7412b5763ddf007d
Instruction Fuzzy Hash: B1A10EB2508344ABC310EB95CD85DAFB7ECAF99704F404C2EF59982152EB38D949C766

Function 004C1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004C1B50
_wcscmp.LIBCMT ref: 004C1B65
_wcscmp.LIBCMT ref: 004C1B7C
GetFileAttributesW.KERNEL32(?), ref: 004C1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 004C1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 004C1BC0
FindClose.KERNEL32(00000000), ref: 004C1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 004C1BE7
_wcscmp.LIBCMT ref: 004C1C0E
_wcscmp.LIBCMT ref: 004C1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 004C1C37
SetCurrentDirectoryW.KERNEL32(005239FC), ref: 004C1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 004C1C5F
FindClose.KERNEL32(00000000), ref: 004C1C6C
FindClose.KERNEL32(00000000), ref: 004C1C7C

Strings

*.*, xrefs: 004C1BE2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b686f516be8bfd5a13506249d456de49f9ce2de0bf90fbd10ba3ee06b6b52cfb
Instruction ID: a9af9e856c879b5e366cc5d894b8d84d047341a107cbbb1c04f470f4c0d92b59
Opcode Fuzzy Hash: b686f516be8bfd5a13506249d456de49f9ce2de0bf90fbd10ba3ee06b6b52cfb
Instruction Fuzzy Hash: 5531A735A002197ADF549FA09C49FEE77ADAF07324F10016AF811D21A1EB78DE55CA68

Function 004C1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004C1CAB
_wcscmp.LIBCMT ref: 004C1CC0
_wcscmp.LIBCMT ref: 004C1CD7

Part of subcall function 004B6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004B6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 004C1D06
FindClose.KERNEL32(00000000), ref: 004C1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 004C1D2D
_wcscmp.LIBCMT ref: 004C1D54
_wcscmp.LIBCMT ref: 004C1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 004C1D7D
SetCurrentDirectoryW.KERNEL32(005239FC), ref: 004C1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 004C1DA5
FindClose.KERNEL32(00000000), ref: 004C1DB2
FindClose.KERNEL32(00000000), ref: 004C1DC2

Strings

*.*, xrefs: 004C1D28

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 2a166284590e3e27516f330a52c57249995a23e23c203f1e04e6e8fdf13c432a
Instruction ID: dbc147fbead5a2517643f27527cdf4554ba47d1df16aa5a6935a5c3380a9e5e2
Opcode Fuzzy Hash: 2a166284590e3e27516f330a52c57249995a23e23c203f1e04e6e8fdf13c432a
Instruction Fuzzy Hash: F6311A3690021A7ACF50AFA0DC48FEF37AD9F07324F10056AF801A21A1DB38DA55CA68

Function 00477D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00477DBD

Strings

Q\E, xrefs: 004786D6
], xrefs: 00477D9F
^, xrefs: 00477D96
\, xrefs: 00477E1D
[:>:]], xrefs: 00477D37
\b(?<=\w), xrefs: 004EF877
[, xrefs: 00477E14
\b(?=\w), xrefs: 004EF85E
\, xrefs: 00477D89
\, xrefs: 004EF95B
[:<:]], xrefs: 00477D1D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: f1c9417863603d446217a143b6c80a63ca217e1cfc9363d2bafddb4191a0c18b
Instruction ID: 529fa4e78d347336149de6375fb9d148b068bf11000bcaeaecf275f5b866662a
Opcode Fuzzy Hash: f1c9417863603d446217a143b6c80a63ca217e1cfc9363d2bafddb4191a0c18b
Instruction Fuzzy Hash: 8482D071D04259DFCB24CF99C8806EEBBB1BF44314F25816BD819AB341E778AD85CB89

Function 004C091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004C09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 004C09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004C09FB
__wsplitpath.LIBCMT ref: 004C0A59
_wcscat.LIBCMT ref: 004C0A71
_wcscat.LIBCMT ref: 004C0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 004C0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 004C0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 004C0AFF
_wcscpy.LIBCMT ref: 004C0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004C0B4A

Strings

*.*, xrefs: 004C0B05

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 729f6e8e691c9628a8c9578464fe513047448077fe016ae65d3cd689d4319d91
Instruction ID: e4f8a973c78a791e3c16ba33afce981d291711c43c4f2e3d46d4232933feee47
Opcode Fuzzy Hash: 729f6e8e691c9628a8c9578464fe513047448077fe016ae65d3cd689d4319d91
Instruction Fuzzy Hash: B6615B765043059FD710EF61C840EAEB3E8FF89314F04896EF98987252DB39E945CB9A

Function 004AA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004AABD7
Part of subcall function 004AABBB: GetLastError.KERNEL32(?,004AA69F,?,?,?), ref: 004AABE1
Part of subcall function 004AABBB: GetProcessHeap.KERNEL32(00000008,?,?,004AA69F,?,?,?), ref: 004AABF0
Part of subcall function 004AABBB: HeapAlloc.KERNEL32(00000000,?,004AA69F,?,?,?), ref: 004AABF7
Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004AAC0E

Part of subcall function 004AAC56: GetProcessHeap.KERNEL32(00000008,004AA6B5,00000000,00000000,?,004AA6B5,?), ref: 004AAC62
Part of subcall function 004AAC56: HeapAlloc.KERNEL32(00000000,?,004AA6B5,?), ref: 004AAC69
Part of subcall function 004AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004AA6B5,?), ref: 004AAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004AA6D0
_memset.LIBCMT ref: 004AA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004AA704
GetLengthSid.ADVAPI32(?), ref: 004AA715
GetAce.ADVAPI32(?,00000000,?), ref: 004AA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004AA76E
GetLengthSid.ADVAPI32(?), ref: 004AA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004AA79A
HeapAlloc.KERNEL32(00000000), ref: 004AA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004AA7C2
CopySid.ADVAPI32(00000000), ref: 004AA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004AA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004AA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004AA834

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 29dcb6a6b46739254a48c445db1bae4d90ab88c9ce63e27e30a137856bd25cba
Instruction ID: c71ded860d635cd1c9e739398f869b37dd178ca942fd77a519a793a43244b4e2
Opcode Fuzzy Hash: 29dcb6a6b46739254a48c445db1bae4d90ab88c9ce63e27e30a137856bd25cba
Instruction Fuzzy Hash: E5513C71900209AFDF109F95DC44AEFBBB9FF15304F04812AE911AA290DB38DA25CB69

Function 00476F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 004F2D7E
Q, xrefs: 00476F77
BSR_UNICODE), xrefs: 004F2EBA
ANY), xrefs: 004F2E60
UTF16), xrefs: 004F2C56
LIMIT_MATCH=, xrefs: 004F2CF2
ANYCRLF), xrefs: 004F2E7D
CR), xrefs: 004F2E09
CRLF), xrefs: 004F2E43
QQQ Q, xrefs: 00477096, 0047709C
LF), xrefs: 004F2E26
UTF), xrefs: 004F2C7C
NO_START_OPT), xrefs: 004F2CD1
BSR_ANYCRLF), xrefs: 004F2EA0
UCP), xrefs: 004F2C8F
NO_AUTO_POSSESS), xrefs: 004F2CB0

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID: Q$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$QQQ Q
API String ID: 0-2637990437
Opcode ID: 59e96b4cfb0bb440bc32e654d6dd6d0d91bcf7a6c5d530ddb81789fd86da471b
Instruction ID: 2fa4dde25cce456bb151f07693165136e742ce661626d2e1a2fd5c8404dc9e46
Opcode Fuzzy Hash: 59e96b4cfb0bb440bc32e654d6dd6d0d91bcf7a6c5d530ddb81789fd86da471b
Instruction Fuzzy Hash: 42727E71E042198BDB24CF59C8407FEB7B5BF04310F64816BE919EB381DB789A41DB99

Function 004B63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004B5FA6,?), ref: 004B6ED8

Part of subcall function 004B72CB: GetFileAttributesW.KERNEL32(?,004B6019), ref: 004B72CC

_wcscat.LIBCMT ref: 004B6441
__wsplitpath.LIBCMT ref: 004B645F
FindFirstFileW.KERNEL32(?,?), ref: 004B6474
_wcscpy.LIBCMT ref: 004B64A3
_wcscat.LIBCMT ref: 004B64B8
_wcscat.LIBCMT ref: 004B64CA
DeleteFileW.KERNEL32(?), ref: 004B64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B64EB
FindClose.KERNEL32(00000000), ref: 004B6506

Strings

\*.*, xrefs: 004B643B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 7319072b7610107c25fe9a8443e82fa496927cfc362c7e8fd4687ba0e41dd1e7
Instruction ID: 5f48eab5a1c7b57823ab090fa76f0d68e74be6610e477ea70ccf1bf95a78bcd0
Opcode Fuzzy Hash: 7319072b7610107c25fe9a8443e82fa496927cfc362c7e8fd4687ba0e41dd1e7
Instruction Fuzzy Hash: CB3152B2408384AEC721DBA488859DB7BDCAF55314F44092FF6D9C3141EA39D509C7BB

Function 004D31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D328E

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004D332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004D33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004D3604
RegCloseKey.ADVAPI32(00000000), ref: 004D3611

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 585ac9c09097fdb284653883e36bf2063e2b195686a1247f8c38304eaa1bae4e
Instruction ID: 61b9ffa76a0afb2152c96b3ab272998e3b38bd1ae87ad7f4401912e7d47b051f
Opcode Fuzzy Hash: 585ac9c09097fdb284653883e36bf2063e2b195686a1247f8c38304eaa1bae4e
Instruction Fuzzy Hash: CBE14C31604200AFCB14DF29C991E6BBBE5EF89714B04886EF84AD7361DB34ED05CB56

Function 004B2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004B2B5F
GetAsyncKeyState.USER32(000000A0), ref: 004B2BE0
GetKeyState.USER32(000000A0), ref: 004B2BFB
GetAsyncKeyState.USER32(000000A1), ref: 004B2C15
GetKeyState.USER32(000000A1), ref: 004B2C2A
GetAsyncKeyState.USER32(00000011), ref: 004B2C42
GetKeyState.USER32(00000011), ref: 004B2C54
GetAsyncKeyState.USER32(00000012), ref: 004B2C6C
GetKeyState.USER32(00000012), ref: 004B2C7E
GetAsyncKeyState.USER32(0000005B), ref: 004B2C96
GetKeyState.USER32(0000005B), ref: 004B2CA8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6e3d1a52ea023eccfb183eadc1f9d5a00f3c2f618dfdb03c4edfbf78bb6ec78a
Instruction ID: ca3943d46b7e7bf032388325581807cb488bf3775a30e781bb10337bbba3518a
Opcode Fuzzy Hash: 6e3d1a52ea023eccfb183eadc1f9d5a00f3c2f618dfdb03c4edfbf78bb6ec78a
Instruction Fuzzy Hash: 3F4163349087C969FB359B648A083FBBEB16B11344F04405BD5C6563C2DBDC99D4C7BA

Function 004C6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004C6D2E
EmptyClipboard.USER32 ref: 004C6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 004C6D49
CloseClipboard.USER32 ref: 004C6DE8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8dccb010c8be48f4506af4b2f2912a8ea2597e6594fa5e8c52b2b599cec8e91c
Instruction ID: 3d011cb07573066eff146cf651aa5c2974c06ea78be2f1a84d20ecc979c3fdbd
Opcode Fuzzy Hash: 8dccb010c8be48f4506af4b2f2912a8ea2597e6594fa5e8c52b2b599cec8e91c
Instruction Fuzzy Hash: 2F217C356005109FEB01AF69DD49F7E77A9EF04711F01846AF90ADB2A1CB78E811CB9D

Function 004CC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 004A9ABF: CLSIDFromProgID.OLE32 ref: 004A9ADC
Part of subcall function 004A9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 004A9AF7
Part of subcall function 004A9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 004A9B05
Part of subcall function 004A9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 004A9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 004CC235
_memset.LIBCMT ref: 004CC242
_memset.LIBCMT ref: 004CC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 004CC38C
CoTaskMemFree.OLE32(?), ref: 004CC397

Strings

NULL Pointer assignment, xrefs: 004CC3E5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c236a2163000131e14aa0adb8da940fcf7413436277ad7d70a61608354e528c4
Instruction ID: 11129134ec4c2bbd88321beaacdf367248b920eb7b24e99ff6022c06c76233ca
Opcode Fuzzy Hash: c236a2163000131e14aa0adb8da940fcf7413436277ad7d70a61608354e528c4
Instruction Fuzzy Hash: 67913A75D00218ABDB10DF95DC81EEEBBB9EF08310F10812EF919A7291DB746A45CFA4

Function 004B79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004AB180
Part of subcall function 004AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
Part of subcall function 004AB134: GetLastError.KERNEL32 ref: 004AB1BA

ExitWindowsEx.USER32(?,00000000), ref: 004B7A0F

Strings

SeShutdownPrivilege, xrefs: 004B79DD
@, xrefs: 004B7A02
, xrefs: 004B79FD

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 6c35aad97f0f98ce715b18ca4f512edc53bfce031554fbcb872eafa17d3be670
Instruction ID: 062597c692a7f1c57635c5b3a818da8e1cd750d6caecc11841ef5ac01d7ce5c9
Opcode Fuzzy Hash: 6c35aad97f0f98ce715b18ca4f512edc53bfce031554fbcb872eafa17d3be670
Instruction Fuzzy Hash: 2A0147717582116BF7681678DC4ABFF72189B49380F100826FA43A21C2DA6CAE0081BD

Function 004C8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004C8CA8
WSAGetLastError.WSOCK32(00000000), ref: 004C8CB7
bind.WSOCK32(00000000,?,00000010), ref: 004C8CD3
listen.WSOCK32(00000000,00000005), ref: 004C8CE2
WSAGetLastError.WSOCK32(00000000), ref: 004C8CFC
closesocket.WSOCK32(00000000,00000000), ref: 004C8D10

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: b865f51d2cff2c59cb6709e61822610c96d25145a6d30af9994c5e4c430066ca
Instruction ID: 7027e1730a6da6e097604f935efca8628e9d33467c614a1cd5fcf4dacbf551f1
Opcode Fuzzy Hash: b865f51d2cff2c59cb6709e61822610c96d25145a6d30af9994c5e4c430066ca
Instruction Fuzzy Hash: 4B2180356001009BC714AF68C985B7EB7E9AF48314F10856EE956AB3D2CB74AD42CB69

Function 004B6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004B6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 004B6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 004B6583
__wsplitpath.LIBCMT ref: 004B65A7
_wcscat.LIBCMT ref: 004B65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004B65F9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 09084e4649f784af2c391b96fb56a375219536ee6051ce4a44e174e60559079b
Instruction ID: 9e8fc44fe6b6e4668504d7c714bcc57acc9fa75e7822ce963896acfc9b656080
Opcode Fuzzy Hash: 09084e4649f784af2c391b96fb56a375219536ee6051ce4a44e174e60559079b
Instruction Fuzzy Hash: A4219871900219BBDB20ABA4DD88FEEBBBDAB44304F5004BAF505D3241DB799F95CB64

Function 00479B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

Q, xrefs: 00479CF3
ERCP, xrefs: 00479C32
VUUU, xrefs: 00479ED4
VUUU, xrefs: 00479E95
VUUU, xrefs: 004FBE14
VUUU, xrefs: 00479EA7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$Q
API String ID: 0-2210302715
Opcode ID: c55c1332da09ea8b3f922f70d28eed103b6f75500e1ca711a9395f28179f295f
Instruction ID: 64a4584caa58576cd8acf3dca66693592578f485d92c72540bff5175cc9f495f
Opcode Fuzzy Hash: c55c1332da09ea8b3f922f70d28eed103b6f75500e1ca711a9395f28179f295f
Instruction Fuzzy Hash: EA927C71A0021ACBDF24CF58C9807FEB7B1EB95314F14859BD91AA7380D7789D81CB9A

Function 004B13CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004B13DC

Strings

,2R, xrefs: 004B16B1
<2R, xrefs: 004B16FA
|, xrefs: 004B140C
(, xrefs: 004B1422

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: lstrlen
String ID: ($,2R$<2R$|
API String ID: 1659193697-1671734559
Opcode ID: 20c43d8eb330d049c566e24634e73bd63b578b51f066676218ff891c7615efb6
Instruction ID: f9c0c750ad3f5ea5efe56a5b8c6ea2e7147a843e68f9b641d3a9f1255d3dc6bd
Opcode Fuzzy Hash: 20c43d8eb330d049c566e24634e73bd63b578b51f066676218ff891c7615efb6
Instruction Fuzzy Hash: 63323575A007059FCB28DF29C490AAAB7F0FF48320B51C56EE49ADB3A1E774E941CB54

Function 004C923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 004CA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 004C9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 004C92B9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: c2a98fc2fcd2329fe618875a0daebf3ed72f5956996ab5346108beec0544dfb8
Instruction ID: fd52b3a3054bf719a646c5248486cc46c7c43963124c4c8f1a08080aed609041
Opcode Fuzzy Hash: c2a98fc2fcd2329fe618875a0daebf3ed72f5956996ab5346108beec0544dfb8
Instruction Fuzzy Hash: DF41F870600100AFDB14BB29C885E7E77EDDF44318F04885EF9569B3D2DB789D018799

Function 004BEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004BEB8A
_wcscmp.LIBCMT ref: 004BEBBA
_wcscmp.LIBCMT ref: 004BEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 004BEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 004BEC0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: e5e7ba9b7594fb7a3f55c1838c90dc71e78c07861c1fbe8e182389628d3cceac
Instruction ID: 811c0ef82a268e181a538d9e4adb8d5ca9ba6d05f98cf4e27ad64422008867a4
Opcode Fuzzy Hash: e5e7ba9b7594fb7a3f55c1838c90dc71e78c07861c1fbe8e182389628d3cceac
Instruction Fuzzy Hash: 4E41C0356042019FCB08DF29C490AEAB7F4FF89324F10455EE95A8B3A1DB79A940CB69

Function 004D8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004D8160
IsWindowEnabled.USER32 ref: 004D816E
GetForegroundWindow.USER32(?,?,00000001), ref: 004D817B
IsIconic.USER32 ref: 004D8189
IsZoomed.USER32 ref: 004D8197

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 888c141d456661f9aa497d163e1723ce1f6f1defac93cb2d678b24b14b13259c
Instruction ID: 5a1553b11a543a05539d36204b85b5feff351f0c752b505fae32b2a3aceb25ad
Opcode Fuzzy Hash: 888c141d456661f9aa497d163e1723ce1f6f1defac93cb2d678b24b14b13259c
Instruction Fuzzy Hash: 0B11DD317002116BE7212F269C54A7FBB99EF44320B04042FF849D7381CF78A90386AC

Function 0048E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0048E014,74DF0AE0,0048DEF1,0050DC38,?,?), ref: 0048E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048E03E

Strings

kernel32.dll, xrefs: 0048E027
GetNativeSystemInfo, xrefs: 0048E038

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 0a17f2d557ace6edd671ca713c4c07b82f2c648ca527d653227de223a3b09c02
Instruction ID: b74ea98ec44ed8f4681dfee99cd8b4a3b827269a6be25fd8362997d8ad749a32
Opcode Fuzzy Hash: 0a17f2d557ace6edd671ca713c4c07b82f2c648ca527d653227de223a3b09c02
Instruction Fuzzy Hash: 1AD05E34800722AFC7215B61E9086267AD9AF02308F19482AA88192291D6B8C880CB54

Function 0048B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0048B22F

Part of subcall function 0048B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0048B5A5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 293e37829473169a5d327621ece63d890fc9fdf3a7dd699a211a0a3283409f1e
Instruction ID: 4d3d1f3de93a9d84cd9345f35a30823707bd341f9aa2a67431bd159b2059fa7f
Opcode Fuzzy Hash: 293e37829473169a5d327621ece63d890fc9fdf3a7dd699a211a0a3283409f1e
Instruction Fuzzy Hash: 4AA14360114105BEEA387A2B4C9DE7F295CEB56349B14491FF802D6792CB2C9C02A3FF

Function 004C4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004C43BF,00000000), ref: 004C4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 004C4FD2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 73a2b7b2a6bb5150ba013ee9216ffe8d35c171d3f7596e92a3064e7a1ce4e8cc
Instruction ID: 9accd88008b56b401ad54e11162f139badf7147e731088ade3d21091da392d67
Opcode Fuzzy Hash: 73a2b7b2a6bb5150ba013ee9216ffe8d35c171d3f7596e92a3064e7a1ce4e8cc
Instruction Fuzzy Hash: 90410A75504209BFEB60DE81DD81FBF77BCEB80758F10002FF605A6281D679AE41D668

Function 004777B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00477921

Strings

\QR, xrefs: 004F1028

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _memmove
String ID: \QR
API String ID: 4104443479-3156365835
Opcode ID: 2404f1de44be5307ffede1c155fcc0f068c0437f51e93258d0dfcb7995a8b0b7
Instruction ID: f5814a0e61bd225ce4a9874c5a48d1bad877c678ef56801fb19993883df9baf6
Opcode Fuzzy Hash: 2404f1de44be5307ffede1c155fcc0f068c0437f51e93258d0dfcb7995a8b0b7
Instruction Fuzzy Hash: 37A25C70904219CFDB24CF58C4806EDBBB1FF48314F6581AAD859AB391D7789E82CF99

Function 004BE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004BE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004BE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 004BE2B4

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 08f34e66528def62d7520a79c0dd5e9704981d46af2753ff4115e6ae2b29c906
Instruction ID: 75483ac08e7981cd8ecd1b0c864ef399b8a994a8ff2f362809dd54eac5cd717e
Opcode Fuzzy Hash: 08f34e66528def62d7520a79c0dd5e9704981d46af2753ff4115e6ae2b29c906
Instruction Fuzzy Hash: D5216D35A00118EFCB00EFA5D984AEDBBF8FF49314F0484AAE905A7351DB359915CB64

Function 004AB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0048F4EA: std::exception::exception.LIBCMT ref: 0048F51E
Part of subcall function 0048F4EA: __CxxThrowException@8.LIBCMT ref: 0048F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004AB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
GetLastError.KERNEL32 ref: 004AB1BA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: f311962182ea5e6e6cc1c75f433235292ddbf115a857f1177632039a6743bb55
Instruction ID: b20713903d67e2bc97bf8eb302a987e8b8c745ae829d1101f434bf9e42c1fe19
Opcode Fuzzy Hash: f311962182ea5e6e6cc1c75f433235292ddbf115a857f1177632039a6743bb55
Instruction Fuzzy Hash: 9611BCB2800204AFE718AF64DC86D2BBBADEB55754B20892EE45693241DB74FC41CB68

Function 004B6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004B6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004B6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004B666F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 938bd37b2a6c4cd38de94622b775ebfc32be4e3525c2e6b2fe9eb9551c9075be
Instruction ID: 5c0414a81dac2e0854ac3263b6e17f89ab83e9e448379e5a580196f39f2dc67b
Opcode Fuzzy Hash: 938bd37b2a6c4cd38de94622b775ebfc32be4e3525c2e6b2fe9eb9551c9075be
Instruction Fuzzy Hash: 81110C71E01228BFDB108FA99C45BEEBBBDEB45B10F104166F900E6290D6B45A058BA5

Function 004B71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004B7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004B723A
FreeSid.ADVAPI32(?), ref: 004B724A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 355558891d3942858355f625b725482d378137207091fd348eed382c140c09d1
Instruction ID: 878bab11bfc5c53c2a06a195cd2aa83cfc9537022c35f393bec9cbad5ba5a4c3
Opcode Fuzzy Hash: 355558891d3942858355f625b725482d378137207091fd348eed382c140c09d1
Instruction Fuzzy Hash: 00F01D76E04209BFDF04DFE4DD89EFEBBB9EF08305F104469A602E2191E6749A54CB14

Function 004BF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004BF599
FindClose.KERNEL32(00000000), ref: 004BF5C9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ef84938f9228db2d664ab7607bc412a75fd05ea46b8edf0bb153115a70a4202f
Instruction ID: ad2bde1919082fcb8dd866048ce8c04e9578e50f1069e84676d83725981db0de
Opcode Fuzzy Hash: ef84938f9228db2d664ab7607bc412a75fd05ea46b8edf0bb153115a70a4202f
Instruction Fuzzy Hash: 7111A1316002009FD710EF29D845A7EB3E9FF84324F00892EF8A9D7291DB74AD058B99

Function 004BCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,004CBE6A,?,?,00000000,?), ref: 004BCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,004CBE6A,?,?,00000000,?), ref: 004BCEB9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f207bbcdf89c30169942799ca3ded1d175a31dc03afaaacdf6704b798d9c8371
Instruction ID: 7c644d1d9984f50c26c8de50015c022c296eefa12289359f4f7e002d4d0fc66f
Opcode Fuzzy Hash: f207bbcdf89c30169942799ca3ded1d175a31dc03afaaacdf6704b798d9c8371
Instruction Fuzzy Hash: 64F08231500229EBDB10ABA4DCC9FFA776DBF08355F00816AF919D6181D734DA54CBA5

Function 004B411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004B4153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 004B4166

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 78272528b7d8adcb593739d10f11f37f70d69af865cf5a93bf77dc3ce3a373cb
Instruction ID: b3f0246354d2af7332e9ea987e3b3fbf28174059c372918ffdb33130d90f9dae
Opcode Fuzzy Hash: 78272528b7d8adcb593739d10f11f37f70d69af865cf5a93bf77dc3ce3a373cb
Instruction Fuzzy Hash: C2F0177090424DAFDB059FA4C809BFE7BB4EF04305F04841AF966A6292D7798616DFA8

Function 004AAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004AACC0), ref: 004AAB99
CloseHandle.KERNEL32(?,?,004AACC0), ref: 004AABAB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 135ab5289cffaac02b303878a6271c1bf78a8865fcc33625b218f4c573768f72
Instruction ID: e2999c3ce3a39b1d0d4a67e3e3bac39390be6fd7cf06d770a60c68b271fc80ec
Opcode Fuzzy Hash: 135ab5289cffaac02b303878a6271c1bf78a8865fcc33625b218f4c573768f72
Instruction Fuzzy Hash: 74E0E671000510BFE7252F55EC09D7777EAEF04324710883EF95981471DB666DA4DB54

Function 004981AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00496DB3,-0000031A,?,?,00000001), ref: 004981B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004981BA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 666052f4442b94a66882eae59f72cb65486b3b08107eecba934cf13944864594
Instruction ID: e6bb7e09da9d5acfdf0fc56444b182d305fc84ac4278c8e57878f06cb9222702
Opcode Fuzzy Hash: 666052f4442b94a66882eae59f72cb65486b3b08107eecba934cf13944864594
Instruction Fuzzy Hash: 39B09232448608ABDB002BA1EC09B687F6AEB08652F004030FB0D440A18B725420DA9A

Function 0049D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27e3ff22dcbc7314e97aa22b18038360506eecd9012954190492cc9c9e8941b
Instruction ID: 316eef5e3e3c04c0acccc3c49cff7d0d3719a92d75bb15105043c80cb808455e
Opcode Fuzzy Hash: b27e3ff22dcbc7314e97aa22b18038360506eecd9012954190492cc9c9e8941b
Instruction Fuzzy Hash: 67323661D29F014DDB239634CD2633AA688EFB73D4F15D737E81AB5AA6EB28C4C35104

Function 004796C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 69c58091a7542b1272e8b98e1f692ff42a3a2775cd9a73d9fa87b35c8c147b57
Instruction ID: 2d5d33db4c96134cb9a0b8674d5627f9ff9fa65e90eafffbf490ac4b760118df
Opcode Fuzzy Hash: 69c58091a7542b1272e8b98e1f692ff42a3a2775cd9a73d9fa87b35c8c147b57
Instruction Fuzzy Hash: F72299715083419BD724EF25C881BAFB7E4BF84314F10891EF89A97291DB78ED05CB9A

Function 004A038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49da235ba5676269f848487a93d26487130aa15cc8e7307c8767133e3aa32dd2
Instruction ID: 9800137ca1e511d06c5b05d2ea420cfe4248f91fa4510836f94d4db78b0abbac
Opcode Fuzzy Hash: 49da235ba5676269f848487a93d26487130aa15cc8e7307c8767133e3aa32dd2
Instruction Fuzzy Hash: D0B1DE20D2AF414DD2239639883933BB79CAFBB2D5B91D71BFC1A74D22FB2185875580

Function 004BB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004BB6DF

Part of subcall function 0049344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004BBDC3,00000000,?,?,?,?,004BBF70,00000000,?), ref: 00493453
Part of subcall function 0049344A: __aulldiv.LIBCMT ref: 00493473

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c7fe59444bac54790aece486dabeaf2187bfdf58faae2b990a172bce97844dd2
Instruction ID: fcff6ba2435e5f02b77ac1042a667fe468e680adcddd9901793b2406cd412ccb
Opcode Fuzzy Hash: c7fe59444bac54790aece486dabeaf2187bfdf58faae2b990a172bce97844dd2
Instruction Fuzzy Hash: 9C218772634510CBC729CF39C881A92B7E1EB95311B248E7DE4E5CB2C0CB78B905DB94

Function 004C6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004C6ACA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5efe0acaff23d2b9dd6dec7e1952d4efc7110559c3c6a4ab41f1864c7690a183
Instruction ID: 62b977ae7e138de699f6932c297b7a40081a77f5345573ac7f2d389ed3d68064
Opcode Fuzzy Hash: 5efe0acaff23d2b9dd6dec7e1952d4efc7110559c3c6a4ab41f1864c7690a183
Instruction Fuzzy Hash: FAE092352002006FC740EB59D404E9AB7ECAFA4355B04C42BE905D7251CAB5E8048B94

Function 004B74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 004B750A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 4fa43d33c56ed91675aa50da93fee3ba4199d1d19b2e289e3c54854e3239bcca
Instruction ID: 536cb7a938c32f1195e62a5417ec2f04253ca635b10e491e1dd57b0849af314a
Opcode Fuzzy Hash: 4fa43d33c56ed91675aa50da93fee3ba4199d1d19b2e289e3c54854e3239bcca
Instruction Fuzzy Hash: B0D067A416C60979E82A0B349C1BFF71509E380782FD4555BB606995C1A8986E06A039

Function 004AB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004AAD3E), ref: 004AB124

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bf4f54f37981cdf5a04c3fcff3e355218dd68e5d12825f8a8aa9eef70bc6787e
Instruction ID: 68e6c2dc24c909341da6a2504f16ad864657db176d53455ccc8a100d25a08633
Opcode Fuzzy Hash: bf4f54f37981cdf5a04c3fcff3e355218dd68e5d12825f8a8aa9eef70bc6787e
Instruction Fuzzy Hash: 96D09E321A464EAEDF025FA4DC06EBE3F6AEB04701F448511FA15D50A1C675D531EB54

Function 004EB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 004EB352

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 72ad94174aeba3a45ef0d54d3c95793a8b087bfa609949432caec88f7654e92f
Instruction ID: 555ea24fcf3b101ed5e5958686819564aea97a36f97ef5c13dfabb2b07752eac
Opcode Fuzzy Hash: 72ad94174aeba3a45ef0d54d3c95793a8b087bfa609949432caec88f7654e92f
Instruction Fuzzy Hash: C9C04CB1800149DFC751CFC0C9449EEB7BCAB08305F2040D29105F2110DB749B55DB76

Function 00498189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0049818F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e23446625deb6bc7bf62cf66d38c86c687afbe867e925998a1cdeb27a28edf02
Instruction ID: 687d4d0c42cad617aed70b0ad95091502b974f491ac83902458ecca6df2057ca
Opcode Fuzzy Hash: e23446625deb6bc7bf62cf66d38c86c687afbe867e925998a1cdeb27a28edf02
Instruction Fuzzy Hash: 5CA0113200020CAB8F002B82EC088A83F2EEA002A0B000030FA0C000208B22A820AA8A

Function 004793F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d4420256590d0dcbb7ee0b3d64358e4e1368ba94a4815d557753110ecce023
Instruction ID: 4c1026593972fb4f3730c975dfb53ceebeec2840fbd117f997008dd4a74efc9d
Opcode Fuzzy Hash: f3d4420256590d0dcbb7ee0b3d64358e4e1368ba94a4815d557753110ecce023
Instruction Fuzzy Hash: C6127170A00509AFDF14DFA6DA81AEEB7F5FF48304F10852AE40AE7250E739AD15CB59

Function 0047E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd244db13d88e5f3bec547d4cf2addb52896ffec7f971a332f3f8ae004a8da8a
Instruction ID: 4a1073e6f8221759102d57b65f7cfa896218a65be7c78458a573c51a4aaa7f42
Opcode Fuzzy Hash: cd244db13d88e5f3bec547d4cf2addb52896ffec7f971a332f3f8ae004a8da8a
Instruction Fuzzy Hash: A412A170900205DFDB24DF5AC480AEEB7B0FF18314F14C6ABD94A9B351E339A946CB99

Function 0047AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 539bcf74d6db5463056d5f6ef8ac12a3d390276e8831bb6b9f0b47fcfc7eb01a
Instruction ID: 06cd939fc6644a2c96e3316ab0549432ebffb01a910c9f3511afe99fd11191c2
Opcode Fuzzy Hash: 539bcf74d6db5463056d5f6ef8ac12a3d390276e8831bb6b9f0b47fcfc7eb01a
Instruction Fuzzy Hash: 9B02E470A00105DFCF14DF65D981AAEB7B9FF44304F10C46AE80AEB255EB78DA15CB99

Function 004902A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 06031f5515a6b01645733d6b2f7022147a5285fa737e47b95fbaf8097030e02c
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: B7C183722051930EDF6D4639847443FBEA15AA27B131A077FD8B2CB6D5EF28C528D724

Function 004906D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: b5415d30b4cd5b7036088b67d75202e382616e151d52d2d86ab6ef03fad17a05
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 8AC1A2722051930EDF2D4639847443FBEA15AA2BB131A07BFD4B2CB6D5EF28D528D724

Function 0048FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d650c7bd0b6332c5faa00e9121dd2a1f78bc38767be8519018972e849aa319cd
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: BAC1B17220509309DF2D5639C47043FBAA15AA2BB131A0B7ED4B3CB6D5EF28D568D724

Function 004CA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004CA2FE
DeleteObject.GDI32(00000000), ref: 004CA310
DestroyWindow.USER32 ref: 004CA31E
GetDesktopWindow.USER32 ref: 004CA338
GetWindowRect.USER32(00000000), ref: 004CA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004CA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004CA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA4D8
GetClientRect.USER32(00000000,?), ref: 004CA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004CA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA55E
GlobalLock.KERNEL32(00000000), ref: 004CA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA576
GlobalUnlock.KERNEL32(00000000), ref: 004CA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA586
GlobalFree.KERNEL32(00000000), ref: 004CA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,004FD9BC,00000000), ref: 004CA5B9
GlobalFree.KERNEL32(00000000), ref: 004CA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 004CA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 004CA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA81D

Strings

AutoIt v3, xrefs: 004CA4D0
, xrefs: 004CA7A3
DISPLAY, xrefs: 004CA680
static, xrefs: 004CA518, 004CA66F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4b8e8b98cd6f9f8eb6dd054fd01ae188314a6915027f997107164322fe1d894e
Instruction ID: 26b2664f0f4913be2c67de11eb4f0519f5e118c0bced4da7d785a1163264309b
Opcode Fuzzy Hash: 4b8e8b98cd6f9f8eb6dd054fd01ae188314a6915027f997107164322fe1d894e
Instruction Fuzzy Hash: 72027C75900208AFDB14DFA4CD89EAE7BB9FF49314F008169F905AB2A1C7749D51CB68

Function 004DD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004DD2DB
GetSysColorBrush.USER32(0000000F), ref: 004DD30C
GetSysColor.USER32(0000000F), ref: 004DD318
SetBkColor.GDI32(?,000000FF), ref: 004DD332
SelectObject.GDI32(?,00000000), ref: 004DD341
InflateRect.USER32(?,000000FF,000000FF), ref: 004DD36C
GetSysColor.USER32(00000010), ref: 004DD374
CreateSolidBrush.GDI32(00000000), ref: 004DD37B
FrameRect.USER32(?,?,00000000), ref: 004DD38A
DeleteObject.GDI32(00000000), ref: 004DD391
InflateRect.USER32(?,000000FE,000000FE), ref: 004DD3DC
FillRect.USER32(?,?,00000000), ref: 004DD40E
GetWindowLongW.USER32(?,000000F0), ref: 004DD439

Part of subcall function 004DD575: GetSysColor.USER32(00000012), ref: 004DD5AE
Part of subcall function 004DD575: SetTextColor.GDI32(?,?), ref: 004DD5B2
Part of subcall function 004DD575: GetSysColorBrush.USER32(0000000F), ref: 004DD5C8
Part of subcall function 004DD575: GetSysColor.USER32(0000000F), ref: 004DD5D3
Part of subcall function 004DD575: GetSysColor.USER32(00000011), ref: 004DD5F0
Part of subcall function 004DD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004DD5FE
Part of subcall function 004DD575: SelectObject.GDI32(?,00000000), ref: 004DD60F
Part of subcall function 004DD575: SetBkColor.GDI32(?,00000000), ref: 004DD618
Part of subcall function 004DD575: SelectObject.GDI32(?,?), ref: 004DD625
Part of subcall function 004DD575: InflateRect.USER32(?,000000FF,000000FF), ref: 004DD644
Part of subcall function 004DD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004DD65B
Part of subcall function 004DD575: GetWindowLongW.USER32(00000000,000000F0), ref: 004DD670
Part of subcall function 004DD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004DD698

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f5503a58b9e8f4e2aabf38a6610d135b477bda0acbe4ae65a27c0f35aeb8f96b
Instruction ID: ee8ad7f0325b8cb6bb6bb9b7f6fc72dbfa8b7a18764d2fa6093c9b1c7173b797
Opcode Fuzzy Hash: f5503a58b9e8f4e2aabf38a6610d135b477bda0acbe4ae65a27c0f35aeb8f96b
Instruction Fuzzy Hash: 2D91B471808301BFC7109F64DC08E6F7BAAFF89325F101A2AF962962E0C775D955CB5A

Function 0048B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0048B98B
DeleteObject.GDI32(00000000), ref: 0048B9CD
DeleteObject.GDI32(00000000), ref: 0048B9D8
DestroyIcon.USER32(00000000), ref: 0048B9E3
DestroyWindow.USER32(00000000), ref: 0048B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 004ED2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004ED2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 004ED711

Part of subcall function 0048B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0048B759,?,00000000,?,?,?,?,0048B72B,00000000,?), ref: 0048BA58

SendMessageW.USER32 ref: 004ED758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004ED76F
ImageList_Destroy.COMCTL32(00000000), ref: 004ED785
ImageList_Destroy.COMCTL32(00000000), ref: 004ED790

Strings

0, xrefs: 004ED5A5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 615d5b0bef7c457a0926a1bd792da1f24fb9cdce6610cfb2f2c4886303d39aae
Instruction ID: e2f4990cd360787c26723b4b57ec2e260306042e321f42db2740e46f84d18414
Opcode Fuzzy Hash: 615d5b0bef7c457a0926a1bd792da1f24fb9cdce6610cfb2f2c4886303d39aae
Instruction Fuzzy Hash: AC12C070900241EFDB25DF25C884BAAB7E1FF05305F14496EE989CB252C739EC52DB99

Function 004BDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004BDBD6
GetDriveTypeW.KERNEL32(?,0050DC54,?,\\.\,0050DC00), ref: 004BDCC3
SetErrorMode.KERNEL32(00000000,0050DC54,?,\\.\,0050DC00), ref: 004BDE29

Strings

RAMDisk, xrefs: 004BDCED
PhysicalDrive, xrefs: 004BDC67
SATA, xrefs: 004BDDD9
USB, xrefs: 004BDDBD
ATAPI, xrefs: 004BDD9A
RAID, xrefs: 004BDDC4
SSD, xrefs: 004BDD50
Virtual, xrefs: 004BDDEE
iSCSI, xrefs: 004BDDCB
FileBackedVirtual, xrefs: 004BDDF5
Network, xrefs: 004BDD01
1394, xrefs: 004BDDA8
Fixed, xrefs: 004BDD0B
SCSI, xrefs: 004BDD93
MMC, xrefs: 004BDDE7
SSA, xrefs: 004BDDAF
Fibre, xrefs: 004BDDB6
CDROM, xrefs: 004BDCF7
Unknown, xrefs: 004BDCE3, 004BDD8C
Removable, xrefs: 004BDD15
ATA, xrefs: 004BDDA1
SAS, xrefs: 004BDDD2
\\.\, xrefs: 004BDC2B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 58f89cda85d9e2715a2fa4507b4cee5fee3443df63f2fcec88f0e510f75c9854
Instruction ID: 007745546dcc931fb02023f143fc5688bc69863d5d401b9e59b90e54477dcaed
Opcode Fuzzy Hash: 58f89cda85d9e2715a2fa4507b4cee5fee3443df63f2fcec88f0e510f75c9854
Instruction Fuzzy Hash: B251D630A08702ABC704DF10D8818AABBA6FF55305B10489FF087972D1EB6CD956DB6F

Function 0047CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0047CC68
__wcsnicmp.LIBCMT ref: 0047CC80
__wcsnicmp.LIBCMT ref: 0047CC98
__wcsnicmp.LIBCMT ref: 0047CCB0
__wcsnicmp.LIBCMT ref: 0047CCC8
__wcsnicmp.LIBCMT ref: 0047CCE0
__wcsnicmp.LIBCMT ref: 0047CCF8
__wcsnicmp.LIBCMT ref: 0047CD0C
__wcsnicmp.LIBCMT ref: 0047CD4D
__wcsnicmp.LIBCMT ref: 0047CD61
__wcsnicmp.LIBCMT ref: 0047CD75
__wcsnicmp.LIBCMT ref: 0047CD89

Strings

Cannot parse #include, xrefs: 004E2FA1
#comments-end, xrefs: 0047CD6F
#ce, xrefs: 0047CD83
#notrayicon, xrefs: 0047CC7A
Bad directive syntax error, xrefs: 004E2ECB
#pragma compile, xrefs: 0047CC62
#include-once, xrefs: 0047CCC2
#comments-start, xrefs: 0047CCF2, 0047CD47
Unterminated group of comments, xrefs: 004E2FB4
#requireadmin, xrefs: 0047CC92
#include, xrefs: 0047CCDA
#OnAutoItStartRegister, xrefs: 0047CCAA
#cs, xrefs: 0047CD06, 0047CD5B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 2f8aded33bbd2cb7661071d689a6c5af521d19aec2e62206fe8937f225c1f9ed
Instruction ID: df6847a4ab225ca8d7c64f38a1f6b7b53ecb94e332d6f44e747b4e650ee55b2f
Opcode Fuzzy Hash: 2f8aded33bbd2cb7661071d689a6c5af521d19aec2e62206fe8937f225c1f9ed
Instruction Fuzzy Hash: 46810A316402157ADB25BB66DD82FEF3B6DAF14305F04803FF909661C6EB68DA01D2AD

Function 004D638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0050DC00), ref: 004D6449

Strings

SETCURRENTSELECTION, xrefs: 004D65D6
GETLINE, xrefs: 004D678B
SHOWDROPDOWN, xrefs: 004D6500
GETCURRENTCOL, xrefs: 004D6724
EDITPASTE, xrefs: 004D675B
ISCHECKED, xrefs: 004D6659
UNCHECK, xrefs: 004D66A1
TABLEFT, xrefs: 004D64A7
TABRIGHT, xrefs: 004D64BD
HIDEDROPDOWN, xrefs: 004D6520
ADDSTRING, xrefs: 004D6536
GETSELECTED, xrefs: 004D66C1
DELSTRING, xrefs: 004D6569
GETCURRENTSELECTION, xrefs: 004D6603
SENDCOMMANDID, xrefs: 004D67CA
CURRENTTAB, xrefs: 004D64DD
SELECTSTRING, xrefs: 004D6626
ISENABLED, xrefs: 004D648C
GETCURRENTLINE, xrefs: 004D6704
GETLINECOUNT, xrefs: 004D66E4
ISVISIBLE, xrefs: 004D6455
FINDSTRING, xrefs: 004D6596
CHECK, xrefs: 004D668B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: ff7ee7ea5636da41ba71cf62acefe5d2200e3dc218ece3daba8b889de7767db3
Instruction ID: cafd546cad2d63f5fa7151755b3c3c98a3e0497b7358aabffb2083418f0cb095
Opcode Fuzzy Hash: ff7ee7ea5636da41ba71cf62acefe5d2200e3dc218ece3daba8b889de7767db3
Instruction Fuzzy Hash: 05C19F306042058BCB04EF11D561AAE77E5AF95348F05485FF8865B3E3DB28ED4BCB8A

Function 004DD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004DD5AE
SetTextColor.GDI32(?,?), ref: 004DD5B2
GetSysColorBrush.USER32(0000000F), ref: 004DD5C8
GetSysColor.USER32(0000000F), ref: 004DD5D3
CreateSolidBrush.GDI32(?), ref: 004DD5D8
GetSysColor.USER32(00000011), ref: 004DD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004DD5FE
SelectObject.GDI32(?,00000000), ref: 004DD60F
SetBkColor.GDI32(?,00000000), ref: 004DD618
SelectObject.GDI32(?,?), ref: 004DD625
InflateRect.USER32(?,000000FF,000000FF), ref: 004DD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004DD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 004DD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004DD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004DD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 004DD6DD
DrawFocusRect.USER32(?,?), ref: 004DD6E8
GetSysColor.USER32(00000011), ref: 004DD6F6
SetTextColor.GDI32(?,00000000), ref: 004DD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004DD712
SelectObject.GDI32(?,004DD2A5), ref: 004DD729
DeleteObject.GDI32(?), ref: 004DD734
SelectObject.GDI32(?,?), ref: 004DD73A
DeleteObject.GDI32(?), ref: 004DD73F
SetTextColor.GDI32(?,?), ref: 004DD745
SetBkColor.GDI32(?,?), ref: 004DD74F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8cb20633f7fbff6243881339fcd93c02893ad4f7b3afd5addb2b6e43ee4503d3
Instruction ID: e064b1879bf33d7450b5235cfdc5d1c0cb326c79dae6c029d60064407fc9b154
Opcode Fuzzy Hash: 8cb20633f7fbff6243881339fcd93c02893ad4f7b3afd5addb2b6e43ee4503d3
Instruction Fuzzy Hash: 7A515C71D00208BFDB10AFA4DD48EAE7B7AEF08324F104526F915AB2A1D7759A50DF94

Function 004DB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004DB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004DB7C1
CharNextW.USER32(0000014E), ref: 004DB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004DB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004DB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004DB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 004DB875
SetWindowTextW.USER32(?,0000014E), ref: 004DB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 004DB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 004DB90E
_memset.LIBCMT ref: 004DB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 004DB97C
_memset.LIBCMT ref: 004DB9DB
SendMessageW.USER32 ref: 004DBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 004DBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 004DBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 004DBB2C
GetMenuItemInfoW.USER32(?), ref: 004DBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004DBBA3
DrawMenuBar.USER32(?), ref: 004DBBB2
SetWindowTextW.USER32(?,0000014E), ref: 004DBBDA

Strings

0, xrefs: 004DBB4F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: f2460ff8e6fdb6bbf680defb8d1748e7108d979163b4b8bae7f335ffe1b4bdbe
Instruction ID: bcafb5e1aa2c24dc3a9a424fa931b10a06698b50e7455a37959f8ff199fd9265
Opcode Fuzzy Hash: f2460ff8e6fdb6bbf680defb8d1748e7108d979163b4b8bae7f335ffe1b4bdbe
Instruction Fuzzy Hash: B3E18074900208EBDF109FA1CC95AEE7B78FF05714F10815BF919AA390DB789A41DFA9

Function 00472EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00472F7A
IsWindow.USER32(?), ref: 004E22FD

Strings

ALL, xrefs: 004E2264
CLASS, xrefs: 004E2128
H+R, xrefs: 004E2184
LAST, xrefs: 004E20B6
INSTANCE, xrefs: 004E223C
T+R, xrefs: 004E220E
ACTIVE, xrefs: 004E20CC
P+R, xrefs: 004E21E0
REGEXPCLASS, xrefs: 004E2149
HANDLE, xrefs: 004E20E2
TITLE, xrefs: 004E2292
L+R, xrefs: 004E21B2
REGEXPTITLE, xrefs: 004E20F8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+R$HANDLE$INSTANCE$L+R$LAST$P+R$REGEXPCLASS$REGEXPTITLE$T+R$TITLE
API String ID: 62970417-1561553379
Opcode ID: 14283c34e08d7c4b981bc788e56ad95c23c20acfbfe3e22ab4f7c7420c1e5528
Instruction ID: 66c18b7a90c9e7f6ba6fd162d43a3eb6abce130b9bc29915af9cacb95b2fc322
Opcode Fuzzy Hash: 14283c34e08d7c4b981bc788e56ad95c23c20acfbfe3e22ab4f7c7420c1e5528
Instruction Fuzzy Hash: 7AD10B30508682ABCB04EF22C541A9FBBB5FF54305F00891FF459536A2DB78E95ACF99

Function 004D764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004D778A
GetDesktopWindow.USER32 ref: 004D779F
GetWindowRect.USER32(00000000), ref: 004D77A6
GetWindowLongW.USER32(?,000000F0), ref: 004D7808
DestroyWindow.USER32(?), ref: 004D7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004D785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004D78A1
SendMessageW.USER32(?,00000421,?,?), ref: 004D78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004D78C9
IsWindowVisible.USER32(?), ref: 004D78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004D7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 004D7918
GetWindowRect.USER32(?,?), ref: 004D7930
MonitorFromPoint.USER32(?,?,00000002), ref: 004D7956
GetMonitorInfoW.USER32 ref: 004D7970
CopyRect.USER32(?,?), ref: 004D7987
SendMessageW.USER32(?,00000412,00000000), ref: 004D79F2

Strings

0, xrefs: 004D7735
(, xrefs: 004D7965
tooltips_class32, xrefs: 004D7856

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e01e20451df1d467b1c51c9742ace1f0999017f3c13547843a3a59d456627d6e
Instruction ID: e0584fa4c418cdf37872f99e080135dd75839da157069bacb91f05a78b1ed31d
Opcode Fuzzy Hash: e01e20451df1d467b1c51c9742ace1f0999017f3c13547843a3a59d456627d6e
Instruction Fuzzy Hash: 9FB18F71608300AFDB04DF65C958B6ABBE5FF88314F00891EF5999B391E774E805CB9A

Function 0048A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0048A939
GetSystemMetrics.USER32(00000007), ref: 0048A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0048A96C
GetSystemMetrics.USER32(00000008), ref: 0048A974
GetSystemMetrics.USER32(00000004), ref: 0048A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0048A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0048A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0048A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0048AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0048AA2B
GetStockObject.GDI32(00000011), ref: 0048AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0048AA52

Part of subcall function 0048B63C: GetCursorPos.USER32(000000FF), ref: 0048B64F
Part of subcall function 0048B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0048B66C
Part of subcall function 0048B63C: GetAsyncKeyState.USER32(00000001), ref: 0048B691
Part of subcall function 0048B63C: GetAsyncKeyState.USER32(00000002), ref: 0048B69F

SetTimer.USER32(00000000,00000000,00000028,0048AB87), ref: 0048AA79

Strings

AutoIt v3 GUI, xrefs: 0048A9F1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9570b3d87c169a6d171a4aa903e0f7c2b1df9147dabd53a1177c09bc115ba291
Instruction ID: 09f1bccebafa84eeaba2579bd70da86f3e528cefa60512bb2bf529d9e11a679d
Opcode Fuzzy Hash: 9570b3d87c169a6d171a4aa903e0f7c2b1df9147dabd53a1177c09bc115ba291
Instruction Fuzzy Hash: AEB1C571A0020A9FDB14EFA8DC45BAE7BB5FB08315F10412AFA05E7390DB78E851CB59

Function 004D3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0050DC00,00000000,?,00000000,?,?), ref: 004D37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004D37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 004D3874
RegCloseKey.ADVAPI32(?), ref: 004D3B94
RegCloseKey.ADVAPI32(00000000), ref: 004D3BA1

Strings

REG_DWORD, xrefs: 004D3A65
REG_BINARY, xrefs: 004D3B2F
REG_QWORD, xrefs: 004D3AE2
REG_EXPAND_SZ, xrefs: 004D3811
REG_MULTI_SZ, xrefs: 004D395C
REG_SZ, xrefs: 004D38B2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cb9b9845a921523b5500b8eff31a9b9d317bedab8e5f3a5676ab6170b828f620
Instruction ID: a19151acd050cd05519832c2688d3815acc9c5ed9ba67feafc1f4961d834ab75
Opcode Fuzzy Hash: cb9b9845a921523b5500b8eff31a9b9d317bedab8e5f3a5676ab6170b828f620
Instruction Fuzzy Hash: 46026E756046019FCB14EF15C851A6EB7E5FF88714F04845EF98A9B3A2CB78ED01CB8A

Function 004D6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004D6D16

Strings

GETSELECTEDCOUNT, xrefs: 004D6CF9
SELECTCLEAR, xrefs: 004D6D8D
SELECTALL, xrefs: 004D6D75
GETSUBITEMCOUNT, xrefs: 004D6CA1
GETSELECTED, xrefs: 004D6E3C
GETTEXT, xrefs: 004D6CBF
FINDITEM, xrefs: 004D6E81
DESELECT, xrefs: 004D6DFC
ISSELECTED, xrefs: 004D6D21
GETITEMCOUNT, xrefs: 004D6C84
SELECTINVERT, xrefs: 004D6DDE
SELECT, xrefs: 004D6DA8
VIEWCHANGE, xrefs: 004D6ECD

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 08fcca3bf5ef7bbfed70ee5261523bed42a7105fc8ab7cef5e3894b764b12ced
Instruction ID: 9445baf013b150e05385a24c98d0987381c5e4bb9344b65ed35e37d4c6a6bd20
Opcode Fuzzy Hash: 08fcca3bf5ef7bbfed70ee5261523bed42a7105fc8ab7cef5e3894b764b12ced
Instruction Fuzzy Hash: 77A19E306142419BCB14EF15C861A6EB3E2FF55318F11896FB85A5B3D2DB38EC06CB89

Function 004ACF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004ACF91
__swprintf.LIBCMT ref: 004AD032
_wcscmp.LIBCMT ref: 004AD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004AD09A
_wcscmp.LIBCMT ref: 004AD0D6
GetClassNameW.USER32(?,?,00000400), ref: 004AD10D
GetDlgCtrlID.USER32(?), ref: 004AD15F
GetWindowRect.USER32(?,?), ref: 004AD195
GetParent.USER32(?), ref: 004AD1B3
ScreenToClient.USER32(00000000), ref: 004AD1BA
GetClassNameW.USER32(?,?,00000100), ref: 004AD234
_wcscmp.LIBCMT ref: 004AD248
GetWindowTextW.USER32(?,?,00000400), ref: 004AD26E
_wcscmp.LIBCMT ref: 004AD282

Strings

%s%u, xrefs: 004AD02C

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 80983f49c9194691500b849ea002e36abfa7b46abd3d807fddec3a48319ff240
Instruction ID: b90f4c8b8c86b79583b6b355e38a633bf6b96ce8daa4aa74c75e114bdb78319c
Opcode Fuzzy Hash: 80983f49c9194691500b849ea002e36abfa7b46abd3d807fddec3a48319ff240
Instruction Fuzzy Hash: DEA10572A04302AFD714DF64C884FABB7A8FF65314F00852BF95AD2690DB38E915CB95

Function 004AD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 004AD8EB
_wcscmp.LIBCMT ref: 004AD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 004AD924
CharUpperBuffW.USER32(?,00000000), ref: 004AD941
_wcscmp.LIBCMT ref: 004AD95F
_wcsstr.LIBCMT ref: 004AD970
GetClassNameW.USER32(00000018,?,00000400), ref: 004AD9A8
_wcscmp.LIBCMT ref: 004AD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 004AD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 004ADA28
_wcscmp.LIBCMT ref: 004ADA38
GetClassNameW.USER32(00000010,?,00000400), ref: 004ADA60
GetWindowRect.USER32(00000004,?), ref: 004ADAC9

Strings

ThumbnailClass, xrefs: 004AD9B3, 004ADA33
@, xrefs: 004AD8C6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 7e7b6a2defe25a498dba7fc4c22bd230d15234dbaa0f6a752b4bfe9857d9cfd8
Instruction ID: bf9e855cd4efe080def8d03eafeca48608158d43c6cd1d10abbdca8e03ca8063
Opcode Fuzzy Hash: 7e7b6a2defe25a498dba7fc4c22bd230d15234dbaa0f6a752b4bfe9857d9cfd8
Instruction Fuzzy Hash: DE81D0714083059BDB01DF10C884BAB7BE8EF55318F04846FFD8A9A596DB38ED45CBA9

Function 004AD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004AD753

Strings

ALL, xrefs: 004AD7E7
[CLASS:, xrefs: 004AD7A3
[ALL, xrefs: 004AD7F9
LAST, xrefs: 004AD718
REGEXP=, xrefs: 004AD768
[LAST, xrefs: 004AD800
CLASSNAME=, xrefs: 004AD790
HANDLE=, xrefs: 004AD74C
[REGEXPTITLE:, xrefs: 004AD77B
[ACTIVE, xrefs: 004AD740
[HANDLE:, xrefs: 004AD75F
ACTIVE, xrefs: 004AD72E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: be34e04cb9fe810bc1a241ea635eda9934c30aca17acb200a62d953b9c98ff9c
Instruction ID: 65de8941cb3a021fba2aa71d5f12cdba1e5072091e8926308b1d9ae57faea3f6
Opcode Fuzzy Hash: be34e04cb9fe810bc1a241ea635eda9934c30aca17acb200a62d953b9c98ff9c
Instruction Fuzzy Hash: E731E139D04205BADB18FA11ED43EEE7774AF22708F60002FF416710D1EB69AF00C669

Function 004AEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004AEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004AEAC2
SetWindowTextW.USER32(?,?), ref: 004AEAD9
GetDlgItem.USER32(?,000003EA), ref: 004AEAEE
SetWindowTextW.USER32(00000000,?), ref: 004AEAF4
GetDlgItem.USER32(?,000003E9), ref: 004AEB04
SetWindowTextW.USER32(00000000,?), ref: 004AEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004AEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004AEB45
GetWindowRect.USER32(?,?), ref: 004AEB4E
SetWindowTextW.USER32(?,?), ref: 004AEBB9
GetDesktopWindow.USER32 ref: 004AEBBF
GetWindowRect.USER32(00000000), ref: 004AEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 004AEC12
GetClientRect.USER32(?,?), ref: 004AEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 004AEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004AEC6F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: a1774cee3b13814c8ce384671169abc3d78336b1f32e24f12990a4562a6f1294
Instruction ID: fb0732601311cd9d45e71dfb37ef22aadb325786b7a92cf9bc2c31b12a5063d6
Opcode Fuzzy Hash: a1774cee3b13814c8ce384671169abc3d78336b1f32e24f12990a4562a6f1294
Instruction Fuzzy Hash: D7515B71900709AFEB20DFA9CD89B6FBBF5FF04704F004929E696A26A0C774B914CB14

Function 004C79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 004C79C6
LoadCursorW.USER32(00000000,00007F00), ref: 004C79D1
LoadCursorW.USER32(00000000,00007F03), ref: 004C79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 004C79E7
LoadCursorW.USER32(00000000,00007F01), ref: 004C79F2
LoadCursorW.USER32(00000000,00007F81), ref: 004C79FD
LoadCursorW.USER32(00000000,00007F88), ref: 004C7A08
LoadCursorW.USER32(00000000,00007F80), ref: 004C7A13
LoadCursorW.USER32(00000000,00007F86), ref: 004C7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 004C7A29
LoadCursorW.USER32(00000000,00007F85), ref: 004C7A34
LoadCursorW.USER32(00000000,00007F82), ref: 004C7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 004C7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 004C7A55
LoadCursorW.USER32(00000000,00007F02), ref: 004C7A60
LoadCursorW.USER32(00000000,00007F89), ref: 004C7A6B
GetCursorInfo.USER32(?), ref: 004C7A7B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 56510c232f446fb641752e3e7d2dc7ee01559fd2aed2334bc078897b6ca44539
Instruction ID: 0fed7915f8b8f30e565e33525deee3fdb7a34f7417252415ea1f741e08c7a07c
Opcode Fuzzy Hash: 56510c232f446fb641752e3e7d2dc7ee01559fd2aed2334bc078897b6ca44539
Instruction Fuzzy Hash: 043112B0D0831A6ADB509FB68C89D6FBEE8FF04750F50453BA50DE7280DA7DA5008FA5

Function 0047C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0048E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0047C8B7,?,00002000,?,?,00000000,?,0047419E,?,?,?,0050DC00), ref: 0048E984

Part of subcall function 0047660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004753B1,?,?,004761FF,?,00000000,00000001,00000000), ref: 0047662F

__wsplitpath.LIBCMT ref: 0047C93E

Part of subcall function 00491DFC: __wsplitpath_helper.LIBCMT ref: 00491E3C

_wcscpy.LIBCMT ref: 0047C953
_wcscat.LIBCMT ref: 0047C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0047C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0047CABE

Part of subcall function 0047B337: _wcscpy.LIBCMT ref: 0047B36F

Strings

Error opening the file, xrefs: 004E30B4, 004E313D
EA06, xrefs: 004E30C9
Unterminated string, xrefs: 004E3470
>>>AUTOIT SCRIPT<<<, xrefs: 004E311B
Bad directive syntax error, xrefs: 004E3429
AU3!, xrefs: 0047C90C
#include depth exceeded. Make sure there are no recursive includes, xrefs: 004E3098

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 070924494adc91b04ded8dbbbda91841b6d985d538ab1a73a6a1c4ff3fc4af5b
Instruction ID: 33de20e7325a378e836f95a4f90bd2f50f112ac13d7ffc72573795a3a95945a7
Opcode Fuzzy Hash: 070924494adc91b04ded8dbbbda91841b6d985d538ab1a73a6a1c4ff3fc4af5b
Instruction Fuzzy Hash: A112AF715083419FC725EF25C881AAFBBE5BF99308F00491FF58993251DB38DA49CB5A

Function 004DCE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004DCEFB
DestroyWindow.USER32(?,?), ref: 004DCF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004DCFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004DD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004DD025
DestroyWindow.USER32(?), ref: 004DD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00470000,00000000), ref: 004DD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004DD094
GetDesktopWindow.USER32 ref: 004DD0A9
GetWindowRect.USER32(00000000), ref: 004DD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004DD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004DD0DA

Part of subcall function 0048B526: GetWindowLongW.USER32(?,000000EB), ref: 0048B537

Strings

0, xrefs: 004DCF1B
tooltips_class32, xrefs: 004DCFED, 004DD06E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: e907a54fbc5ae12743c062df0b20446d1ddaf915846ebb2b2dcecb434641a549
Instruction ID: 545c0b12c1f4776674ee31aa2e6a8d24ee79ff44de788c64283a3cf59b71ebfd
Opcode Fuzzy Hash: e907a54fbc5ae12743c062df0b20446d1ddaf915846ebb2b2dcecb434641a549
Instruction Fuzzy Hash: 7A71CD70540205AFE721CF28CC95FAA7BE5EB89708F04451EF985873A1C738E946DB1A

Function 004DF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

DragQueryPoint.SHELL32(?,?), ref: 004DF37A

Part of subcall function 004DD7DE: ClientToScreen.USER32(?,?), ref: 004DD807
Part of subcall function 004DD7DE: GetWindowRect.USER32(?,?), ref: 004DD87D
Part of subcall function 004DD7DE: PtInRect.USER32(?,?,004DED5A), ref: 004DD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 004DF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004DF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004DF411
_wcscat.LIBCMT ref: 004DF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004DF458
SendMessageW.USER32(?,000000B0,?,?), ref: 004DF471
SendMessageW.USER32(?,000000B1,?,?), ref: 004DF488
SendMessageW.USER32(?,000000B1,?,?), ref: 004DF4AA
DragFinish.SHELL32(?), ref: 004DF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004DF59C

Strings

@GUI_DROPID, xrefs: 004DF4D1
@GUI_DRAGID, xrefs: 004DF510
@GUI_DRAGFILE, xrefs: 004DF54B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: edc42fc195a9a0418b19d12bc8afcdb085d4cc1245f69d3f19ce618713b31924
Instruction ID: 5be0a7568a0cdd213812fba216a2cffca629654862301c03845100e5d656c52e
Opcode Fuzzy Hash: edc42fc195a9a0418b19d12bc8afcdb085d4cc1245f69d3f19ce618713b31924
Instruction Fuzzy Hash: DF615771508300AFC311EF65DC85EAFBBE8FF89714F004A2EB595922A1DB749A09CB56

Function 004BAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004BAB3D
VariantCopy.OLEAUT32(?,?), ref: 004BAB46
VariantClear.OLEAUT32(?), ref: 004BAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004BAC40
__swprintf.LIBCMT ref: 004BAC70
VarR8FromDec.OLEAUT32(?,?), ref: 004BAC9C
VariantInit.OLEAUT32(?), ref: 004BAD4D
SysFreeString.OLEAUT32(00000016), ref: 004BADDF
VariantClear.OLEAUT32(?), ref: 004BAE35
VariantClear.OLEAUT32(?), ref: 004BAE44
VariantInit.OLEAUT32(00000000), ref: 004BAE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004BAC6A
Default, xrefs: 004BACFD

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: a7a1644efff19318b4a2fcf1fac99f336e373ae00e2a4feb4414b21a6ef3c27f
Instruction ID: 6cc678c61f45ea4a9c9da8c8747f259c559654c56aacbd11086e7ec6f9d1f75f
Opcode Fuzzy Hash: a7a1644efff19318b4a2fcf1fac99f336e373ae00e2a4feb4414b21a6ef3c27f
Instruction Fuzzy Hash: 72D1C131A04105DBCB109F6AC485BEEB7B5BF04700F18845BE5159B281DB78EC65DBBA

Function 004D716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D7247

Strings

GETTOTALCOUNT, xrefs: 004D722A
GETTEXT, xrefs: 004D7382
EXPAND, xrefs: 004D72E1
GETITEMCOUNT, xrefs: 004D7311
ISCHECKED, xrefs: 004D73B2
UNCHECK, xrefs: 004D740B
SELECT, xrefs: 004D73E0
EXISTS, xrefs: 004D72B0
GETSELECTED, xrefs: 004D733F
CHECK, xrefs: 004D7267
COLLAPSE, xrefs: 004D728D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 60a27181bc177b2f66fcf92f2fe6d939c819fb6ea7898c311e0addd944f088ad
Instruction ID: 8b02e241c4c2adc3d3d82137b597020baa80529be4bde69492112215ba16c2c8
Opcode Fuzzy Hash: 60a27181bc177b2f66fcf92f2fe6d939c819fb6ea7898c311e0addd944f088ad
Instruction Fuzzy Hash: E1913E346086419BCB05EF11C491A6EBBA1BF55318F00885FFC9A5B393DB38ED46CB99

Function 004ACB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,004ACF50), ref: 004ACE90

Strings

CLASSNN, xrefs: 004ACC33
4+R, xrefs: 004ACC96
T+R, xrefs: 004ACD72
CLASS, xrefs: 004ACC10
H+R, xrefs: 004ACCE8
REGEXPCLASS, xrefs: 004ACC56
P+R, xrefs: 004ACD43
INSTANCE, xrefs: 004ACD9E
TEXT, xrefs: 004ACDC7
L+R, xrefs: 004ACD14
NAME, xrefs: 004ACCC2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+R$CLASS$CLASSNN$H+R$INSTANCE$L+R$NAME$P+R$REGEXPCLASS$T+R$TEXT
API String ID: 3555792229-2236777132
Opcode ID: 109b8ab422950ded6e969c399c5b83cd3561e8302bc833092e6e892ad79f2c71
Instruction ID: dc377302aa681af9824ba358c83dc9f9f9a6d722fa6ae5babbb328f3e0b15a80
Opcode Fuzzy Hash: 109b8ab422950ded6e969c399c5b83cd3561e8302bc833092e6e892ad79f2c71
Instruction Fuzzy Hash: 9791A330900506ABDB58EF61C4C1BEBFBB5BF16304F50851BD449A7291DF38695AC7E8

Function 004DE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004DE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,004D9808,?), ref: 004DE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004DE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004DE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004DE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,004D9808,?), ref: 004DE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004DE6DF
DestroyIcon.USER32(?), ref: 004DE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004DE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004DE717

Part of subcall function 00490FA7: __wcsicmp_l.LIBCMT ref: 00491030

Strings

.exe, xrefs: 004DE541
.icl, xrefs: 004DE521
.dll, xrefs: 004DE564

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 951ccba9af6c5416c6cf62432b995b82b4461d40c4aa4234771e109eec42284e
Instruction ID: c2c6e9ca0dcbe67d5b9460f00a8f930b2bc5c9b365ce407a880bb4ddb6a9e6b6
Opcode Fuzzy Hash: 951ccba9af6c5416c6cf62432b995b82b4461d40c4aa4234771e109eec42284e
Instruction Fuzzy Hash: AB61D071900215BAEB14EF65CC52FBE7BA8BB08714F104117F915DA2D0EB78D990CB68

Function 004BD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

CharLowerBuffW.USER32(?,?), ref: 004BD292
GetDriveTypeW.KERNEL32 ref: 004BD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BD38C

Strings

close cd wait, xrefs: 004BD377
closed, xrefs: 004BD2A6, 004BD2AF
type cdaudio alias cd wait, xrefs: 004BD30A
open, xrefs: 004BD2B9
wait, xrefs: 004BD349
open , xrefs: 004BD2EE
close, xrefs: 004BD298
set cd door , xrefs: 004BD32D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: b465b8926753d12975c5c4d5d2aba6ecc35dc4fda4ce14c6ee665361c9046bfc
Instruction ID: f9a5065fced3058ae8c3b70fa832dd90b56177f191cb26ad000db76ab86ab97d
Opcode Fuzzy Hash: b465b8926753d12975c5c4d5d2aba6ecc35dc4fda4ce14c6ee665361c9046bfc
Instruction Fuzzy Hash: 1D516D715047049FC700EF11D8819AEB7E5FF99718F00886EF88967291DB39EE06CB96

Function 004B26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,004E3973,00000016,0000138C,00000016,?,00000016,0050DDB4,00000000,?), ref: 004B26F1
LoadStringW.USER32(00000000,?,004E3973,00000016), ref: 004B26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,004E3973,00000016,0000138C,00000016,?,00000016,0050DDB4,00000000,?,00000016), ref: 004B271C
LoadStringW.USER32(00000000,?,004E3973,00000016), ref: 004B271F
__swprintf.LIBCMT ref: 004B276F
__swprintf.LIBCMT ref: 004B2780
_wprintf.LIBCMT ref: 004B2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004B2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004B2824
Line %d (File "%s"):, xrefs: 004B2769
Error: , xrefs: 004B27F7
Line %d:, xrefs: 004B277A
^ ERROR, xrefs: 004B27D5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 721716dee0997fb61a9ac38399f5e930ead809b7031ed543b5d251feb62088df
Instruction ID: 7465dea8e0e59044fed4710f326115892c0c2c21089ff7cd2b95d85b6b40f863
Opcode Fuzzy Hash: 721716dee0997fb61a9ac38399f5e930ead809b7031ed543b5d251feb62088df
Instruction Fuzzy Hash: 80417172800219BACB14FBD1DE82DEEB778EF15348F50446EB50576092DB786F09CBA8

Function 004BD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004BD0D8
__swprintf.LIBCMT ref: 004BD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 004BD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004BD15C
_memset.LIBCMT ref: 004BD17B
_wcsncpy.LIBCMT ref: 004BD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004BD1EC
CloseHandle.KERNEL32(00000000), ref: 004BD1F7
RemoveDirectoryW.KERNEL32(?), ref: 004BD200
CloseHandle.KERNEL32(00000000), ref: 004BD20A

Strings

\??\%s, xrefs: 004BD0F4
:, xrefs: 004BD11B
\, xrefs: 004BD110

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 07a3e164b6d055d510c4cd8f0ff01309e65754d82333c3b51c03cd6355342179
Instruction ID: 7e4af3f02914fc5544549279a2a71eb5ed70174fdd4c28acc366bf616c3e6eee
Opcode Fuzzy Hash: 07a3e164b6d055d510c4cd8f0ff01309e65754d82333c3b51c03cd6355342179
Instruction Fuzzy Hash: 04318EB290010AABDB21DFA5DC49FEB37BDAF89704F1040FAF909D2160E77496558B38

Function 004A87CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 004A882D
___wtomb_environ.LIBCMT ref: 004A884F

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

__malloc_crt.LIBCMT ref: 004A8875
__malloc_crt.LIBCMT ref: 004A8892
_free.LIBCMT ref: 004A88C9
__recalloc_crt.LIBCMT ref: 004A8902
__recalloc_crt.LIBCMT ref: 004A8947
_strlen.LIBCMT ref: 004A8973
__calloc_crt.LIBCMT ref: 004A897D
_strlen.LIBCMT ref: 004A898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 004A89BA
_free.LIBCMT ref: 004A89D4
_free.LIBCMT ref: 004A89E1
_free.LIBCMT ref: 004A89F3
__invoke_watson.LIBCMT ref: 004A8A0D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 9c7e4b407084bfec5315b0f146d536e398a769bdde2f8861b43f1d5b43b545ac
Instruction ID: dbe731e924a88b1300735129f9159b674ab0982baaab8a63d6770edcf48f0189
Opcode Fuzzy Hash: 9c7e4b407084bfec5315b0f146d536e398a769bdde2f8861b43f1d5b43b545ac
Instruction Fuzzy Hash: D361CF72900312AFDB206F65DC4176B7BA8EF22764F21052FE801AA2D1DF3CC941D69E

Function 004DE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 004DE754
GetFileSize.KERNEL32(00000000,00000000), ref: 004DE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 004DE776
CloseHandle.KERNEL32(00000000), ref: 004DE783
GlobalLock.KERNEL32(00000000), ref: 004DE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004DE79B
GlobalUnlock.KERNEL32(00000000), ref: 004DE7A4
CloseHandle.KERNEL32(00000000), ref: 004DE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004DE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,004FD9BC,?), ref: 004DE7D5
GlobalFree.KERNEL32(00000000), ref: 004DE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 004DE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 004DE834
DeleteObject.GDI32(00000000), ref: 004DE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004DE872

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 96b0e4f4940fe8109d5656012a93dced3252e114a7eb37a8fba5c3c1928f3372
Instruction ID: 66e248685489436d9468ab7f5bc6aa2ca0997f6bd1f99ecd8ed03b69822da44b
Opcode Fuzzy Hash: 96b0e4f4940fe8109d5656012a93dced3252e114a7eb37a8fba5c3c1928f3372
Instruction Fuzzy Hash: B3414975A00204EFDB11AF65CC88EAF7BBAEF89715F104069F906DB2A0C7349951DB64

Function 004C05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 004C076F
_wcscat.LIBCMT ref: 004C0787
_wcscat.LIBCMT ref: 004C0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 004C07C2
GetFileAttributesW.KERNEL32(?), ref: 004C07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004C07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 004C0806

Strings

*.*, xrefs: 004C0845

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: b04d8c39aec038c2ad2e1c75788a0ba59bca94d93353ffb525f81311dfca258e
Instruction ID: 256ce6c4302a6755781ff85d4b0fa33ba37de7b76564d27fa35383080705dc73
Opcode Fuzzy Hash: b04d8c39aec038c2ad2e1c75788a0ba59bca94d93353ffb525f81311dfca258e
Instruction Fuzzy Hash: 28817075604301DFCBA4EF64C445E6FB7E8AB88314F14882FF889C7251E738E9558B9A

Function 004DEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004DEF3B
GetFocus.USER32 ref: 004DEF4B
GetDlgCtrlID.USER32(00000000), ref: 004DEF56
_memset.LIBCMT ref: 004DF081
GetMenuItemInfoW.USER32 ref: 004DF0AC
GetMenuItemCount.USER32(00000000), ref: 004DF0CC
GetMenuItemID.USER32(?,00000000), ref: 004DF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 004DF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 004DF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004DF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 004DF1C8

Strings

0, xrefs: 004DF079

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 3b3cc416460b1ed039c4cc5c016540de8f6e217699805749a81ad295aaf1f3e5
Instruction ID: 5c8e519bb7f2d2ae08db06a7ddb27ca2e0ec1bd2770194bd4b4561de49f6e573
Opcode Fuzzy Hash: 3b3cc416460b1ed039c4cc5c016540de8f6e217699805749a81ad295aaf1f3e5
Instruction Fuzzy Hash: 03814670504301AFDB20DF25C894A6FBBE9BB88318F00492FF99697391D734D909CB9A

Function 004AA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004AABD7
Part of subcall function 004AABBB: GetLastError.KERNEL32(?,004AA69F,?,?,?), ref: 004AABE1
Part of subcall function 004AABBB: GetProcessHeap.KERNEL32(00000008,?,?,004AA69F,?,?,?), ref: 004AABF0
Part of subcall function 004AABBB: HeapAlloc.KERNEL32(00000000,?,004AA69F,?,?,?), ref: 004AABF7
Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004AAC0E

Part of subcall function 004AAC56: GetProcessHeap.KERNEL32(00000008,004AA6B5,00000000,00000000,?,004AA6B5,?), ref: 004AAC62
Part of subcall function 004AAC56: HeapAlloc.KERNEL32(00000000,?,004AA6B5,?), ref: 004AAC69
Part of subcall function 004AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004AA6B5,?), ref: 004AAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004AA8CB
_memset.LIBCMT ref: 004AA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004AA8FF
GetLengthSid.ADVAPI32(?), ref: 004AA910
GetAce.ADVAPI32(?,00000000,?), ref: 004AA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004AA969
GetLengthSid.ADVAPI32(?), ref: 004AA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004AA995
HeapAlloc.KERNEL32(00000000), ref: 004AA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004AA9BD
CopySid.ADVAPI32(00000000), ref: 004AA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004AA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004AAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004AAA2F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a998618aafe4419178c62acde79633beb718fc9d1ed2689f0f2a81af5fe0d4f4
Instruction ID: d725828c861e6dd74fbec0a30e832c60b17828f403f885ae892d25d755da2f95
Opcode Fuzzy Hash: a998618aafe4419178c62acde79633beb718fc9d1ed2689f0f2a81af5fe0d4f4
Instruction Fuzzy Hash: 21517075900109AFDF00DF91DD44EEEBBBAFF15304F04812AF911A7290DB389A25CB65

Function 004C9DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004C9E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004C9E42
CreateCompatibleDC.GDI32(?), ref: 004C9E4E
SelectObject.GDI32(00000000,?), ref: 004C9E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 004C9EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 004C9EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 004C9F0F
SelectObject.GDI32(00000006,?), ref: 004C9F17
DeleteObject.GDI32(?), ref: 004C9F20
DeleteDC.GDI32(00000006), ref: 004C9F27
ReleaseDC.USER32(00000000,?), ref: 004C9F32

Strings

(, xrefs: 004C9ED7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 61c2d89923c842f898d691a7a92de63d0c9c2c89e9b332c6fb910ac1cf9ae87c
Instruction ID: cace629eb48902700f48374827e02262b2ce18db647505944b83790f7e286c0b
Opcode Fuzzy Hash: 61c2d89923c842f898d691a7a92de63d0c9c2c89e9b332c6fb910ac1cf9ae87c
Instruction Fuzzy Hash: 53513B75900309EFCB14CFA8C889EAEBBB9EF48710F14842EF95997250C735AD41CB58

Function 004BCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 004BCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 004BCCC5
__swprintf.LIBCMT ref: 004BCD1E
__swprintf.LIBCMT ref: 004BCD37
_wprintf.LIBCMT ref: 004BCDED
_wprintf.LIBCMT ref: 004BCE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 004BCE06
Line %d (File "%s"):, xrefs: 004BCD18, 004BCD31
Error: , xrefs: 004BCDB5
"%s" (%d) : ==> %s:%s%s, xrefs: 004BCDE8
^ ERROR, xrefs: 004BCD8F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: ce7da5269d1dbecb3326f8010e30e7f06dc8ad77c2d87b46939868b74561b8d8
Instruction ID: eed000d30828e88dcc4c91c22988a620a90634595f06fde42474f9c8fdc362bd
Opcode Fuzzy Hash: ce7da5269d1dbecb3326f8010e30e7f06dc8ad77c2d87b46939868b74561b8d8
Instruction Fuzzy Hash: 0A51A331800109ABCF14EBE1DD86EEEB778EF05308F10416AF405761A1EB786F59DB68

Function 004BCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 004BCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004BCAB0
__swprintf.LIBCMT ref: 004BCB09
__swprintf.LIBCMT ref: 004BCB22
_wprintf.LIBCMT ref: 004BCBCD
_wprintf.LIBCMT ref: 004BCBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 004BCBE6
Line %d (File "%s"):, xrefs: 004BCB03, 004BCB1C
Error: , xrefs: 004BCB95
"%s" (%d) : ==> %s:%s%s, xrefs: 004BCBC8
^ ERROR , xrefs: 004BCB64

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 22f47dd45f536287f968969cd78deadb9a8c6197f7812460d6b47bf266a29a93
Instruction ID: 575dd487aaf21bec7f85bc4d90a15f41ac1f7fc9f61fc1b17f020f534d8820ed
Opcode Fuzzy Hash: 22f47dd45f536287f968969cd78deadb9a8c6197f7812460d6b47bf266a29a93
Instruction Fuzzy Hash: 8F51A431800519AACF14EBE1DD86EEEBB78EF15304F10406AB109721A2DB786F59DF69

Function 004D3C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D

Strings

$ER, xrefs: 004D3C36
HKEY_LOCAL_MACHINE, xrefs: 004D3C6C
HKEY_CURRENT_CONFIG, xrefs: 004D3CC0
HKEY_USERS, xrefs: 004D3D04
HKCC, xrefs: 004D3CD1
HKU, xrefs: 004D3D15
HKCR, xrefs: 004D3CAB
HKEY_CLASSES_ROOT, xrefs: 004D3C96
HKEY_CURRENT_USER, xrefs: 004D3CE2
HKCU, xrefs: 004D3CF3
HKLM, xrefs: 004D3C81

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharUpper
String ID: $ER$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-1405334128
Opcode ID: 1ed4fefd684c6d66a21a72b8436ecc5d22ce4bd355e5928ff98ce04c1c413690
Instruction ID: 0046dce7b536e69ce6b494d3cedb7070d2a8c50e114b68e1d4953ff9f3ae21f3
Opcode Fuzzy Hash: 1ed4fefd684c6d66a21a72b8436ecc5d22ce4bd355e5928ff98ce04c1c413690
Instruction Fuzzy Hash: 644130316142499BDF00EF11E8616EF3766BF13345F10481BEC951B396EB78AA0ACF59

Function 004B55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 004B5664
GetMenuItemCount.USER32(00531708), ref: 004B56ED
DeleteMenu.USER32(00531708,00000005,00000000,000000F5,?,?), ref: 004B577D
DeleteMenu.USER32(00531708,00000004,00000000), ref: 004B5785
DeleteMenu.USER32(00531708,00000006,00000000), ref: 004B578D
DeleteMenu.USER32(00531708,00000003,00000000), ref: 004B5795
GetMenuItemCount.USER32(00531708), ref: 004B579D
SetMenuItemInfoW.USER32(00531708,00000004,00000000,00000030), ref: 004B57D3
GetCursorPos.USER32(?), ref: 004B57DD
SetForegroundWindow.USER32(00000000), ref: 004B57E6
TrackPopupMenuEx.USER32(00531708,00000000,?,00000000,00000000,00000000), ref: 004B57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B5805

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 200966b486115da2531def57ff437379dafa4b8442264c318e2717f657b410a2
Instruction ID: d36472a902a19f149e368a04c9e98804eb425c6e6bb1a3a0cc1cd7e4339ebe2d
Opcode Fuzzy Hash: 200966b486115da2531def57ff437379dafa4b8442264c318e2717f657b410a2
Instruction Fuzzy Hash: 3A71F270640605BEEB209B55CC49FEAFF65FF44368F240217F518AA2D1C7785820DBA9

Function 004AA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004AA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004AA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004AA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004AA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004AA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 004AA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004AA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004AA2AB

Strings

SOFTWARE\Classes\, xrefs: 004AA17D
\IPC$, xrefs: 004AA1F3
\CLSID, xrefs: 004AA193

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: eba71e615bbb0326d37ca8767acb7a7b32bebc288a4c098c801fb98ea151f44a
Instruction ID: 6db10fe0a7b7a29fdf74ae0e969f89b6e8611ba2ba8d5d7015baccb5ad2b4048
Opcode Fuzzy Hash: eba71e615bbb0326d37ca8767acb7a7b32bebc288a4c098c801fb98ea151f44a
Instruction Fuzzy Hash: 3C411876C10229AECB15EBA5DC85DEEB778FF15304F40806AF805A7260EB74AE15CB94

Function 004B67E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004B67FD
__swprintf.LIBCMT ref: 004B680A

Part of subcall function 0049172B: __woutput_l.LIBCMT ref: 00491784

FindResourceW.KERNEL32(?,?,0000000E), ref: 004B6834
LoadResource.KERNEL32(?,00000000), ref: 004B6840
LockResource.KERNEL32(00000000), ref: 004B684D
FindResourceW.KERNEL32(?,?,00000003), ref: 004B686D
LoadResource.KERNEL32(?,00000000), ref: 004B687F
SizeofResource.KERNEL32(?,00000000), ref: 004B688E
LockResource.KERNEL32(?), ref: 004B689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004B68F9

Strings

5R, xrefs: 004B67F6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5R
API String ID: 1433390588-3278202610
Opcode ID: 976d5d0b8725330a46d4388e5c82f8a701f4588da434957d6aa6758a79967bb5
Instruction ID: 3669d706317a6b39538b69ea9621a0461f7712e95956fea19f6037252cb75fe6
Opcode Fuzzy Hash: 976d5d0b8725330a46d4388e5c82f8a701f4588da434957d6aa6758a79967bb5
Instruction Fuzzy Hash: A231937190121AABDB11AFA1DD45AFF7BA9FF08341F014826F901D2250E738DA21DBB8

Function 004B25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004E36F4,00000010,?,Bad directive syntax error,0050DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004B25D6
LoadStringW.USER32(00000000,?,004E36F4,00000010), ref: 004B25DD
_wprintf.LIBCMT ref: 004B2610
__swprintf.LIBCMT ref: 004B2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004B26A1

Strings

Line %d (File "%s"):, xrefs: 004B2647
Error: , xrefs: 004B266F
%s (%d) : ==> %s.: %s %s, xrefs: 004B260B
Line %d:, xrefs: 004B262C
., xrefs: 004B2687

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 04bf88c090eda57ceca55a614adef43a09c3e5c228c0efab908805f8fcf63d03
Instruction ID: e1ce2a45e1eb5eb8b1b27fae5eae81a18e99242f221ec6d9e4f71a31d1353a2c
Opcode Fuzzy Hash: 04bf88c090eda57ceca55a614adef43a09c3e5c228c0efab908805f8fcf63d03
Instruction Fuzzy Hash: B921513180021ABFCF11AB91DC46EEE7B35FF19308F00446AF505660A2DB79A625DB65

Function 004B7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004B7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004B7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004B7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004B7B8C

Strings

alias PlayMe, xrefs: 004B7B1B
play PlayMe wait, xrefs: 004B7B76
open , xrefs: 004B7AF1
close PlayMe, xrefs: 004B7B53, 004B7B80
play PlayMe, xrefs: 004B7B87
status PlayMe mode, xrefs: 004B7B3D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 77dc3b0a942238bca30c65ae32b2700385a5992e69084e923eed2ddec8bbd8d5
Instruction ID: 045a6870d99a8fac17f670f7e3111817e9ce934044b07286816ab6e3bf9d5758
Opcode Fuzzy Hash: 77dc3b0a942238bca30c65ae32b2700385a5992e69084e923eed2ddec8bbd8d5
Instruction Fuzzy Hash: 5B11C8A0A5026979DB24B362DC8ADFF7F7CEFD2B14F04042E7415A60D1DE681B45C9B4

Function 004B778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004B7794

Part of subcall function 0048DC38: timeGetTime.WINMM(?,75C0B400,004E58AB), ref: 0048DC3C

Sleep.KERNEL32(0000000A), ref: 004B77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004B77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 004B7806
SetActiveWindow.USER32 ref: 004B7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004B7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 004B7852
Sleep.KERNEL32(000000FA), ref: 004B785D
IsWindow.USER32 ref: 004B7869
EndDialog.USER32(00000000), ref: 004B787A

Strings

BUTTON, xrefs: 004B77F8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 95006cd7fcd01b5b5d592fafd3d6d1f4c8d54b249b585085b925947ff613d643
Instruction ID: 3744457b3fdb98824aebd2104aa58c098193920834b2dda9cba89784ee7e9671
Opcode Fuzzy Hash: 95006cd7fcd01b5b5d592fafd3d6d1f4c8d54b249b585085b925947ff613d643
Instruction Fuzzy Hash: 822142B4604205AFE7016B20EC89BB63F6AFB94748B104466F50682371CF7D5D19EB3D

Function 004C02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

CoInitialize.OLE32(00000000), ref: 004C034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004C03DE
SHGetDesktopFolder.SHELL32(?), ref: 004C03F2
CoCreateInstance.OLE32(004FDA8C,00000000,00000001,00523CF8,?), ref: 004C043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004C04AD
CoTaskMemFree.OLE32(?,?), ref: 004C0505
_memset.LIBCMT ref: 004C0542
SHBrowseForFolderW.SHELL32(?), ref: 004C057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004C05A1
CoTaskMemFree.OLE32(00000000), ref: 004C05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004C05DF
CoUninitialize.OLE32(00000001,00000000), ref: 004C05E1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b9f234d4afabba37a3f4dffe8a8fac6f67b4a40a1f9e3271d4f983531c8a4761
Instruction ID: 323e176503a0360e6b38b7d579b1a7f5a7d041275537713eeb78210fd39ce3d2
Opcode Fuzzy Hash: b9f234d4afabba37a3f4dffe8a8fac6f67b4a40a1f9e3271d4f983531c8a4761
Instruction Fuzzy Hash: 82B1CB75A00109EFDB54DFA5C888EAEBBB9FF48304B1484AAE909EB251D734ED41CF54

Function 004B2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004B2ED6
SetKeyboardState.USER32(?), ref: 004B2F41
GetAsyncKeyState.USER32(000000A0), ref: 004B2F61
GetKeyState.USER32(000000A0), ref: 004B2F78
GetAsyncKeyState.USER32(000000A1), ref: 004B2FA7
GetKeyState.USER32(000000A1), ref: 004B2FB8
GetAsyncKeyState.USER32(00000011), ref: 004B2FE4
GetKeyState.USER32(00000011), ref: 004B2FF2
GetAsyncKeyState.USER32(00000012), ref: 004B301B
GetKeyState.USER32(00000012), ref: 004B3029
GetAsyncKeyState.USER32(0000005B), ref: 004B3052
GetKeyState.USER32(0000005B), ref: 004B3060

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2bb1b52ba2f14125c09dd232d4d402b5e7fad2559563941e974ed148f7702e62
Instruction ID: ab4c44cf338e59b664318891cfcb39d644f66f5774cbabe85fee8a45b1cadafb
Opcode Fuzzy Hash: 2bb1b52ba2f14125c09dd232d4d402b5e7fad2559563941e974ed148f7702e62
Instruction Fuzzy Hash: 1B51E720A0878429FB35EBA589507EBBFF45F11344F08459FD5C25A2C2DA9C9B8CC77A

Function 004AED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004AED1E
GetWindowRect.USER32(00000000,?), ref: 004AED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 004AED8E
GetDlgItem.USER32(?,00000002), ref: 004AED99
GetWindowRect.USER32(00000000,?), ref: 004AEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 004AEE01
GetDlgItem.USER32(?,000003E9), ref: 004AEE0F
GetWindowRect.USER32(00000000,?), ref: 004AEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 004AEE63
GetDlgItem.USER32(?,000003EA), ref: 004AEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004AEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 004AEE9B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6bb64293039bf70f74ee7e512148aa1f40570270281e32b131170c7eac74dba9
Instruction ID: d7b63ea7c4fd7bf894d7fdcaf70b72b1a40377300da46483fc663352bad395de
Opcode Fuzzy Hash: 6bb64293039bf70f74ee7e512148aa1f40570270281e32b131170c7eac74dba9
Instruction Fuzzy Hash: C9510EB1B00205AFDB18CF69DD89AAEBBBAFB99701F148139F519D7290D7749D00CB14

Function 0048B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0048B759,?,00000000,?,?,?,?,0048B72B,00000000,?), ref: 0048BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0048B72B), ref: 0048B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 0048B88D
DestroyAcceleratorTable.USER32(00000000), ref: 004ED8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 004ED8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 004ED8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 004ED90A
DeleteObject.GDI32(00000000), ref: 004ED91C

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 268fa37ab0fe41d8d8953c91bf2fd485a706e7ad198cbac54677a933c68e770c
Instruction ID: 6225feb164f02ed5758b3c1577845bbf360c0928211591d591c30b7d806a8e2b
Opcode Fuzzy Hash: 268fa37ab0fe41d8d8953c91bf2fd485a706e7ad198cbac54677a933c68e770c
Instruction Fuzzy Hash: D2618E30901B40DFDB26AF65DC89B2A77F5FB54316F14092EE04286B60CB38A895DB8D

Function 0048B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0048B526: GetWindowLongW.USER32(?,000000EB), ref: 0048B537

GetSysColor.USER32(0000000F), ref: 0048B438

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c648b7b4a093f81368650867b2efb7c852786b6c38bb4efd99fced69c100b01d
Instruction ID: b09a1d8e3d5ce2f12153bcb1cd04b86a3cb49a8164f789479431150d25a1bd4d
Opcode Fuzzy Hash: c648b7b4a093f81368650867b2efb7c852786b6c38bb4efd99fced69c100b01d
Instruction Fuzzy Hash: 5341B730400540AFDB216F28DC4ABBE3B66EB06B31F144666FDA58E2E6D7348C52D769

Function 004B690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 004B6923
_wcscpy.LIBCMT ref: 004B6934
__wsplitpath.LIBCMT ref: 004B6958
__wsplitpath.LIBCMT ref: 004B6979
_wcscpy.LIBCMT ref: 004B699B
_wcscpy.LIBCMT ref: 004B69B9
_wcscpy.LIBCMT ref: 004B69C7
_wcscat.LIBCMT ref: 004B69D6
_wcscat.LIBCMT ref: 004B6A2B
_wcscat.LIBCMT ref: 004B6A61
_wcscat.LIBCMT ref: 004B6A73

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 72a6806e065a55134bf29cdb4ea7525ac7cee1eabd548a54cd0aa5e1f94b7c7d
Instruction ID: 0bd62e9489edd4cc7f56898387120bbc69719b2cc7fec71fe57248e5add34e9a
Opcode Fuzzy Hash: 72a6806e065a55134bf29cdb4ea7525ac7cee1eabd548a54cd0aa5e1f94b7c7d
Instruction Fuzzy Hash: DA41817688511CAECF61DB95CC41CCF77BCEF44310F0041A7B649A2051EA38ABE48F68

Function 004BD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0050DC00,0050DC00,0050DC00), ref: 004BD7CE
GetDriveTypeW.KERNEL32(?,00523A70,00000061), ref: 004BD898
_wcscpy.LIBCMT ref: 004BD8C2

Strings

removable, xrefs: 004BD800
ramdisk, xrefs: 004BD842
cdrom, xrefs: 004BD7EA
network, xrefs: 004BD82C
unknown, xrefs: 004BD859
all, xrefs: 004BD7D4
fixed, xrefs: 004BD816

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: d48646ba8cb40db6bfeafa9607aacade0f856c5f332afe843f4d22967aeae0d6
Instruction ID: b99668da54f8937fe7ecc74a044b78b5fdaf0b1cffce4613f733682aaea79ce6
Opcode Fuzzy Hash: d48646ba8cb40db6bfeafa9607aacade0f856c5f332afe843f4d22967aeae0d6
Instruction Fuzzy Hash: 745182319042009FC700FF15D881AAFB7A5FF85318F10886EF4A957292EB39DD05CB5A

Function 0047936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004793AB
__itow.LIBCMT ref: 004793DF

Part of subcall function 00491557: _xtow@16.LIBCMT ref: 00491578

Strings

%.15g, xrefs: 004793A5
True, xrefs: 004E4C8C
False, xrefs: 004E4C93
0x%p, xrefs: 004E4CAD

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: ad8f3a0d6dac98c2e65bdd610d8744f5c1964b94abf229c85ebf0a62125518ff
Instruction ID: 97ff93e2461f9b33db3fa4c5d398df94892a64cecb1e3f5c4cd418f608a1cd5c
Opcode Fuzzy Hash: ad8f3a0d6dac98c2e65bdd610d8744f5c1964b94abf229c85ebf0a62125518ff
Instruction Fuzzy Hash: EA41F531500205AFEB24AB75D942EAA77E4EF88314F20846FE54DC72D1EA39AD42CB19

Function 004DA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004DA259
CreateCompatibleDC.GDI32(00000000), ref: 004DA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004DA273
SelectObject.GDI32(00000000,00000000), ref: 004DA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 004DA286
DeleteDC.GDI32(00000000), ref: 004DA28F
GetWindowLongW.USER32(?,000000EC), ref: 004DA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004DA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004DA2B9

Strings

static, xrefs: 004DA1F1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7700213f0130ae2915d89d3914ffdc04b8709e793bc58da99c76ad6a5a847125
Instruction ID: cf36318178eacfb12f98245d5c009f11a17c06b6c9f00da90cf5fd1e56fd6e68
Opcode Fuzzy Hash: 7700213f0130ae2915d89d3914ffdc04b8709e793bc58da99c76ad6a5a847125
Instruction Fuzzy Hash: 75319E31500114AFDF115FA5DC49FEB3B69FF0E364F100226FA19A62A0C739D821DBA9

Function 004B6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004B6F1D
gethostname.WSOCK32(?,00000100), ref: 004B6F37
gethostbyname.WSOCK32(?), ref: 004B6F44
_wcscpy.LIBCMT ref: 004B6F6C
inet_ntoa.WSOCK32(?), ref: 004B6F8A
_strcat.LIBCMT ref: 004B6F98
_wcscpy.LIBCMT ref: 004B6FAF
WSACleanup.WSOCK32 ref: 004B6FBD
_wcscpy.LIBCMT ref: 004B6FCB

Strings

0.0.0.0, xrefs: 004B6F66

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 3a19e48a3387ce45a37619839fae5fad1812c298b5e94874cb07589c3934f8aa
Instruction ID: d24e4d98f8b74fb1bab8176533d7159b693d1d511cc5dcdb912d6a62994433d2
Opcode Fuzzy Hash: 3a19e48a3387ce45a37619839fae5fad1812c298b5e94874cb07589c3934f8aa
Instruction Fuzzy Hash: 1D11D571904114AFDB147B65AC0AEFE7BACEF40714F05017AF10596181EE7C9A85DB68

Function 0049500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00495047

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

__gmtime64_s.LIBCMT ref: 004950E0
__gmtime64_s.LIBCMT ref: 00495116
__gmtime64_s.LIBCMT ref: 00495133
__allrem.LIBCMT ref: 00495189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004951A5
__allrem.LIBCMT ref: 004951BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004951DA
__allrem.LIBCMT ref: 004951F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0049520F
__invoke_watson.LIBCMT ref: 00495280

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: ad09b0678c3b99b7d685f3f75a9ef16fb6c7706fa8d38d0e1280ef3accc85d2a
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 68710472A00B16ABDF159F69CC42B5B7BA8AF11768F24423BE410D6281E778D9408BD8

Function 004B4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B4DF8
GetMenuItemInfoW.USER32(00531708,000000FF,00000000,00000030), ref: 004B4E59
SetMenuItemInfoW.USER32(00531708,00000004,00000000,00000030), ref: 004B4E8F
Sleep.KERNEL32(000001F4), ref: 004B4EA1
GetMenuItemCount.USER32(?), ref: 004B4EE5
GetMenuItemID.USER32(?,00000000), ref: 004B4F01
GetMenuItemID.USER32(?,-00000001), ref: 004B4F2B
GetMenuItemID.USER32(?,?), ref: 004B4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004B4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B4FEB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: cc9592df97da5de02e6c0782dd047bc1923227cba74367fe5514fbd73fd26ef8
Instruction ID: 997a9e466f8722d1eda264f979d6beb9b63b2043dda08b6ecb53fd6eb9b77978
Opcode Fuzzy Hash: cc9592df97da5de02e6c0782dd047bc1923227cba74367fe5514fbd73fd26ef8
Instruction Fuzzy Hash: 58618E71900249AFDB21CFA4D888AFF7BB9EB85308F14015AF441A7252D738ED15DB39

Function 004D9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004D9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004D9C9B
GetWindowLongW.USER32(?,000000F0), ref: 004D9CBF
_memset.LIBCMT ref: 004D9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004D9D5A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: d36fc15d0324125b7e2869307d8fda0a42c09f591d71b57fd7637b2792e1a9bb
Instruction ID: f1122a21fd5ecadca1f92adf0960128fb406df86c9e9bebb8a61e684b6616c93
Opcode Fuzzy Hash: d36fc15d0324125b7e2869307d8fda0a42c09f591d71b57fd7637b2792e1a9bb
Instruction Fuzzy Hash: B3617A75A00208AFDB10DFA8CC91EEE77B8EB09704F14415AFA05EB3A1D774AD46DB58

Function 004A94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004A94FE
SafeArrayAllocData.OLEAUT32(?), ref: 004A9549
VariantInit.OLEAUT32(?), ref: 004A955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 004A957B
VariantCopy.OLEAUT32(?,?), ref: 004A95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 004A95D2
VariantClear.OLEAUT32(?), ref: 004A95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 004A95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004A95FD
VariantClear.OLEAUT32(?), ref: 004A960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004A961A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: aa00e6f021ecdb5f10a2d0963dfdb81d130f3a49db237e7205eee4d6e15ef207
Instruction ID: 61180e639df3ecf250c9b39a258c390a863b2ff6e7c6ed4f5878037ca2bb6670
Opcode Fuzzy Hash: aa00e6f021ecdb5f10a2d0963dfdb81d130f3a49db237e7205eee4d6e15ef207
Instruction Fuzzy Hash: FC416031D00219AFCB01EFA4DC849EEBBB9FF19354F00846AF501A7251DB34EA55CBA9

Function 004CBB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004CBB5C
VariantInit.OLEAUT32(?), ref: 004CBC2D
VariantInit.OLEAUT32(?), ref: 004CBD2E
VariantClear.OLEAUT32(?), ref: 004CBD38
VariantClear.OLEAUT32(?), ref: 004CBD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 004CBD11
h?R, xrefs: 004CBB2D
|?R, xrefs: 004CBB34
Null Object assignment in FOR..IN loop, xrefs: 004CBBBD, 004CBCEB, 004CBDA7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?R$|?R
API String ID: 2862541840-2264138851
Opcode ID: a53d87315c3ab6ff426b304170859e24f85837dfe32c9ff21d3eba5a354fadf0
Instruction ID: 5b11abe58c54d6779694adc5ddf13d2fdfca7332111b551396742c5e2758da6f
Opcode Fuzzy Hash: a53d87315c3ab6ff426b304170859e24f85837dfe32c9ff21d3eba5a354fadf0
Instruction Fuzzy Hash: 0591BE75A00219ABDF60CF95D845FAFBBB8EF85310F10812EF516AB280D7789941CBE4

Function 004CADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

CoInitialize.OLE32 ref: 004CADF6
CoUninitialize.OLE32 ref: 004CAE01
CoCreateInstance.OLE32(?,00000000,00000017,004FD8FC,?), ref: 004CAE61
IIDFromString.OLE32(?,?), ref: 004CAED4
VariantInit.OLEAUT32(?), ref: 004CAF6E
VariantClear.OLEAUT32(?), ref: 004CAFCF

Strings

Failed to create object, xrefs: 004CAE6C, 004CAF22
Invalid parameter, xrefs: 004CAEED
NULL Pointer assignment, xrefs: 004CAEA6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: c651f56bdc15ebc8e93dd245c55980f0f8d979b8294b383da98a5b84f3eb97e8
Instruction ID: 27db50d015de79f202dd7f9a3210beea4a9c75ae11c9406aac9c24642a20b3ac
Opcode Fuzzy Hash: c651f56bdc15ebc8e93dd245c55980f0f8d979b8294b383da98a5b84f3eb97e8
Instruction Fuzzy Hash: F2619874608215AFC710EF64C848F6BBBE8AF49718F00441EF9859B291C778ED58CB9B

Function 004C8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004C8168
inet_addr.WSOCK32(?,?,?), ref: 004C81AD
gethostbyname.WSOCK32(?), ref: 004C81B9
IcmpCreateFile.IPHLPAPI ref: 004C81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004C8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004C824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004C82C2
WSACleanup.WSOCK32 ref: 004C82C8

Strings

Ping, xrefs: 004C81EB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 099e08b9e1c7e677554c66982a675ba043e504be4115385813885069df79c1b9
Instruction ID: d9286cc64250aaa602c9c6b65e300c61eafe307908b3b3d434d94dc07e53a0bd
Opcode Fuzzy Hash: 099e08b9e1c7e677554c66982a675ba043e504be4115385813885069df79c1b9
Instruction Fuzzy Hash: D851A1356046009FD760EF25CC89F6AB7E5EF48314F04886EF959DB2A1DB78E901CB4A

Function 004BE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004BE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004BE40C
GetLastError.KERNEL32 ref: 004BE416
SetErrorMode.KERNEL32(00000000,READY), ref: 004BE483

Strings

NOTREADY, xrefs: 004BE442
INVALID, xrefs: 004BE455
READONLY, xrefs: 004BE44E
READY, xrefs: 004BE45C
UNKNOWN, xrefs: 004BE43B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5596304401d93cf412b2ac8caed03f282f8aaa79ab0176f438f6f715e7e04eed
Instruction ID: 6c45c27b48bdc6f961fc2642aa08058fae50b24e27faa902c794d9d8491691b7
Opcode Fuzzy Hash: 5596304401d93cf412b2ac8caed03f282f8aaa79ab0176f438f6f715e7e04eed
Instruction Fuzzy Hash: 6531C835A002059FDB00DF59D985AFEBBB4FF85304F14806BE505E7291DB789D02CB65

Function 004AB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004AB98C
GetDlgCtrlID.USER32 ref: 004AB997
GetParent.USER32 ref: 004AB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 004AB9B6
GetDlgCtrlID.USER32(?), ref: 004AB9BF
GetParent.USER32(?), ref: 004AB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 004AB9DE

Strings

ComboBox, xrefs: 004AB911
ListBox, xrefs: 004AB949

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 3b50da34b83de08411deca963df9ed9e27c7aac7dd7a8b0e31ae632d0beaacca
Instruction ID: 15aec7effe6380486227e9f793a5f6ac01510301cd6519721891a2c9aa2c357f
Opcode Fuzzy Hash: 3b50da34b83de08411deca963df9ed9e27c7aac7dd7a8b0e31ae632d0beaacca
Instruction Fuzzy Hash: 0221C4B4900104BFDB04ABA1DC85EFEBB79EF5A300F10411AF551972D2DB785825DB68

Function 004AB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004ABA73
GetDlgCtrlID.USER32 ref: 004ABA7E
GetParent.USER32 ref: 004ABA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004ABA9D
GetDlgCtrlID.USER32(?), ref: 004ABAA6
GetParent.USER32(?), ref: 004ABAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 004ABAC5

Strings

ComboBox, xrefs: 004AB9FA
ListBox, xrefs: 004ABA32

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 68d17388a97cd475d14e9f3a6311acaa3fb31cbe2585f5aacc3097647faee5a6
Instruction ID: a28b5fe0c65168efe04f7ec22aec5a69b1187fc7963b7a54349f913e3a4e521e
Opcode Fuzzy Hash: 68d17388a97cd475d14e9f3a6311acaa3fb31cbe2585f5aacc3097647faee5a6
Instruction Fuzzy Hash: 7121C574D00104BFDB01ABA4CC85EFEBB75EF56304F10401AF551D7292DBB95925DB68

Function 004ABAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004ABAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 004ABAF8
_wcscmp.LIBCMT ref: 004ABB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004ABB85

Strings

largeicons, xrefs: 004ABB19
smallicons, xrefs: 004ABB4D
SHELLDLL_DefView, xrefs: 004ABB04
list, xrefs: 004ABB67
details, xrefs: 004ABB33

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 0f69029bdcb04a56feb317c63541dea2dccc33ae44591245f1c7fce41f4ebec4
Instruction ID: 0e0123283138cd35e79cce62306d1c15132222b9bdc36314abc216c195df8707
Opcode Fuzzy Hash: 0f69029bdcb04a56feb317c63541dea2dccc33ae44591245f1c7fce41f4ebec4
Instruction Fuzzy Hash: 9211C876608302F9FA106621AC06DA63B59DF22324F100027F904E58DAFBA96951456C

Function 004CB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004CB2D5
CoInitialize.OLE32(00000000), ref: 004CB302
CoUninitialize.OLE32 ref: 004CB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 004CB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 004CB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 004CB56D
CoGetObject.OLE32(?,00000000,004FD91C,?), ref: 004CB590
SetErrorMode.KERNEL32(00000000), ref: 004CB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004CB623
VariantClear.OLEAUT32(004FD91C), ref: 004CB633

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 204e90fe3f352d6f0d253bfb1d1ef7f474ec1b9b5165598d358dc22f4a1f8937
Instruction ID: 750d58700cfc1d4a543d5d41a0a792d2065a5c9a405dacf5e6b350d3c36882e5
Opcode Fuzzy Hash: 204e90fe3f352d6f0d253bfb1d1ef7f474ec1b9b5165598d358dc22f4a1f8937
Instruction Fuzzy Hash: 9DC12375608300AFC740DF65C885A6BB7E9FF88308F00495EF98A9B251DB74ED05CB96

Function 004B4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004B4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B405B
GetWindowThreadProcessId.USER32(00000000), ref: 004B4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004B30A5,?,00000001), ref: 004B4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 004B4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004B30A5,?,00000001), ref: 004B409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004B30A5,?,00000001), ref: 004B40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B4113

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 56788841447045125e984d82b31114eceabdaf3ac5c121d7087d4c7e048e9f3a
Instruction ID: 3eb72eec730ec369cebb942fda9a38b8cd0e45caae53ef15692886d11f868da0
Opcode Fuzzy Hash: 56788841447045125e984d82b31114eceabdaf3ac5c121d7087d4c7e048e9f3a
Instruction Fuzzy Hash: DE318171900208ABEB10DB58DC49BBA77AAEFA4311F108016F904D7391CBB89D94CB78

Function 004EDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0048B496
SetTextColor.GDI32(?,000000FF), ref: 0048B4A0
SetBkMode.GDI32(?,00000001), ref: 0048B4B5
GetStockObject.GDI32(00000005), ref: 0048B4BD
GetClientRect.USER32(?), ref: 004EDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 004EDD7A
GetWindowDC.USER32(?), ref: 004EDD86
GetPixel.GDI32(00000000,?,?), ref: 004EDD95
ReleaseDC.USER32(?,00000000), ref: 004EDDA7
GetSysColor.USER32(00000005), ref: 004EDDC5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: ac56207c3e686ef11a2325903b3d87e2986305a8cdf432541a8dda3962b04945
Instruction ID: d1ead2bff98ede219cb395d07fad254a82b730d98656453b7a62fa73d34efa68
Opcode Fuzzy Hash: ac56207c3e686ef11a2325903b3d87e2986305a8cdf432541a8dda3962b04945
Instruction Fuzzy Hash: 30117F31900205BFDB116F64EC09BBE3B66EB05721F104632FA66951E2CB310961EB29

Function 00473093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004730DC
CoUninitialize.OLE32(?,00000000), ref: 00473181
UnregisterHotKey.USER32(?), ref: 004732A9
DestroyWindow.USER32(?), ref: 004E5079
FreeLibrary.KERNEL32(?), ref: 004E50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004E5125

Strings

close all, xrefs: 004730D7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 76b7fb3fcefa3fc26b6ee5c0fb0a84ef1ceeb88830b04fe4052fbcaa2eafadf8
Instruction ID: 28408262a5c7e7eb8012df088e55663596791854cef6b657a9d6e5ccda06fcfd
Opcode Fuzzy Hash: 76b7fb3fcefa3fc26b6ee5c0fb0a84ef1ceeb88830b04fe4052fbcaa2eafadf8
Instruction Fuzzy Hash: 8C914F306001428FC719EF15C995AA9F3B4FF0530AF5481AEF50A67262DF38AE56DF58

Function 0048CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0048CC15

Part of subcall function 0048CCCD: GetClientRect.USER32(?,?), ref: 0048CCF6
Part of subcall function 0048CCCD: GetWindowRect.USER32(?,?), ref: 0048CD37
Part of subcall function 0048CCCD: ScreenToClient.USER32(?,?), ref: 0048CD5F

GetDC.USER32 ref: 004ED137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004ED14A
SelectObject.GDI32(00000000,00000000), ref: 004ED158
SelectObject.GDI32(00000000,00000000), ref: 004ED16D
ReleaseDC.USER32(?,00000000), ref: 004ED175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004ED200

Strings

U, xrefs: 004ED0D5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2f71928379b9a09ba6500750e14ea478311f805389bd9b32a45b9afb49c28a09
Instruction ID: 9edcd9920543e034943485df8e240e9c3210293233f9fae5483d7ac0fc937cf1
Opcode Fuzzy Hash: 2f71928379b9a09ba6500750e14ea478311f805389bd9b32a45b9afb49c28a09
Instruction Fuzzy Hash: 89711130800244DFCF21AF65C881ABE7BB1FF48316F18466BED555A3A6C7398842DF69

Function 004C45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004C45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004C462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 004C466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004C4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004C46BF
InternetCloseHandle.WININET(00000000), ref: 004C4706

Part of subcall function 004C5052: GetLastError.KERNEL32(?,?,004C43CC,00000000,00000000,00000001), ref: 004C5067

Strings

, xrefs: 004C46B8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 19dd582c07fa51463179bb92aedf5d6689681a08ddc6118744f51145a1d4b731
Instruction ID: 25d40b352a6cebc979019575e62d3e3a070f5c80c199d3c30a5172ff1b5eb693
Opcode Fuzzy Hash: 19dd582c07fa51463179bb92aedf5d6689681a08ddc6118744f51145a1d4b731
Instruction Fuzzy Hash: 7F418EB5A01205BFEB019F50CD95FBB77ACEF49314F00402AFA019A245D7B899448BA8

Function 004CB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0050DC00), ref: 004CB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0050DC00), ref: 004CB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004CB8C1
SysFreeString.OLEAUT32(?), ref: 004CB8EB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: d5c9e297ea2fe62adf7adf895627cc3adbf8103cc5f9bf13dda04a7f1709b22b
Instruction ID: 03855488237563454892b09398c291a1cf44c42b49d7d44d5759cc6a435cf0a7
Opcode Fuzzy Hash: d5c9e297ea2fe62adf7adf895627cc3adbf8103cc5f9bf13dda04a7f1709b22b
Instruction Fuzzy Hash: 8AF13975A00209AFCF44DF94C885EAEB7B9FF48315F10845EF945AB250DB35AE42CBA4

Function 004D24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004D2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004D26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004D26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004D270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004D286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004D28A1
CloseHandle.KERNEL32(?), ref: 004D28D0
CloseHandle.KERNEL32(?), ref: 004D2947

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: e77599fceb11fb11226ea729ed6b599ace845ac9d4eefd431091c0cee0f6fd5a
Instruction ID: 125f38564b6b7304c4e0f1f62922e8f0a4d3892317d5534e0e4bc23d85cbd48d
Opcode Fuzzy Hash: e77599fceb11fb11226ea729ed6b599ace845ac9d4eefd431091c0cee0f6fd5a
Instruction Fuzzy Hash: F7D1C131604200DFCB14EF25C5A1A6EBBE1AF94314F14896FF8895B3A2DB79DC01CB5A

Function 004DB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004DB3F4

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f28b402698c744363654dc833df0c735ee492bd0d8b5abdc3bbe36d0f3403d3c
Instruction ID: 92819deb1aaf07b698e48556bd630ca830298dae7b8a6139d5bdf6b3a10c573b
Opcode Fuzzy Hash: f28b402698c744363654dc833df0c735ee492bd0d8b5abdc3bbe36d0f3403d3c
Instruction Fuzzy Hash: 7B51A330500204FBEF209F298CA9BAE3BA5EB05318F654117FA15D63E1CB79E950DBD9

Function 0048A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 004EDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004EDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004EDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 004EDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004EDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0048A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 004EDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004EDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0048A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 004EDBC8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a68a6e9ce74516c1d32d4c80605fff5873eda68241669d6865366aae8c19a21e
Instruction ID: c4e4e391e5275b675f64de60d6e23d2b8c53a9748007ef70e98754618ba9bca4
Opcode Fuzzy Hash: a68a6e9ce74516c1d32d4c80605fff5873eda68241669d6865366aae8c19a21e
Instruction Fuzzy Hash: 38517F30A00209EFEB20DF69CC81FAE37B5EB58354F10052AF94697290E7B8ED50DB59

Function 004B7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004B5FA6,?), ref: 004B6ED8

Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004B5FA6,?), ref: 004B6EF1

Part of subcall function 004B72CB: GetFileAttributesW.KERNEL32(?,004B6019), ref: 004B72CC

lstrcmpiW.KERNEL32(?,?), ref: 004B75CA
_wcscmp.LIBCMT ref: 004B75E2
MoveFileW.KERNEL32(?,?), ref: 004B75FB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 067ec70edcd8ac17be9dd484f81cdeab0fe5dfdda7dcfe2bb9e133a60797f6f3
Instruction ID: f5b7b35d1fde042b9053e49b81c5deee5ea0f352facd9a16a6b6f41840dcd27e
Opcode Fuzzy Hash: 067ec70edcd8ac17be9dd484f81cdeab0fe5dfdda7dcfe2bb9e133a60797f6f3
Instruction Fuzzy Hash: 495151B2A092195EDF54EB95D8819DE73BC9F48324F0040AFF605E3541EA78D6C5CB78

Function 0048EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 0048EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 0048EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 004EDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 004EDCF2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 76238f95f331044d3fd909e92916dd6bd97e0e8f3ed8f208dfa8a3edc8b82a7c
Instruction ID: 398021f4d24475ecbb988f034d674a270e1f08850726c10a5919e28a250cabbf
Opcode Fuzzy Hash: 76238f95f331044d3fd909e92916dd6bd97e0e8f3ed8f208dfa8a3edc8b82a7c
Instruction Fuzzy Hash: 9E41E970A046809AD739F72B8D8DA3F7AD6AB51305F290C1FE04786761C67CB841D71E

Function 004AB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,004AAEF1,00000B00,?,?), ref: 004AB26C
HeapAlloc.KERNEL32(00000000,?,004AAEF1,00000B00,?,?), ref: 004AB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004AAEF1,00000B00,?,?), ref: 004AB288
GetCurrentProcess.KERNEL32(?,00000000,?,004AAEF1,00000B00,?,?), ref: 004AB290
DuplicateHandle.KERNEL32(00000000,?,004AAEF1,00000B00,?,?), ref: 004AB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,004AAEF1,00000B00,?,?), ref: 004AB2A3
GetCurrentProcess.KERNEL32(004AAEF1,00000000,?,004AAEF1,00000B00,?,?), ref: 004AB2AB
DuplicateHandle.KERNEL32(00000000,?,004AAEF1,00000B00,?,?), ref: 004AB2AE
CreateThread.KERNEL32(00000000,00000000,004AB2D4,00000000,00000000,00000000), ref: 004AB2C8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 72844e1a769d50fe0fd44fee16e1e98cc36e4c2db5b14b1a77e96133dcac3bb2
Instruction ID: 854bd71fe61277dc9a6b390c8c87dddb960aa8051868dbfc31ee4672ed744db3
Opcode Fuzzy Hash: 72844e1a769d50fe0fd44fee16e1e98cc36e4c2db5b14b1a77e96133dcac3bb2
Instruction Fuzzy Hash: A601F6B2640308BFE710ABA5DD4DF6B3BADEB89700F018421FA04CB1A1CA749C10CB65

Function 004CC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 004CC49E
NULL Pointer assignment, xrefs: 004CC876, 004CC887

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6000c9ce450d624e34cfda5ec17cf2e039b2b2e938748e915b50bd99070e6430
Instruction ID: e9f1c15c49f26b0e9a5cb7ac70b8fd597ab53d383048f8bfe54f9f43173b3909
Opcode Fuzzy Hash: 6000c9ce450d624e34cfda5ec17cf2e039b2b2e938748e915b50bd99070e6430
Instruction Fuzzy Hash: DFE1A475A00219ABDF54DFA4C981FAF77B5EF48354F14802EE909A7380D7789D41CBA8

Function 004C16DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

Part of subcall function 0048C6F4: _wcscpy.LIBCMT ref: 0048C717

_wcstok.LIBCMT ref: 004C184E
_wcscpy.LIBCMT ref: 004C18DD
_memset.LIBCMT ref: 004C1910

Strings

p2Rl2R, xrefs: 004C1920
X, xrefs: 004C1948

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2Rl2R
API String ID: 774024439-1074552182
Opcode ID: 5390de07f648790f37082b8f7ca679914af87a2da17bb688bdf2f0714b8d1c93
Instruction ID: da780f213becf2f9a32c12ce2fdb5d39fec093552b192690f1056cdc4f22e938
Opcode Fuzzy Hash: 5390de07f648790f37082b8f7ca679914af87a2da17bb688bdf2f0714b8d1c93
Instruction Fuzzy Hash: FFC180745043409FC754EF25C981E9AB7E0FF86354F00896EF889972A2DB74ED05CB9A

Function 004D9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004D9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 004D9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004D9B47
_wcscat.LIBCMT ref: 004D9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 004D9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004D9BE7

Strings

SysListView32, xrefs: 004D9AEB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 448aadb7d88dbe688f5a8f1c8845ee0054aca037bb4edfc5ffe4d0a1a29ae190
Instruction ID: 5db26ea300440ade557902d262d7065f2b653c2b57be454468c445eda2b80f7c
Opcode Fuzzy Hash: 448aadb7d88dbe688f5a8f1c8845ee0054aca037bb4edfc5ffe4d0a1a29ae190
Instruction Fuzzy Hash: 0641C271A00308ABEB219FA4CC85BEE7BA8EF08354F10042BF549E7391C7759D84CB68

Function 004D172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 004B6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004B6554
Part of subcall function 004B6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004B6564
Part of subcall function 004B6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004B65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D179A
GetLastError.KERNEL32 ref: 004D17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 004D1855
GetLastError.KERNEL32(00000000), ref: 004D1860
CloseHandle.KERNEL32(00000000), ref: 004D1895

Strings

SeDebugPrivilege, xrefs: 004D17B8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 75c23bcdbab667dfbea86867fe37c4b3fe1e4cf42f62ec8a86eaf015c6f46f1c
Instruction ID: d89f9c3a428f253fc69fd33b53fd936332ff86db91bc0fca3ab388b18527dabf
Opcode Fuzzy Hash: 75c23bcdbab667dfbea86867fe37c4b3fe1e4cf42f62ec8a86eaf015c6f46f1c
Instruction Fuzzy Hash: A8419D71600200AFDB15EF55C9E5FBEB7A2AF54304F04845EF9069B3D2DBB8A900DB99

Function 004B5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004B58B8

Strings

info, xrefs: 004B5859
stop, xrefs: 004B5889
question, xrefs: 004B5871
warning, xrefs: 004B58A1
blank, xrefs: 004B583A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c1505c90da0ffb1fe15e44b8514811e81300731632049aa4d52d6b9aa7ff671a
Instruction ID: 90531a87c70cc0bdeecd9aca44a4bfa9f46e446a6ada15be0fa5e729682c7cd3
Opcode Fuzzy Hash: c1505c90da0ffb1fe15e44b8514811e81300731632049aa4d52d6b9aa7ff671a
Instruction Fuzzy Hash: 70112B31609742BEEB056A55AC82EEBBB9DAF15314F20003FF500E62C1E7ACAA50427D

Function 004BA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 004BA806

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 24c65685e82006dfccf56fc0832155a48052535cc9d0f6e164cc3cabbcde0088
Instruction ID: 9ef225bcb9298f4c235e3cf017f07a052ab9193a3a1ad61807ddfbdb22b53051
Opcode Fuzzy Hash: 24c65685e82006dfccf56fc0832155a48052535cc9d0f6e164cc3cabbcde0088
Instruction Fuzzy Hash: 65C16B75A0421A9FDB00DF98C481BEEB7F4EF08315F24446AE605E7241D738A956CBAA

Function 004B6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004B6B63
LoadStringW.USER32(00000000), ref: 004B6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004B6B80
LoadStringW.USER32(00000000), ref: 004B6B87
_wprintf.LIBCMT ref: 004B6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004B6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004B6BA8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5853c35e8471feec5a3b8fa18a40eb76566ad6d43d700478eede8ee2b121d752
Instruction ID: 17cf277d17af003f3a403c090c6440fb8e8f35d607aa9bf707f7accc4bfb9db1
Opcode Fuzzy Hash: 5853c35e8471feec5a3b8fa18a40eb76566ad6d43d700478eede8ee2b121d752
Instruction Fuzzy Hash: 3B0136F69002187FEB11A7949D89EFB777CE704304F0045A6B746D2041EA789E94CF79

Function 004D2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D2BF6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: afbcb351aa9405bae8d66495bd96785c3e27c27ad08b85c29c2a4f10b0cbbb6f
Instruction ID: bbfc0ec1d4a5a7715cbe2bd79c0ebfc57732bcca0a2ce24cfccb78cfc4d73727
Opcode Fuzzy Hash: afbcb351aa9405bae8d66495bd96785c3e27c27ad08b85c29c2a4f10b0cbbb6f
Instruction Fuzzy Hash: 2D917B716042009FC710EF15C991AAEB7E6FF98318F04885FF99697391DB78E905CB4A

Function 004C961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 004C9691
WSAGetLastError.WSOCK32(00000000), ref: 004C969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004C96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004C96E9
WSAGetLastError.WSOCK32(00000000), ref: 004C96F8
inet_ntoa.WSOCK32(?), ref: 004C9765
htons.WSOCK32(?,?,?,00000000,?), ref: 004C97AA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: f2519d76ab325024693f152fa2a34372f78ec15602575d04a2600adfb4285c7f
Instruction ID: 9c65d9d65d42d2124dadaa6e9fdd2aca33eee85af8d87c26975040cd3970b99e
Opcode Fuzzy Hash: f2519d76ab325024693f152fa2a34372f78ec15602575d04a2600adfb4285c7f
Instruction Fuzzy Hash: BC71AE31504200ABC314EF65CC85F6BB7E9EF85718F104A2EF5559B2A1DB38ED05CBAA

Function 0049A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0049A991

Part of subcall function 00497D7C: __FF_MSGBANNER.LIBCMT ref: 00497D91
Part of subcall function 00497D7C: __NMSG_WRITE.LIBCMT ref: 00497D98
Part of subcall function 00497D7C: __malloc_crt.LIBCMT ref: 00497DB8

__lock.LIBCMT ref: 0049A9A4
__lock.LIBCMT ref: 0049A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00526DE0,00000018,004A5E7B,?,00000000,00000109), ref: 0049AA0C
EnterCriticalSection.KERNEL32(8000000C,00526DE0,00000018,004A5E7B,?,00000000,00000109), ref: 0049AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0049AA39

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: ddf431707fc5df49ff02aa1a5675269646792fc11c919fe7a17e97fcc951713e
Instruction ID: 217f938145fcc261a37ef06f055ce5e841d12a884892c2164f6fbdd3825fe532
Opcode Fuzzy Hash: ddf431707fc5df49ff02aa1a5675269646792fc11c919fe7a17e97fcc951713e
Instruction Fuzzy Hash: 9E412371A002019BEF10DF69DA44759BFA0AF05328F11823EE425AB2D1DB7C9821CBCA

Function 004D8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004D8EE4
GetDC.USER32(00000000), ref: 004D8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D8EF7
ReleaseDC.USER32(00000000,00000000), ref: 004D8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004D8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004D8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004DBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 004D8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004D8FAA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7d57a2b3fa9c97189f37cf862b1493f597546e02401292b5ef42154c88084a17
Instruction ID: 1c2480021a18e74ab6030edd0e840aa04a307a2907e253ce2acc1ad4b94e1c16
Opcode Fuzzy Hash: 7d57a2b3fa9c97189f37cf862b1493f597546e02401292b5ef42154c88084a17
Instruction Fuzzy Hash: 6F316D72500214BFEB118F50CC49FFB3BAAEF49715F04406AFE09DA291CA799851CB78

Function 004E0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

GetSystemMetrics.USER32(0000000F), ref: 004E016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 004E038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004E03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 004E03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004E03FF
ShowWindow.USER32(00000003,00000000), ref: 004E0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 004E0440

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 4ab762b0d3c034826cc4bdff908a3cee276702bb24d9e9739f1742dd63d8d6f8
Instruction ID: fd4a6e13492830e199562ce0a3c405fdabeb3f6b801b168b313addf08c96f05d
Opcode Fuzzy Hash: 4ab762b0d3c034826cc4bdff908a3cee276702bb24d9e9739f1742dd63d8d6f8
Instruction Fuzzy Hash: 98A1D230600656EFDB18CF69C9857BEBBB1FF04702F048156EC64AB290D7B8AD90CB94

Function 0048AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac20eadd58e4ea3a583044649e3d2fb6b1265581c0704c6398384509a6fb662
Instruction ID: 8fd17f48d32af942a20aed7579dae1fb64c4acbc41a5acd8458e34e9463d4703
Opcode Fuzzy Hash: 2ac20eadd58e4ea3a583044649e3d2fb6b1265581c0704c6398384509a6fb662
Instruction Fuzzy Hash: FA71BE70900109EFDB04DF99CC44ABFBB75FF85314F10854AFA15A6250C7789A52CFA9

Function 004D2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D225A
_memset.LIBCMT ref: 004D2323
ShellExecuteExW.SHELL32(?), ref: 004D2368

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

Part of subcall function 0048C6F4: _wcscpy.LIBCMT ref: 0048C717

CloseHandle.KERNEL32(00000000), ref: 004D242F
FreeLibrary.KERNEL32(00000000), ref: 004D243E

Strings

@, xrefs: 004D2334

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: c1918f360e2194c8d34234c2685989aaca58f1dfacadce7e26750ebe016f54a0
Instruction ID: b0a7e745e27dc34923cf4cbb6884f2eb8e7cd872288688a1b1916b304a8bf50f
Opcode Fuzzy Hash: c1918f360e2194c8d34234c2685989aaca58f1dfacadce7e26750ebe016f54a0
Instruction Fuzzy Hash: E6716C70A006199FCF04EFA5C5919AEBBF5FF48314F10846BE859AB351CB78AD41CB98

Function 004B3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004B3DE7
GetKeyboardState.USER32(?), ref: 004B3DFC
SetKeyboardState.USER32(?), ref: 004B3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 004B3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 004B3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 004B3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004B3F13

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b4541499ec57606891fe76e1aa4ce536783dacda59ccbf3030de584ecbc002d6
Instruction ID: f7174c9b3507517be06fcda885b680891a3fb83f924c394d82350f107c4baf9a
Opcode Fuzzy Hash: b4541499ec57606891fe76e1aa4ce536783dacda59ccbf3030de584ecbc002d6
Instruction Fuzzy Hash: 0E51E1A0A047D139FB364A2A8C05BFB7EA95B06305F08448BE0D5469C3D69CEE98D778

Function 004B3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004B3C02
GetKeyboardState.USER32(?), ref: 004B3C17
SetKeyboardState.USER32(?), ref: 004B3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004B3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004B3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004B3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004B3D26

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 20d136c9154be342d30fcd0fcdec1fa2e9feba26e0fa756496e6939b355c17dc
Instruction ID: 0aaf34f3ad9bb197b051d3a5ed2497e541139ac0989388669898f228c2cd0a7d
Opcode Fuzzy Hash: 20d136c9154be342d30fcd0fcdec1fa2e9feba26e0fa756496e6939b355c17dc
Instruction Fuzzy Hash: 705136A19083D13DFB328B768C45BF7BFA95B06305F08848AE0C5565C3D298EE94D778

Function 004B7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004B7DBE
_wcsncpy.LIBCMT ref: 004B7DF3
_wcsncpy.LIBCMT ref: 004B7E25
_wcsncpy.LIBCMT ref: 004B7E58
_wcsncpy.LIBCMT ref: 004B7E9A
_wcsncpy.LIBCMT ref: 004B7ED4
_wcsncpy.LIBCMT ref: 004B7F03

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 073e5438070af8121c08edbaf0cfb88bfb0eea8dafd5d479c01768def7121aaa
Instruction ID: 90e2db9c10624172e0a2058a0a7dc75e1d41d364d29c86eb3ac03da933d77e5e
Opcode Fuzzy Hash: 073e5438070af8121c08edbaf0cfb88bfb0eea8dafd5d479c01768def7121aaa
Instruction Fuzzy Hash: AA416F66C10214BACF20EBF588469CFBBAD9F45314F50897BE505E3121FA78E614C3AD

Function 004D3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 004D3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004D3DCB
FreeLibrary.KERNEL32(00000000), ref: 004D3E80

Part of subcall function 004D3D72: RegCloseKey.ADVAPI32(?), ref: 004D3DE8
Part of subcall function 004D3D72: FreeLibrary.KERNEL32(?), ref: 004D3E3A
Part of subcall function 004D3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 004D3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 004D3E25

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a5e25093b3bbab4af714883b60fb087d1fec2d1b93373ab40a3e7884aa17ab29
Instruction ID: 3078786b79f25a8d6821c7b516506cef38cc1fc198cc8c5c9e9ef3c54208334e
Opcode Fuzzy Hash: a5e25093b3bbab4af714883b60fb087d1fec2d1b93373ab40a3e7884aa17ab29
Instruction Fuzzy Hash: 833119B1D01109BFDB149F90DC99AFFB7BDEB08305F00016BE512A2290DA749F49DAA9

Function 004D8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004D8FE7
GetWindowLongW.USER32(010DD998,000000F0), ref: 004D901A
GetWindowLongW.USER32(010DD998,000000F0), ref: 004D904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004D9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004D90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 004D90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004D90D6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9b87661aced4a9db53b5c809df4fd87140d924fdcb777aed51032104e4cc75d4
Instruction ID: 94491a98af9a977e701839a6bee041ea4db9f259538b4f53e6c346a260e6cf85
Opcode Fuzzy Hash: 9b87661aced4a9db53b5c809df4fd87140d924fdcb777aed51032104e4cc75d4
Instruction Fuzzy Hash: CE3137346002149FEB228F98EC95F6637A5FB5A314F14016AF519CF3B1CB75AC44DB49

Function 004B08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B0918
SysAllocString.OLEAUT32(00000000), ref: 004B091B
SysAllocString.OLEAUT32(?), ref: 004B0939
SysFreeString.OLEAUT32(?), ref: 004B0942
StringFromGUID2.OLE32(?,?,00000028), ref: 004B0967
SysAllocString.OLEAUT32(?), ref: 004B0975

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e131d7b1607613ca233360879060e0f30a2c8182be77cf2ad607def2262c9d8d
Instruction ID: d5681f63cd2a4a599b60150484e37c362367127f0d64bf42dbea4428c7aeea02
Opcode Fuzzy Hash: e131d7b1607613ca233360879060e0f30a2c8182be77cf2ad607def2262c9d8d
Instruction Fuzzy Hash: 1521B572A01208AFAB10EF68CC88DFF73ACEB08361B008126F915DB251D774ED45CB68

Function 004B2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004B2485
__wcsnicmp.LIBCMT ref: 004B24A6
__wcsnicmp.LIBCMT ref: 004B24C0

Strings

#requireadmin, xrefs: 004B24A0
#OnAutoItStartRegister, xrefs: 004B24BA
#notrayicon, xrefs: 004B247D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ce44a658889e426ff9147fdddc765fbbf439a4eaa406256143e4f87038aa8309
Instruction ID: 5ce1c7a6a48c2e968f983423cc3d971ea42c569d78d46841d7db51c5bbccfeef
Opcode Fuzzy Hash: ce44a658889e426ff9147fdddc765fbbf439a4eaa406256143e4f87038aa8309
Instruction Fuzzy Hash: 582148321001217AC630FA259E02EEB7798EF64308F50442BF446A7182E6AD994283BD

Function 004B0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B09F1
SysAllocString.OLEAUT32(00000000), ref: 004B09F4
SysAllocString.OLEAUT32 ref: 004B0A15
SysFreeString.OLEAUT32 ref: 004B0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 004B0A38
SysAllocString.OLEAUT32(?), ref: 004B0A46

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cf427d46acce82bfeea5bbfbc34604ffe3158f09ed0cfc05e94e394250a935ec
Instruction ID: 06237cafaf685c66671a74c756ac8e26d33378f6527ba3f81b33b2f37cd2ae0e
Opcode Fuzzy Hash: cf427d46acce82bfeea5bbfbc34604ffe3158f09ed0cfc05e94e394250a935ec
Instruction Fuzzy Hash: 84215E75600204AF9B10EFA8DC89DBF77ACEF1C3617008526F909CB2A1E674ED45CB68

Function 004DA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
Part of subcall function 0048D17C: GetStockObject.GDI32(00000011), ref: 0048D1CE
Part of subcall function 0048D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004DA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004DA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004DA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004DA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004DA360

Strings

Msctls_Progress32, xrefs: 004DA2FE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d1a2f515e1091b882926435fbd4f841fde011eac9789b00658304eb8e96d4a33
Instruction ID: 68e3a2928a25e89e7177968680e10ef01520e8a5147febc9c2c7ca914be8fac9
Opcode Fuzzy Hash: d1a2f515e1091b882926435fbd4f841fde011eac9789b00658304eb8e96d4a33
Instruction Fuzzy Hash: 4111E6B1100219BEEF105FA1CC85EEB7F6DFF08798F014116FA04A61A0C7769C21DBA8

Function 0048CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0048CCF6
GetWindowRect.USER32(?,?), ref: 0048CD37
ScreenToClient.USER32(?,?), ref: 0048CD5F
GetClientRect.USER32(?,?), ref: 0048CE8C
GetWindowRect.USER32(?,?), ref: 0048CEA5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: cb4efdc38e4bf738d3cb1d8b869ca226f17ab54e844e5f7c6216463f80016aee
Instruction ID: 6041da601ed8675f7d8993edc2e03acb4f123912201a6788b347806954c4a2f3
Opcode Fuzzy Hash: cb4efdc38e4bf738d3cb1d8b869ca226f17ab54e844e5f7c6216463f80016aee
Instruction Fuzzy Hash: 9EB15A79900249DBDF10DFA9C4807EEBBB1FF08300F14952AEC59EB250DB38A951CB69

Function 004D1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004D1C18
Process32FirstW.KERNEL32(00000000,?), ref: 004D1C26
__wsplitpath.LIBCMT ref: 004D1C54

Part of subcall function 00491DFC: __wsplitpath_helper.LIBCMT ref: 00491E3C

_wcscat.LIBCMT ref: 004D1C69
Process32NextW.KERNEL32(00000000,?), ref: 004D1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 004D1CF1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 9708fab33ae2a893ad86701c0eb1d2cac5c4babf022d0d5fc4e85bc4f88252a8
Instruction ID: 99b04954f240e6859f25edec50b3cba63508f79284c91008c21af9326f864e7e
Opcode Fuzzy Hash: 9708fab33ae2a893ad86701c0eb1d2cac5c4babf022d0d5fc4e85bc4f88252a8
Instruction Fuzzy Hash: E7515E71504300AFD720EF25D885EABB7ECEF88758F00492FF98997251EB74A905CB96

Function 004D2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004D30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004D3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004D313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004D317E
RegCloseKey.ADVAPI32(00000000), ref: 004D318B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 4c0692b8c13c3979e90d8d8d9fbec96125f13e46772f12d6cb34e73d57af1e45
Instruction ID: 7a3dcb9b0f9eb0b23d3922af4462da936cd37b0baf435f04403037231e413e62
Opcode Fuzzy Hash: 4c0692b8c13c3979e90d8d8d9fbec96125f13e46772f12d6cb34e73d57af1e45
Instruction Fuzzy Hash: 93515A31504200AFC704EF65C895EAEBBF9FF89308F04891EF59587291DB75EA05CB5A

Function 004D84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004D8540
GetMenuItemCount.USER32(00000000), ref: 004D8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004D859F
GetMenuItemID.USER32(?,?), ref: 004D860E
GetSubMenu.USER32(?,?), ref: 004D861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 004D866D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: bb6a2f15047d4b63959a05ad587bf4e576ee708db35562a95f991f575f4f88fc
Instruction ID: e065cd0012a3a1be8693ea2198b123623c6053a918502622b5858adb5e169c00
Opcode Fuzzy Hash: bb6a2f15047d4b63959a05ad587bf4e576ee708db35562a95f991f575f4f88fc
Instruction Fuzzy Hash: 52519C31A00115AFCB01EF69C951ABEB7F5EF48314F10446FE905BB351CB78AE418B98

Function 004B4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B4B5B
IsMenu.USER32(00000000), ref: 004B4B7B
CreatePopupMenu.USER32 ref: 004B4BAF
GetMenuItemCount.USER32(000000FF), ref: 004B4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 004B4C3E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 32abc51f147916b080471e6f8e33b55689b60f84fe3237e3b2f4a985e324b0a6
Instruction ID: 2dda9bd1a2116bfc46ce1d90b0ddb85cb5ac1638cadfc96740c69ad0d0e4467e
Opcode Fuzzy Hash: 32abc51f147916b080471e6f8e33b55689b60f84fe3237e3b2f4a985e324b0a6
Instruction Fuzzy Hash: 0C51C070601209EBDF20CF68C888BEEBFF4AF84718F14415AE5159B292D3789945CB7A

Function 004C8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0050DC00), ref: 004C8E7C
WSAGetLastError.WSOCK32(00000000), ref: 004C8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 004C8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 004C8EC5
_strlen.LIBCMT ref: 004C8EF7
WSAGetLastError.WSOCK32(00000000), ref: 004C8F6A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: e78b672a557c1e743b40b6822eee63cf659f101294dc91f81ddbbf3aefc86baa
Instruction ID: e01e942b5a8fe495ee96f84d4b8569cf48d25e507879bc56fc6cb539015d5cbf
Opcode Fuzzy Hash: e78b672a557c1e743b40b6822eee63cf659f101294dc91f81ddbbf3aefc86baa
Instruction Fuzzy Hash: 3541B275900104ABCB54EBA5CD85FEEB7BAAF48314F10456EF51A97291DF38AE00CB68

Function 0048ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

BeginPaint.USER32(?,?,?), ref: 0048AC2A
GetWindowRect.USER32(?,?), ref: 0048AC8E
ScreenToClient.USER32(?,?), ref: 0048ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0048ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0048AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004EE673

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 9ec591f91ca323b8fcb5c44ab80fcfe18e75c478da0a84d846b952254f45babd
Instruction ID: 892e9b4c7ff00dad811759a8a9d03aac778099fc842537f523df75622a3fd8c3
Opcode Fuzzy Hash: 9ec591f91ca323b8fcb5c44ab80fcfe18e75c478da0a84d846b952254f45babd
Instruction Fuzzy Hash: 5B41E3705006009FD710EF65CC85F7B7BE8FB69325F040A2AF9A4872A1C7749855DB6A

Function 004DE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00531628,00000000,00531628,00000000,00000000,00531628,?,004EDC5D,00000000,?,00000000,00000000,00000000,?,004EDAD1,00000004), ref: 004DE40B
EnableWindow.USER32(00000000,00000000), ref: 004DE42F
ShowWindow.USER32(00531628,00000000), ref: 004DE48F
ShowWindow.USER32(00000000,00000004), ref: 004DE4A1
EnableWindow.USER32(00000000,00000001), ref: 004DE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004DE4E8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 49053f94687b9367a077acde2fd64dad7310ae9c0f22a7ccc23257d797476884
Instruction ID: e5b4d0078102b703882cb6d2d38c1523ad95101d3f4fa2d11d6fcf8b8cee3d9d
Opcode Fuzzy Hash: 49053f94687b9367a077acde2fd64dad7310ae9c0f22a7ccc23257d797476884
Instruction Fuzzy Hash: 92416330601140EFDB21DF26C4A9B957BE1BF05304F1881BBEA588F3A2C775E851CB55

Function 004B98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004B98D1

Part of subcall function 0048F4EA: std::exception::exception.LIBCMT ref: 0048F51E
Part of subcall function 0048F4EA: __CxxThrowException@8.LIBCMT ref: 0048F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004B9908
EnterCriticalSection.KERNEL32(?), ref: 004B9924
LeaveCriticalSection.KERNEL32(?), ref: 004B999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004B99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004B99D2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 6efb28634c6df20d3c3a80d6ae09c327e65c608fa497b4ba405b1e48f1938792
Instruction ID: 880d3fde50eeeed4d9c80c6643c33ff70f25009f4e6a8ddccb73ab15677d9162
Opcode Fuzzy Hash: 6efb28634c6df20d3c3a80d6ae09c327e65c608fa497b4ba405b1e48f1938792
Instruction Fuzzy Hash: 4431CF71900105EBDB10AFA5CD85EAFBB78FF45310B1480BAF904AB246D774DE14DBA8

Function 004C9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,004C77F4,?,?,00000000,00000001), ref: 004C9B53

Part of subcall function 004C6544: GetWindowRect.USER32(?,?), ref: 004C6557

GetDesktopWindow.USER32 ref: 004C9B7D
GetWindowRect.USER32(00000000), ref: 004C9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 004C9BB6

Part of subcall function 004B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0

GetCursorPos.USER32(?), ref: 004C9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004C9C44

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 57b0093b9c3aff7579a73db7e4d7014312df7be5f0392d2d392daeec1da80556
Instruction ID: 68f4fb945cb6c99dfa924821a6c0961b4206f90c03587b486e351ccff212170f
Opcode Fuzzy Hash: 57b0093b9c3aff7579a73db7e4d7014312df7be5f0392d2d392daeec1da80556
Instruction Fuzzy Hash: FE31BC72504315ABD710DF149849FABB7EAFF88314F00092EF595E7281DA35EE18CB96

Function 004AAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004AAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 004AAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004AAFC4
CloseHandle.KERNEL32(00000004), ref: 004AAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004AAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 004AB012

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5760301c1f62739c7febe0c6c9613c1e5e4e9e85f4725860f72df19e1bd98f02
Instruction ID: e4a89b601f380e0f4c836dd941ea915c509199dc2e55d48800531dc692b40bc7
Opcode Fuzzy Hash: 5760301c1f62739c7febe0c6c9613c1e5e4e9e85f4725860f72df19e1bd98f02
Instruction Fuzzy Hash: A0218072505209AFDF128F94DD09FAF7BA9EF46308F044026FE01A6161C3799D31EB65

Function 004DEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0048AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0048AFE3
Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048AFF2
Part of subcall function 0048AF83: BeginPath.GDI32(?), ref: 0048B009
Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 004DEC20
LineTo.GDI32(00000000,00000003,?), ref: 004DEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004DEC42
LineTo.GDI32(00000000,00000000,?), ref: 004DEC52
EndPath.GDI32(00000000), ref: 004DEC62
StrokePath.GDI32(00000000), ref: 004DEC72

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b5369c3f63b3f1e5a00448dfb45a8e3148ac6aea436e794c19374a7eb3050c7d
Instruction ID: 1c0cbe95751c9a0f640cd14a3a8e5746da88e51aa3eecccc837237eff1923945
Opcode Fuzzy Hash: b5369c3f63b3f1e5a00448dfb45a8e3148ac6aea436e794c19374a7eb3050c7d
Instruction Fuzzy Hash: E1111B7240014DBFEF129FA0DD88EEA7F6DEB08354F048122BE098A260D7719D65DBA4

Function 004AE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004AE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 004AE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004AE1D8
ReleaseDC.USER32(00000000,00000000), ref: 004AE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004AE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 004AE209

Part of subcall function 004A9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,004A9A05,00000000,00000000,?,004A9DDB), ref: 004AA53A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: e812c4f78e2a964ac66f84ee1d9620f2b61898048aebf6a11eff5b1022bd52ae
Instruction ID: 6469e660ba0ef88df759b4db18443abd5c08e3e17cb779c6d2ce3bca57570bf6
Opcode Fuzzy Hash: e812c4f78e2a964ac66f84ee1d9620f2b61898048aebf6a11eff5b1022bd52ae
Instruction Fuzzy Hash: 23018FB5E00214BFEB109BA68C49B6EBFB9EB59751F004066EA04E7390DA709C11CBA4

Function 00497B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00497B47

Part of subcall function 0049123A: __initp_misc_winsig.LIBCMT ref: 0049125E
Part of subcall function 0049123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00497F51
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00497F65
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00497F78
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00497F8B
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00497F9E
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00497FB1
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00497FC4
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00497FD7
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00497FEA
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00497FFD
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00498010
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00498023
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00498036
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00498049
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0049805C
Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0049806F

__mtinitlocks.LIBCMT ref: 00497B4C

Part of subcall function 00497E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0052AC68,00000FA0,?,?,00497B51,00495E77,00526C70,00000014), ref: 00497E41

__mtterm.LIBCMT ref: 00497B55

Part of subcall function 00497BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00497B5A,00495E77,00526C70,00000014), ref: 00497D3F
Part of subcall function 00497BBD: _free.LIBCMT ref: 00497D46
Part of subcall function 00497BBD: DeleteCriticalSection.KERNEL32(0052AC68,?,?,00497B5A,00495E77,00526C70,00000014), ref: 00497D68

__calloc_crt.LIBCMT ref: 00497B7A
GetCurrentThreadId.KERNEL32 ref: 00497BA3

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: e511608d7dc1b8ab57142567278d78f86da8d59b345e179a615c09ba7854f20b
Instruction ID: 1935c91410c14499794c608037102ef26e9f49bad2b82a3c9437dfe7fbd6df5b
Opcode Fuzzy Hash: e511608d7dc1b8ab57142567278d78f86da8d59b345e179a615c09ba7854f20b
Instruction Fuzzy Hash: D2F0623253D2121EEE2577757C0664B2F84AF0273CB2006BFF864D51E2EB2D9942476D

Function 004727EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0047281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00472825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00472830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0047283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00472843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047284B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: bcbc10fa48785b462ca892bc356f71ad7650a61a60b08d939926c1ade413fd1f
Instruction ID: 3ce1c627d9eb2cca6beda25ae1a9ff5b9ac8a6bacb10dfddada7fbc01d05c3bb
Opcode Fuzzy Hash: bcbc10fa48785b462ca892bc356f71ad7650a61a60b08d939926c1ade413fd1f
Instruction Fuzzy Hash: 520167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5A864CBE5

Function 004B9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 98d0723f69459549a1dc79937195a252f36fcdda9c70b30b514cdd4914ed88d2
Instruction ID: 116592b96f6ed62687d8edb3b61853f0885a8d18c97a636f8e5f90e44ccf0447
Opcode Fuzzy Hash: 98d0723f69459549a1dc79937195a252f36fcdda9c70b30b514cdd4914ed88d2
Instruction Fuzzy Hash: CC01A932601211ABDB151B58EC48EFF776AFF8D701B15047BF60392190DB789C10DBA8

Function 004B7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004B7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004B7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 004B7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C4C

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 07a6d9dce5f8ad4e3cf4a249876ef4db256c1ea7ea631021dc6fa1b76c0045b9
Instruction ID: db130de70ca549be4f25b3b6a73f75bd471b8175e1c988f1fcbc8a0cdd2eef1b
Opcode Fuzzy Hash: 07a6d9dce5f8ad4e3cf4a249876ef4db256c1ea7ea631021dc6fa1b76c0045b9
Instruction Fuzzy Hash: B9F05E72A41158BBE7215B529C0EEFF7F7DEFC6B15F000029FA01D1151DBA05A51C6B9

Function 004B9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004B9A33
EnterCriticalSection.KERNEL32(?,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A5E

Part of subcall function 004B93D1: CloseHandle.KERNEL32(?,?,004B9A6B,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 004B9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A78

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7ffdb64c4d11e381f3ca43cf12b65b42e215528ed33819d6e483e1cccc5218f1
Instruction ID: f68dfc63fa3535adb5f7bd013c1aed2d4ad1f66c62f7ecb8557ef711f5d7a8f3
Opcode Fuzzy Hash: 7ffdb64c4d11e381f3ca43cf12b65b42e215528ed33819d6e483e1cccc5218f1
Instruction Fuzzy Hash: 62F05E32941211ABD7111BA8EC89EFF776AFF89301F150476F603910A0DB799821EBA8

Function 00471CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0048F4EA: std::exception::exception.LIBCMT ref: 0048F51E
Part of subcall function 0048F4EA: __CxxThrowException@8.LIBCMT ref: 0048F533

__swprintf.LIBCMT ref: 00471EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00471D49

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: d5aa9a04872c35f5b95f4a33a9be4a50eb0c3ce14179275e8497f78d04cb029e
Instruction ID: c2044f97548e69c7219c438bb664b5d789b822765fee0b5cef27709907bd5f9c
Opcode Fuzzy Hash: d5aa9a04872c35f5b95f4a33a9be4a50eb0c3ce14179275e8497f78d04cb029e
Instruction Fuzzy Hash: 84918F71504251AFC724EF26C885CAFB7A4BF85704F00891FF889972A1DB78ED05CB9A

Function 004CAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004CB006
CharUpperBuffW.USER32(?,?), ref: 004CB115
VariantClear.OLEAUT32(?), ref: 004CB298

Part of subcall function 004B9DC5: VariantInit.OLEAUT32(00000000), ref: 004B9E05
Part of subcall function 004B9DC5: VariantCopy.OLEAUT32(?,?), ref: 004B9E0E
Part of subcall function 004B9DC5: VariantClear.OLEAUT32(?), ref: 004B9E1A

Strings

Incorrect Parameter format, xrefs: 004CB03E, 004CB20B
AUTOIT.ERROR, xrefs: 004CB11B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5068861c72ff573f2f1bdffef49a4524ef04897220c4d5ad6df7d3dea168f212
Instruction ID: 193cedac43054cd5371d61f96263e78781e994852c15000dc15db68db15283eb
Opcode Fuzzy Hash: 5068861c72ff573f2f1bdffef49a4524ef04897220c4d5ad6df7d3dea168f212
Instruction Fuzzy Hash: D19159346043019FCB50DF25D485E9BBBE4EF89704F04886EF89A9B361DB39E905CB96

Function 004B5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048C6F4: _wcscpy.LIBCMT ref: 0048C717

_memset.LIBCMT ref: 004B5438
GetMenuItemInfoW.USER32(?), ref: 004B5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004B5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004B553D

Strings

0, xrefs: 004B5430

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 726bcc768706a13e1df469d2a288e2bd380c7f96901fa1bace2b9bc27b4e6a55
Instruction ID: 98cebddf52c6029e3ab4ad7d0bed2a8729e3db9f88490b1912a263c05472a5ac
Opcode Fuzzy Hash: 726bcc768706a13e1df469d2a288e2bd380c7f96901fa1bace2b9bc27b4e6a55
Instruction Fuzzy Hash: F451F371504701ABD7259B28C8417FBF7E9EF85315F080A2FF895D3290D768CD44876A

Function 004B0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004B027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004B02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004B02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004B0344

Strings

DllGetClassObject, xrefs: 004B02B7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 821ccc1a6dd468dd7704fb0897db1633bddd02f08c1634302db637e7d6c6beea
Instruction ID: dcfc178123f15e80a906a73fa7d1fe897a60786a205f997dc761137942816f37
Opcode Fuzzy Hash: 821ccc1a6dd468dd7704fb0897db1633bddd02f08c1634302db637e7d6c6beea
Instruction Fuzzy Hash: C8416D71600204AFDB05CF54C889BAB7BF9FF44316B1480AAED099F246D7B9D944CBA4

Function 004B5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B5075
GetMenuItemInfoW.USER32 ref: 004B5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 004B50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00531708,00000000), ref: 004B5120

Strings

0, xrefs: 004B506D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5776d3994117ec1ad9cad3ec8fa998d559cd73d77485fd9c57532b9d5a0cca09
Instruction ID: 4ed5ddde1f5e6235c8bcbbe4a477cf3b8a53e02e1f43ade5e911a9ce6fc0d8ee
Opcode Fuzzy Hash: 5776d3994117ec1ad9cad3ec8fa998d559cd73d77485fd9c57532b9d5a0cca09
Instruction Fuzzy Hash: 5441AE706047019FD720DF29D884BABBBE4AF89328F14462EF99597391D774E900CB7A

Function 004D0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 004D0587

Strings

none, xrefs: 004D0662
winapi, xrefs: 004D05F8
stdcall, xrefs: 004D0609
cdecl, xrefs: 004D05DE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: a7433f82e5e13e282bc8b2fe37a85afca4d112f324657f2d270a0829609bf61d
Instruction ID: 462736ce1174a0a3ec3ff061064f8ed97f2dbcc2f8457ec8ebacd2124e965d80
Opcode Fuzzy Hash: a7433f82e5e13e282bc8b2fe37a85afca4d112f324657f2d270a0829609bf61d
Instruction Fuzzy Hash: C531BF30900116ABCF00EF65C851AEEB3B4FF41314F00862FA826A73D1DB79E916CB84

Function 004AB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004AB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004AB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 004AB8D1

Strings

ComboBox, xrefs: 004AB815
ListBox, xrefs: 004AB84D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: bc79d8c25a5d08ae69fab383bed26b4c9aac7e80adb48940c277ee6999ba9241
Instruction ID: ddaefc293c5da5d6ce6f4955095d896a131200f1f943d2614a8a2c5a731ab10c
Opcode Fuzzy Hash: bc79d8c25a5d08ae69fab383bed26b4c9aac7e80adb48940c277ee6999ba9241
Instruction Fuzzy Hash: 2521D275900104BFDB04ABB9D8869FF7779EF16354B10812EF015A21E2DB6C5D0A97A8

Function 004C43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004C4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004C4457
InternetCloseHandle.WININET(00000000), ref: 004C449E

Part of subcall function 004C5052: GetLastError.KERNEL32(?,?,004C43CC,00000000,00000000,00000001), ref: 004C5067

Strings

, xrefs: 004C4450

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: e46838e1bfd4ecbc62008998bac7e0474959b2e2fcb7462c53ca08b73a865657
Instruction ID: 54806f5f8138f7a97ac38e57ef09c3ddf96e81d1cb3f76a6ff3ff9fd46162852
Opcode Fuzzy Hash: e46838e1bfd4ecbc62008998bac7e0474959b2e2fcb7462c53ca08b73a865657
Instruction Fuzzy Hash: E421D0B9500208BFE751AF95CD90FBFBAECEB88758F20802FF105D6240DA689D059779

Function 004D90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0048D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
Part of subcall function 0048D17C: GetStockObject.GDI32(00000011), ref: 0048D1CE
Part of subcall function 0048D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004D915C
LoadLibraryW.KERNEL32(?), ref: 004D9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004D9178
DestroyWindow.USER32(?), ref: 004D9180

Strings

SysAnimate32, xrefs: 004D9137

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 746bce379e1d9885926d73d04321a30ee161b205ee825fe8d20f49bc7b1c10f4
Instruction ID: 85ac623641da5fdf544cff4427cbbad1f9a85c63aa8a32124fd93437dd521765
Opcode Fuzzy Hash: 746bce379e1d9885926d73d04321a30ee161b205ee825fe8d20f49bc7b1c10f4
Instruction Fuzzy Hash: 86218E71600206BBFF104E649C99EBF37A9EF99364F10461BF954D2390C735DC52A768

Function 004B9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004B9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B95B9
GetStdHandle.KERNEL32(0000000C), ref: 004B95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004B9605

Strings

nul, xrefs: 004B9600

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fe376be8ff009bc99bbda883ab4cea9967b99a80d0709d7c04693393d714fe01
Instruction ID: a04f5546eceec1191cc5ac861e5c5fdf029fc8372442e70159c554b2081f1da5
Opcode Fuzzy Hash: fe376be8ff009bc99bbda883ab4cea9967b99a80d0709d7c04693393d714fe01
Instruction Fuzzy Hash: 4F21B071640205ABDB219F25DC04ADA7BF8AF54324F204A2AFEA1D72D0D774DD51CB78

Function 004B9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004B9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B9683
GetStdHandle.KERNEL32(000000F6), ref: 004B9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004B96CE

Strings

nul, xrefs: 004B96C9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 29b709f75cdc6d203c800073e1ea9759b8c3c94de989b21c03aeae998804d486
Instruction ID: 8b10aeed1160363ae1939e16cda86ed004aeb21d934b0aaecc92842f03429f9d
Opcode Fuzzy Hash: 29b709f75cdc6d203c800073e1ea9759b8c3c94de989b21c03aeae998804d486
Instruction Fuzzy Hash: 6921AF716002059BDB209F699C05EEA77E8AF55724F200A1AFAA1E73D0E774DC51CB78

Function 004BDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004BDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004BDB5E
__swprintf.LIBCMT ref: 004BDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0050DC00), ref: 004BDBB5

Strings

%lu, xrefs: 004BDB71

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 9b27aa295fc96005be98e8ad8470a952e4922a9546cf614c906861a312def31c
Instruction ID: 00f22d4bf91c261ae44a0769f92c36f5b8b39473d6eab9d3b57f29da11a1aef2
Opcode Fuzzy Hash: 9b27aa295fc96005be98e8ad8470a952e4922a9546cf614c906861a312def31c
Instruction Fuzzy Hash: 71217135A00108AFCB10EFA5D985DEEBBB9EF49704B0040AEF509E7251DB74EA01CB65

Function 004AC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004AC84A
Part of subcall function 004AC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004AC85D
Part of subcall function 004AC82D: GetCurrentThreadId.KERNEL32 ref: 004AC864
Part of subcall function 004AC82D: AttachThreadInput.USER32(00000000), ref: 004AC86B

GetFocus.USER32 ref: 004ACA05

Part of subcall function 004AC876: GetParent.USER32(?), ref: 004AC884

GetClassNameW.USER32(?,?,00000100), ref: 004ACA4E
EnumChildWindows.USER32(?,004ACAC4), ref: 004ACA76
__swprintf.LIBCMT ref: 004ACA90

Strings

%s%d, xrefs: 004ACA8A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: b81035153ca7e189fe3f3084384c65947541b97ff12326f221af0c0a84817742
Instruction ID: 26100c155aada57efdee0b7604ebaeeece32f4d8e49ae5f99fb15d9b450f4f36
Opcode Fuzzy Hash: b81035153ca7e189fe3f3084384c65947541b97ff12326f221af0c0a84817742
Instruction Fuzzy Hash: AD11A5759002057BDB01BF918CC5FF93769AF66708F00806BF918AA182CB789945DB78

Function 00497A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00497AD8

Part of subcall function 00497CF4: __mtinitlocknum.LIBCMT ref: 00497D06
Part of subcall function 00497CF4: EnterCriticalSection.KERNEL32(00000000,?,00497ADD,0000000D), ref: 00497D1F

InterlockedIncrement.KERNEL32(?), ref: 00497AE5
__lock.LIBCMT ref: 00497AF9
___addlocaleref.LIBCMT ref: 00497B17

Strings

`O, xrefs: 00497AA3

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `O
API String ID: 1687444384-2819024103
Opcode ID: daf3b3e9e47b77b864a86cb70c5ca98e02502b20de86ea7cc61df707b1d4957a
Instruction ID: 34255a55a3c7bc7eb4778d81b514b156397985d8b84f8d7e5545d594d3f3f468
Opcode Fuzzy Hash: daf3b3e9e47b77b864a86cb70c5ca98e02502b20de86ea7cc61df707b1d4957a
Instruction Fuzzy Hash: 1E016D71445B01EFDB20DF76D90574ABBF0AF50329F20891FA49A976A0CB78A644CB09

Function 004DE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004DE33D
_memset.LIBCMT ref: 004DE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00533D00,00533D44), ref: 004DE37B
CloseHandle.KERNEL32 ref: 004DE38D

Strings

D=S, xrefs: 004DE346

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=S
API String ID: 3277943733-274248958
Opcode ID: 06e3afa786863cf176ffb7622d8adf733f96201840cd03bf920c837b85207032
Instruction ID: 699265e3c6e4ab12ba1b7ef427293cfbe10fe04446bf3441eb78ce31396b007e
Opcode Fuzzy Hash: 06e3afa786863cf176ffb7622d8adf733f96201840cd03bf920c837b85207032
Instruction Fuzzy Hash: 80F05EF1640304BEE7102B65AC45F7B7E9CEB15794F004832BF08DA2A2D7799E1096A8

Function 004D1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004D19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004D1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 004D1B49
CloseHandle.KERNEL32(?), ref: 004D1BBF

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 21fd1b8afbde27ddd212a0ea83afb37427cd0a9e2a74a13839e1d4576a682a35
Instruction ID: 2902f1e00ac91fe9df1238bb34695716460fd67b4905f8f9d31ad060c0d92265
Opcode Fuzzy Hash: 21fd1b8afbde27ddd212a0ea83afb37427cd0a9e2a74a13839e1d4576a682a35
Instruction Fuzzy Hash: B981A670600200ABDF11EF65C896BAEBBE5EF04714F14845BFD05AF392D7B8A941CB94

Function 004B1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004B1CB4
VariantClear.OLEAUT32(00000013), ref: 004B1D26
VariantClear.OLEAUT32(00000000), ref: 004B1D81
VariantClear.OLEAUT32(?), ref: 004B1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004B1E26

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4ae04b0a3c729c7b1fd01f6bbca35b9fce69e7f5bcabbeb61960ea916044b500
Instruction ID: 09ab6842ce2312dd5edb8695c4817943b90ed4f3c3155249989f1a89d79984cf
Opcode Fuzzy Hash: 4ae04b0a3c729c7b1fd01f6bbca35b9fce69e7f5bcabbeb61960ea916044b500
Instruction Fuzzy Hash: 025169B5A00209EFCB14CF58C890AAAB7B9FF4D314B15855AED49DB310E334EA11CFA4

Function 004D0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004D06EE
GetProcAddress.KERNEL32(00000000,?), ref: 004D077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 004D079B
GetProcAddress.KERNEL32(00000000,?), ref: 004D07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 004D07FB

Part of subcall function 0048E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004BA574,?,?,00000000,00000008), ref: 0048E675
Part of subcall function 0048E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,004BA574,?,?,00000000,00000008), ref: 0048E699

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: d5bd8f58ee319f9f804b01d121d83a9f3de19bf0a5721df9084a10ad6e60ba40
Instruction ID: 69ce74d2cd980d2a995d5ebceebb6f74148a5275801e4aa312f8dbcf1ba700ef
Opcode Fuzzy Hash: d5bd8f58ee319f9f804b01d121d83a9f3de19bf0a5721df9084a10ad6e60ba40
Instruction Fuzzy Hash: 19515D75A00205DFCB00EFA9C491AADB7B5BF19314F04C06BE919AB352DB38ED42CB59

Function 004D2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004D2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004D2F75
RegCloseKey.ADVAPI32(?,?), ref: 004D2FA1
RegCloseKey.ADVAPI32(00000000), ref: 004D2FAE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: ab025fe518c3e74df0441c8ef2a8c271ef02e7cd1e9020066f90d0264b8c20dc
Instruction ID: 0577e4b84bd58ce9e22bd40075c9efb5c3c7b0652cf3ad7829fc40d027c0a3e3
Opcode Fuzzy Hash: ab025fe518c3e74df0441c8ef2a8c271ef02e7cd1e9020066f90d0264b8c20dc
Instruction Fuzzy Hash: 35517B31608204AFC704EF55C991EABB7F9FF88308F00882EF59997291DB74E905DB5A

Function 004DCCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ce68b1bebe9bb8c4641e0325063e8c1094bcf5e5db1952739b4c3b1e1808be
Instruction ID: ff9af4704bf4afc9844b972a349e5d4a2dae6b0ca025da1ed8fbb901aa2cc09a
Opcode Fuzzy Hash: 02ce68b1bebe9bb8c4641e0325063e8c1094bcf5e5db1952739b4c3b1e1808be
Instruction Fuzzy Hash: D641A675D00106ABDB14DF68CCA4FA6BB66EB09310F140267E959E73D1C738AD12D698

Function 004C1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004C12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004C12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004C131C

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004C1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004C1349

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: f0382a4f6d9807cfa53d386a379acd5be5c2f51e95b91a35d4fe8bcc77d46751
Instruction ID: 225eed964eec3944e24b100e1a4a1f271934d3e86099e0917c82d616b85479fd
Opcode Fuzzy Hash: f0382a4f6d9807cfa53d386a379acd5be5c2f51e95b91a35d4fe8bcc77d46751
Instruction Fuzzy Hash: 62411E35A00105DFDB01EF65C981AAEBBF5FF09314B14C0AAE90AAB362CB35ED11DB54

Function 0048B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0048B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0048B66C
GetAsyncKeyState.USER32(00000001), ref: 0048B691
GetAsyncKeyState.USER32(00000002), ref: 0048B69F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: dd11579d3dfdc6fb16cc10c91e156269f4628e90c945dbbe509d838b8f02f508
Instruction ID: a4a5ac1e8625283cadda1a9c4e0cf115919c4a897112c14d7e03041984fbbf08
Opcode Fuzzy Hash: dd11579d3dfdc6fb16cc10c91e156269f4628e90c945dbbe509d838b8f02f508
Instruction Fuzzy Hash: 5B418E31904115BFDF15DF65C844AEEBB74FB05324F20435BE829A6290DB38AD90EF9A

Function 004AB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004AB369
PostMessageW.USER32(?,00000201,00000001), ref: 004AB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 004AB41B
PostMessageW.USER32(?,00000202,00000000), ref: 004AB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004AB431

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e3fc10e46999cba178fde3a451984e51cdef992e7913530b554878e30ead46a8
Instruction ID: 8f4e3b8616bd9e1564da964260862b6fbb5752ae48989b99a237b09bcbec0db3
Opcode Fuzzy Hash: e3fc10e46999cba178fde3a451984e51cdef992e7913530b554878e30ead46a8
Instruction Fuzzy Hash: 1D31C071900219EBDF04CF68DD4DAAE3BB5EB15319F10422AF821EA2D2C7B49914DB95

Function 004ADBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004ADBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004ADBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004ADC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004ADC52
_wcsstr.LIBCMT ref: 004ADC5C

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 647a3eba3e55ed10656a35fba6dc6c095d5d49820b7a1bf2c7672ff853eca657
Instruction ID: 021e3ee3f6c9b068d33026cba94978436985dfa790f89130194ef9793c0d9a53
Opcode Fuzzy Hash: 647a3eba3e55ed10656a35fba6dc6c095d5d49820b7a1bf2c7672ff853eca657
Instruction Fuzzy Hash: 7321F571A04100BBEB155B299C49E7F7BA9DF56760F10403BF80ACA191EAA9DC01D268

Function 004ABC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004ABC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004ABCC2
__itow.LIBCMT ref: 004ABCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004ABD00
__itow.LIBCMT ref: 004ABD11

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: bc305306ec1faa8f2057638da31b7055a37730ff3ff3e526f685518e7c100931
Instruction ID: 5429248e01817962febf5b4aea82be6def09f7d8d790e692ac67a8d47b1ea7bf
Opcode Fuzzy Hash: bc305306ec1faa8f2057638da31b7055a37730ff3ff3e526f685518e7c100931
Instruction Fuzzy Hash: EC21C935A003187ADB10AA658C45FDF7A69EF6B724F00402AF905EB192DB78890587E9

Function 004B6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004750E6: _wcsncpy.LIBCMT ref: 004750FA

GetFileAttributesW.KERNEL32(?,?,?,?,004B60C3), ref: 004B6369
GetLastError.KERNEL32(?,?,?,004B60C3), ref: 004B6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004B60C3), ref: 004B6388
_wcsrchr.LIBCMT ref: 004B63AA

Part of subcall function 004B6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004B60C3), ref: 004B63E0

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 72adf8a6262dd300e73f5f8cdc0399fcc8533622c4f9ef86d7356f7beca7ba99
Instruction ID: 140593ea64a9e21e786187dafbcaae25ba4bcb87aaa09afe00eeb149a05bcf8e
Opcode Fuzzy Hash: 72adf8a6262dd300e73f5f8cdc0399fcc8533622c4f9ef86d7356f7beca7ba99
Instruction Fuzzy Hash: F12101309042049ADB10AB78AC46FEE33ECAF19360F11147BF805D31C0EAAC99848A7D

Function 004C8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 004CA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004C8BD3
WSAGetLastError.WSOCK32(00000000), ref: 004C8BE2
connect.WSOCK32(00000000,?,00000010), ref: 004C8BFE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 3b3f12df293e242d8d4dbaead8abdac2767eb1968c36cb8ff71b358be54eede8
Instruction ID: 08fb509cc47ecbaac11260ee077c1ce52023faf8b7459d7155c842476d653c56
Opcode Fuzzy Hash: 3b3f12df293e242d8d4dbaead8abdac2767eb1968c36cb8ff71b358be54eede8
Instruction Fuzzy Hash: 58219D356002149FCB10AB69C985FBE77E9AF48714F04845EF956AB392CB78AC018B69

Function 004C8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C8441
GetForegroundWindow.USER32 ref: 004C8458
GetDC.USER32(00000000), ref: 004C8494
GetPixel.GDI32(00000000,?,00000003), ref: 004C84A0
ReleaseDC.USER32(00000000,00000003), ref: 004C84DB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 645b2b467b296d8be34ee3e0312aa82f0d460eda2d684a64e3693d78be0bc9a4
Instruction ID: c61025e0d041f316fd469a7264e2965ec15e42bdc180d1b793677ab44a0e32c0
Opcode Fuzzy Hash: 645b2b467b296d8be34ee3e0312aa82f0d460eda2d684a64e3693d78be0bc9a4
Instruction Fuzzy Hash: 1921A435A00204AFD704EFA5C944AAEB7F9EF48305F04847EE849D7351DB74AC01CB68

Function 0048AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0048AFE3
SelectObject.GDI32(?,00000000), ref: 0048AFF2
BeginPath.GDI32(?), ref: 0048B009
SelectObject.GDI32(?,00000000), ref: 0048B033

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d539d66a72fe75ef20eb885ac52864627348826dcc749b56e15054f6b15fc609
Instruction ID: 21f9c1aad17734ab3c3020c50acb2e4e162407b06e236d23f7404589295dfb8c
Opcode Fuzzy Hash: d539d66a72fe75ef20eb885ac52864627348826dcc749b56e15054f6b15fc609
Instruction Fuzzy Hash: 1921B270800704EFDB10AFE5ED497AE3B69F721355F14462BE520923A0C3744859EBAD

Function 0049217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004921A9
CreateThread.KERNEL32(?,?,004922DF,00000000,?,?), ref: 004921ED
GetLastError.KERNEL32 ref: 004921F7
_free.LIBCMT ref: 00492200
__dosmaperr.LIBCMT ref: 0049220B

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 32df624f870a6c8d1c8c4aaee0d156c61dd8a2792f3a6df108be50b5a8a33192
Instruction ID: 008f8e2488a3bf5bb935e70a0f5e53cfc5ea31591270334037565f63fae3b8f1
Opcode Fuzzy Hash: 32df624f870a6c8d1c8c4aaee0d156c61dd8a2792f3a6df108be50b5a8a33192
Instruction Fuzzy Hash: F41108321043067F9F11AFA6DD42DAB3F99EF05774710003FF91496192DBB9D8118BA9

Function 004AABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004AABD7
GetLastError.KERNEL32(?,004AA69F,?,?,?), ref: 004AABE1
GetProcessHeap.KERNEL32(00000008,?,?,004AA69F,?,?,?), ref: 004AABF0
HeapAlloc.KERNEL32(00000000,?,004AA69F,?,?,?), ref: 004AABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004AAC0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7546b07c59e4950bd4c72b90959fc41ed357c4e8d1605cb1757f03e702249540
Instruction ID: 5a33e339a2a1e8dd1b0338a43adf53843adde9bee4dd700827012f5703989c3d
Opcode Fuzzy Hash: 7546b07c59e4950bd4c72b90959fc41ed357c4e8d1605cb1757f03e702249540
Instruction Fuzzy Hash: B8011D71601204BFEB104FA5DC48D7B3BADEF8A765710042AF949C3250D7719D60DB69

Function 004B7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004B7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004B7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004B7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a80b2147ee62a99f30245b279e93acf15467fa92109efe9926a37a1475e90f7c
Instruction ID: 632984e8b63414abf721641a1e4b568c090262350b6860f2d2318980984d64b2
Opcode Fuzzy Hash: a80b2147ee62a99f30245b279e93acf15467fa92109efe9926a37a1475e90f7c
Instruction Fuzzy Hash: 95016931C08619EBCF00AFE5DD48AEEBB79FF4C701F004156E402B2250DB389660D7A9

Function 004A9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 004A9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 004A9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 004A9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 004A9B15
CLSIDFromString.OLE32(?,?), ref: 004A9B21

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 11eeb7ab18b3d508d75c366c446bb0774c7eced9f71d10c7d5f379b6017d2710
Instruction ID: 9c6631e8e22d121fb85ac6f141b24585de1918a53eed3c3ec08d82d5004d34ff
Opcode Fuzzy Hash: 11eeb7ab18b3d508d75c366c446bb0774c7eced9f71d10c7d5f379b6017d2710
Instruction Fuzzy Hash: 55018F76A00204BFDB105F54EC44BAA7AEEEB59392F244036F905D6210D774ED00DBB4

Function 004AAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004AAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004AAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004AAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004AAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004AAAAF

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 842846941998825f1b6ed404e9d6919e3db324b21947a6a76e359cf40dadc0a4
Instruction ID: 10482d6b38a1d49dd895f2d9acc3b92800df36036969187bdfaef8ea5bdf6212
Opcode Fuzzy Hash: 842846941998825f1b6ed404e9d6919e3db324b21947a6a76e359cf40dadc0a4
Instruction Fuzzy Hash: 25F0C2316003046FEB111FA4EC88E773BADFF5A754F00002AF901C7290DB609C25DB65

Function 004AAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004AAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004AAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004AAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004AAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004AAB10

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9ba5015b9f69da6531a6f191098e6056c6f8e8f394b899b6bdf707d9dfe645a7
Instruction ID: 9bcb26ee56ddf1f90594ae24b13d33b6848defb1d0ddf04735989af6fdc154b9
Opcode Fuzzy Hash: 9ba5015b9f69da6531a6f191098e6056c6f8e8f394b899b6bdf707d9dfe645a7
Instruction Fuzzy Hash: 77F04F716012086FEB110FA4EC88E773B6EFF4A754F00003AFA41C7290CB64AC21DA75

Function 004AEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004AEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 004AECAB
MessageBeep.USER32(00000000), ref: 004AECC3
KillTimer.USER32(?,0000040A), ref: 004AECDF
EndDialog.USER32(?,00000001), ref: 004AECF9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7ee202abe0ffd52dedf1e6719d8231dcdc1f65eb1a531f0d039d7740dd4f3ca0
Instruction ID: 84a9ce859d1698675f0d6cb65f5e1fa8235c8e3c4529a059377b0285a77efa1c
Opcode Fuzzy Hash: 7ee202abe0ffd52dedf1e6719d8231dcdc1f65eb1a531f0d039d7740dd4f3ca0
Instruction Fuzzy Hash: C401A430900704ABEB246B12DE4EBA677B9FF11715F00056AB593A54E1DBF8AA54CB48

Function 0048B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0048B0BA
StrokeAndFillPath.GDI32(?,?,004EE680,00000000,?,?,?), ref: 0048B0D6
SelectObject.GDI32(?,00000000), ref: 0048B0E9
DeleteObject.GDI32 ref: 0048B0FC
StrokePath.GDI32(?), ref: 0048B117

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 922704bb090f6ea521c2bf1d6758bcae89b763daa06c658334fb59417c3a6413
Instruction ID: f2d7c2689d9083f214a8653dcad4fdc8ff5c10461c40331952b61483e2e4edde
Opcode Fuzzy Hash: 922704bb090f6ea521c2bf1d6758bcae89b763daa06c658334fb59417c3a6413
Instruction Fuzzy Hash: FBF01D30000A44DFC721AFA5ED0E7693B65E7213A5F088315E425496F1C7344569EF6C

Function 004BF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004BF2DA
CoCreateInstance.OLE32(004FDA7C,00000000,00000001,004FD8EC,?), ref: 004BF2F2
CoUninitialize.OLE32 ref: 004BF555

Strings

.lnk, xrefs: 004BF28B, 004BF290, 004BF29E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: ef0504387e3cf65278a8766d0caf2bf208c1fbde11a440e28e01c749f8a21287
Instruction ID: f04e0add8bcc34273d602df6659231601f22a3eed69fc5e9d7a08e37be0a4aad
Opcode Fuzzy Hash: ef0504387e3cf65278a8766d0caf2bf208c1fbde11a440e28e01c749f8a21287
Instruction Fuzzy Hash: 07A12D71104201AFD300EF55C881EAFB7E8EF99718F00895EF55997192DB74E909CBA6

Function 004BE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0047660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004753B1,?,?,004761FF,?,00000000,00000001,00000000), ref: 0047662F

CoInitialize.OLE32(00000000), ref: 004BE85D
CoCreateInstance.OLE32(004FDA7C,00000000,00000001,004FD8EC,?), ref: 004BE876
CoUninitialize.OLE32 ref: 004BE893

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

Strings

.lnk, xrefs: 004BE83B, 004BE84D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 678baafbc39fdde2d4f47466af570f5a60002b8651936a61762d8e664a351d94
Instruction ID: e6e4496db859759274a72188f68fe4154207419ed82dd8d511e0fd0fcf2d4272
Opcode Fuzzy Hash: 678baafbc39fdde2d4f47466af570f5a60002b8651936a61762d8e664a351d94
Instruction Fuzzy Hash: 14A153756043019FCB10EF15C4849AABBE5BF88314F04899EF99A9B3A1CB35EC45CB95

Function 0049325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004932ED

Part of subcall function 0049E0D0: __87except.LIBCMT ref: 0049E10B

Strings

pow, xrefs: 004932C5, 004932E2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 9d56c567533075426f2b0b3bbaf4056728995614e97dbf77174ef70415ca9cad
Instruction ID: 3e3f0d5e32413cd7c6b90608f76f556724a2a4cf4b1b0ccb68eaa839fc41f331
Opcode Fuzzy Hash: 9d56c567533075426f2b0b3bbaf4056728995614e97dbf77174ef70415ca9cad
Instruction Fuzzy Hash: 39513A21A0820196CF21EF16C90537F2F949B52715F208DBBF895823E9DF3D8DC9A64E

Function 004B4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0050DC50,?,0000000F,0000000C,00000016,0050DC50,?), ref: 004B4645

Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004B46C5

Strings

REMOVE, xrefs: 004B4676
THIS, xrefs: 004B4703

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: ac210f47566b94eb9405867f78a73a32168c603a01c2e03842775f0dcfcd1977
Instruction ID: 467ab6664603c4535305a14a5cb7e5a0e8d9201aa4e1d6ee4630aa9a92678677
Opcode Fuzzy Hash: ac210f47566b94eb9405867f78a73a32168c603a01c2e03842775f0dcfcd1977
Instruction Fuzzy Hash: EE417534A001199FCF01DF55C881AEEB7B5FF89308F14845AE91AAB392DB38DD45CB64

Function 004AC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004ABC08,?,?,00000034,00000800,?,00000034), ref: 004B4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004AC1D3

Part of subcall function 004B42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004ABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 004B4300

Part of subcall function 004B422F: GetWindowThreadProcessId.USER32(?,?), ref: 004B425A
Part of subcall function 004B422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 004B426A
Part of subcall function 004B422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 004B4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004AC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004AC28D

Strings

@, xrefs: 004AC2A5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3ccc7b3414c2cd9f4ba3dac065b24d28507126d6b8eb6c8c2e5ebd27da857c45
Instruction ID: 4b71d4efc9532e4d7e4a37446c52017eef0535804a533d697befadef33f5b451
Opcode Fuzzy Hash: 3ccc7b3414c2cd9f4ba3dac065b24d28507126d6b8eb6c8c2e5ebd27da857c45
Instruction Fuzzy Hash: 86416972A00218AFDB10DFA4CD81BEEB7B8EF59300F00409AFA45B7281DA746E45DB64

Function 004DA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0050DC00,00000000,?,?,?,?), ref: 004DA6D8
GetWindowLongW.USER32 ref: 004DA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004DA705

Strings

SysTreeView32, xrefs: 004DA6AA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cce45f3f7d047d7794468069bb3ea50551e1755c24e9504c09c399a07a3098d9
Instruction ID: f1563bc1dcd5e075490042aa5068f5ad7c94a25439c8e4aa7b3f1ad25298a655
Opcode Fuzzy Hash: cce45f3f7d047d7794468069bb3ea50551e1755c24e9504c09c399a07a3098d9
Instruction Fuzzy Hash: 8631BF31500205ABDB119E74CC51BEB7BA9FF49324F18472AF875923E0C778E8609B59

Function 004C5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004C51C6

Strings

DL, xrefs: 004C522E
|, xrefs: 004C51B5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$DL
API String ID: 1413715105-3824535098
Opcode ID: 83e8996b3185d313d714d416ea0311ab61970226e88dd8591ad028dd1cb99400
Instruction ID: cdd32d936f173fb321d329b9ed23e53a9e1db4055e3dd3e71f5dcb915e583949
Opcode Fuzzy Hash: 83e8996b3185d313d714d416ea0311ab61970226e88dd8591ad028dd1cb99400
Instruction Fuzzy Hash: 4B313971C00109ABCF01AFA5CC85EEE7FB9FF18704F00405AF809A6166DB35AA46DBA4

Function 004DA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004DA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004DA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 004DA196

Strings

SysMonthCal32, xrefs: 004DA129

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4df4975a3fca1febfdd93fdaf3423fc233dff85be2d2eb93c20a9f1e43e3ae90
Instruction ID: 5dc29bb38fff5205c0a8b1a3a952005783f9ed7b62fcad7a0d5cf28bae4e562a
Opcode Fuzzy Hash: 4df4975a3fca1febfdd93fdaf3423fc233dff85be2d2eb93c20a9f1e43e3ae90
Instruction Fuzzy Hash: 0F21D332500218ABDF119F94CC42FEE3B79FF48714F100216FA55AB2D0D6B9AC61CB94

Function 004DA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004DA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004DA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004DA956

Strings

msctls_updown32, xrefs: 004DA8BB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 17005dfa19e8c1326f91455ac1e9f147e492b821daf119e80f2d58df9bb620e5
Instruction ID: 1f437c51217a08fe71c82cea96e4e40e7382ba96db1b9321be1edf3fbe7fea69
Opcode Fuzzy Hash: 17005dfa19e8c1326f91455ac1e9f147e492b821daf119e80f2d58df9bb620e5
Instruction Fuzzy Hash: A921C4B5600209AFDB00DF65CCA2D773BADEF5A368B04045AFA049B361CB34EC21DB65

Function 004D99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004D9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004D9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004D9A65

Strings

Listbox, xrefs: 004D99FD

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2ab1533759960ed613e8ef7d9c8d349f4f6bdbfa26c242ab8f7db7f5ba6302e1
Instruction ID: 247ff7899927eebc7b18cc727f439f17dc6df94383300140de1211cd5d193fbc
Opcode Fuzzy Hash: 2ab1533759960ed613e8ef7d9c8d349f4f6bdbfa26c242ab8f7db7f5ba6302e1
Instruction Fuzzy Hash: 4521C272610118BFEB218F54DC95FBF3BAAEF89754F01812AF9449B3A0C6759C11C7A4

Function 004DA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004DA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004DA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004DA48F

Strings

msctls_trackbar32, xrefs: 004DA444

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ca35617e17e0dcdabb2bcb167d431a9818626c59ba1027fc43c57e6863e84ac3
Instruction ID: a7f599593d143e76b15a4b9eec43fe7ab71a8acf8d6f1f4d37123b90c41bbae2
Opcode Fuzzy Hash: ca35617e17e0dcdabb2bcb167d431a9818626c59ba1027fc43c57e6863e84ac3
Instruction Fuzzy Hash: EB110A71200208BEEF209F75CC49FAB3B69FF89758F01411EFA45962D1D6B5E821DB28

Function 00492287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00492350,?), ref: 004922A1
GetProcAddress.KERNEL32(00000000), ref: 004922A8

Strings

RoInitialize, xrefs: 00492290
combase.dll, xrefs: 0049229C

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 725fe037b2f92161cdaaa14c82a319462418845c125ca150113f168f86d503b9
Instruction ID: ed9b72d3a785025b67b18d4981f1440efaf1e7f1139db1e913aca42379df166d
Opcode Fuzzy Hash: 725fe037b2f92161cdaaa14c82a319462418845c125ca150113f168f86d503b9
Instruction Fuzzy Hash: DFE01A70E94300ABDF205FB0ED4DB253A66AB21702F1050A1B202D52E0DBF84059EF0C

Function 0049235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00492276), ref: 00492376
GetProcAddress.KERNEL32(00000000), ref: 0049237D

Strings

combase.dll, xrefs: 00492371
RoUninitialize, xrefs: 00492365

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 76379f817a091c73e7b9169784295069dbf98553fbe5486ef3f54562fd8b4c08
Instruction ID: b7d5d3cab4ff8105e0ba7a92c765058a7da2d7bf2ae6424a69423fc2d5f2272a
Opcode Fuzzy Hash: 76379f817a091c73e7b9169784295069dbf98553fbe5486ef3f54562fd8b4c08
Instruction Fuzzy Hash: DAE0B670944304ABDB706F60EE1DB253A76BB20702F111425F609D22F0DBB89428FA19

Function 004EAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004EAC60
__swprintf.LIBCMT ref: 004EAC94

Strings

WIN_XPe, xrefs: 004EACD3
%.3d, xrefs: 004EAC6E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 671c14aa3f7e025b5f97401cf55c14c7d7207e1c329e2ba04743d73a60685b20
Instruction ID: 33339519de828dba82b0dd1bb312ad72f6699c3945422ac57e46d58f48e12870
Opcode Fuzzy Hash: 671c14aa3f7e025b5f97401cf55c14c7d7207e1c329e2ba04743d73a60685b20
Instruction Fuzzy Hash: CBE012B1C04659DBCB109792DD05DFA777CAB04742F2004D3F906A2050D63DABA6EB1B

Function 004D2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004D21FB,?,004D23EF), ref: 004D2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 004D2225

Strings

kernel32.dll, xrefs: 004D220E
GetProcessId, xrefs: 004D221F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: e5658362f42c6fc2ff4354adb5f9fb795de7e7698d2a137bbcc0bd5e3b1af7a7
Instruction ID: 6cf6938a0bb7c6fdeb8c455875c6480d3f29e15aa0fb4e4fdfcefd52f0da3287
Opcode Fuzzy Hash: e5658362f42c6fc2ff4354adb5f9fb795de7e7698d2a137bbcc0bd5e3b1af7a7
Instruction Fuzzy Hash: 53D0A7349007229FC7214F30FA086127AD9FF15310F00487BF895E2390E7B4D880DA54

Function 004742F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004742EC,?,004742AA,?), ref: 00474304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00474316

Strings

kernel32.dll, xrefs: 004742FF
Wow64RevertWow64FsRedirection, xrefs: 00474310

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: bbfad8aa261702e94026511695e7dff532d27bb5fbd839c39904aab231b07e11
Instruction ID: 355c209229be5de0a5de1c29a033361f89acdc910b5951b738a349c574cf69ce
Opcode Fuzzy Hash: bbfad8aa261702e94026511695e7dff532d27bb5fbd839c39904aab231b07e11
Instruction Fuzzy Hash: 75D0A730900B22AFC7204F20F80C6627AD8BF05301F00843AE949D22A4D7B4C880CA14

Function 0047434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004741BB,00474341,?,0047422F,?,004741BB,?,?,?,?,004739FE,?,00000001), ref: 00474359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0047436B

Strings

kernel32.dll, xrefs: 00474354
Wow64DisableWow64FsRedirection, xrefs: 00474365

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 8009f866b089fe4a7b3d2fc9c1d2b24e2d62db00e79898dc44b28c6f4fdf02e4
Instruction ID: 43a9197d3f931c058b0199cbd85fa3ad38930f1ca12abf6fb93fa295c0d45665
Opcode Fuzzy Hash: 8009f866b089fe4a7b3d2fc9c1d2b24e2d62db00e79898dc44b28c6f4fdf02e4
Instruction Fuzzy Hash: 60D0A730940722AFD7214F30F8486627ADCBF11715F00853AE889D2290D7B4D880CA14

Function 004B0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,004B052F,?,004B06D7), ref: 004B0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 004B0584

Strings

UnRegisterTypeLibForUser, xrefs: 004B057E
oleaut32.dll, xrefs: 004B056D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: d1d1c49c4518dbc9fc7bff599e55342ec87130ebf5914c60eb175f4123107376
Instruction ID: 7303beabd10e01d079d656541ac716a3ecdf5c5a030267badf3a9bf97bebb413
Opcode Fuzzy Hash: d1d1c49c4518dbc9fc7bff599e55342ec87130ebf5914c60eb175f4123107376
Instruction Fuzzy Hash: 4CD05E74800322AAD7309F20A909A537BE4BF05301F10882AE841D2694D674C480CA34

Function 004B0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,004B051D,?,004B05FE), ref: 004B0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 004B0559

Strings

oleaut32.dll, xrefs: 004B0542
RegisterTypeLibForUser, xrefs: 004B0553

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: d4afc18452ad52f89dbc323864d4ab351382216a7ba359687c165ad5e72c0242
Instruction ID: 7f6d01046181909fc6ba2f819973a3e11fc963cb62bea207462474b8b2fcd908
Opcode Fuzzy Hash: d4afc18452ad52f89dbc323864d4ab351382216a7ba359687c165ad5e72c0242
Instruction Fuzzy Hash: A5D0A734800722BFC730CF20F9096537AE4BF05302F10C43EE446D2694E674C880CA24

Function 004CECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004CECBE,?,004CEBBB), ref: 004CECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 004CECE8

Strings

GetSystemWow64DirectoryW, xrefs: 004CECE2
kernel32.dll, xrefs: 004CECD1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: a3f1258934fa6f64a2cac4e17f3296a11519cf70a6a88b8486cee691f8a5aaf0
Instruction ID: 9211af953f0f0e9175f804ff38eec62349df2b731c3b31c88df771dab969521a
Opcode Fuzzy Hash: a3f1258934fa6f64a2cac4e17f3296a11519cf70a6a88b8486cee691f8a5aaf0
Instruction Fuzzy Hash: 89D0A735800733AFCB205F61F948B177AE8BF01300F00843EF846D2290DB74C880DA54

Function 004CBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004CBAD3,00000001,004CB6EE,?,0050DC00), ref: 004CBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004CBAFD

Strings

kernel32.dll, xrefs: 004CBAE6
GetModuleHandleExW, xrefs: 004CBAF7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 71451e9f0dcf4bd6772752eb5b7744d4a622d3aa05cb4ce575ac5321966aec93
Instruction ID: 561a7d4f063b204603c21ee474fcb992b9f3aeef5c1a0fba6862ac8bb697c288
Opcode Fuzzy Hash: 71451e9f0dcf4bd6772752eb5b7744d4a622d3aa05cb4ce575ac5321966aec93
Instruction Fuzzy Hash: ABD05E74C00B239EC7309F20B849F227AD8BF01300F00442EA84392694E774D880CA58

Function 004D3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004D3BD1,?,004D3E06), ref: 004D3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004D3BFB

Strings

advapi32.dll, xrefs: 004D3BE4
RegDeleteKeyExW, xrefs: 004D3BF5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 6ced73b16ddf44628bfafef04586f12310175b5ed5b8e2cfd5a1d052c5f9a3f6
Instruction ID: 59997a66e1a97b543e7c9c8a994c4a7402285c4998c18d95ba68d824dd958fad
Opcode Fuzzy Hash: 6ced73b16ddf44628bfafef04586f12310175b5ed5b8e2cfd5a1d052c5f9a3f6
Instruction Fuzzy Hash: B4D0A771910722DFC7205F60F908617BEF5BF02715B10443BE445E2390D6B4D480CE15

Function 004A9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acef7c53798e28da6e66394525c290c31fd72af7b280d5eef9c911689456919b
Instruction ID: 6d12f9723cf2da0705ad0ffaa06fa19bd71cbecfa405157914844f96b9da91b2
Opcode Fuzzy Hash: acef7c53798e28da6e66394525c290c31fd72af7b280d5eef9c911689456919b
Instruction Fuzzy Hash: F1C17D75A0021AEFCB14CF94C884AAEB7B5FF59710F10859AE901EF291D734EE81DB94

Function 004CAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004CAAB4
CoUninitialize.OLE32 ref: 004CAABF

Part of subcall function 004B0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004B027B

VariantInit.OLEAUT32(?), ref: 004CAACA
VariantClear.OLEAUT32(?), ref: 004CAD9D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 2d081395f53531c05004b4eb9fba6bc1022df210288e971545523b814c8354b4
Instruction ID: d7dfeb771d6e5c8d8722df8d8277463f8dbc10d0ff4d81cb64b81a701d61c841
Opcode Fuzzy Hash: 2d081395f53531c05004b4eb9fba6bc1022df210288e971545523b814c8354b4
Instruction Fuzzy Hash: F9A148396047059FC750EF15C481B5AB7E5BF48718F04844EFA9A9B3A2CB38ED15CB8A

Function 004A91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004A91DD
SysAllocString.OLEAUT32(?), ref: 004A9286
VariantCopy.OLEAUT32 ref: 004A92B5
VariantClear.OLEAUT32(?), ref: 004A92DC

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 5c9c13140101b9a90e9247efb8172739215b07a5f9d94ec766d6dd5772d8df17
Instruction ID: 3f15e56a3455fe9835b2867b0c52a5934b5aed92034d4a6ac97761a933c4b1ce
Opcode Fuzzy Hash: 5c9c13140101b9a90e9247efb8172739215b07a5f9d94ec766d6dd5772d8df17
Instruction Fuzzy Hash: 23518230A04306ABDF24AF67949166EB3F5EF6A314F20881FE946CB2D1DB789C41871D

Function 0049365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004936B7
_memcpy_s.LIBCMT ref: 00493729
__filbuf.LIBCMT ref: 004937AA
_memset.LIBCMT ref: 004937EE

Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 8f15d075358429dd27e9fc29b6bd66edbf5a0a18595af90d30c35f54afd690eb
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: A351C6B0A00205ABDF349FA9888456F7FA1AF42325F24877FF825863D0D7789F518B59

Function 004DC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(010E6A50,?), ref: 004DC544
ScreenToClient.USER32(?,00000002), ref: 004DC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 004DC5DA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 57692c9d820a013c472940b4133c16989b3c0fd6f9a5c0938f9ccdc7f3690d50
Instruction ID: c168503594f982c471f4faf314667fa95e0642b1a6891cf63be0c16f2b7d4d9b
Opcode Fuzzy Hash: 57692c9d820a013c472940b4133c16989b3c0fd6f9a5c0938f9ccdc7f3690d50
Instruction Fuzzy Hash: 7D515C75900206AFCF10DF68D8E1AAE7BB6EB55320F20865BF8159B390D734ED41CB94

Function 004AC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 004AC462
__itow.LIBCMT ref: 004AC49C

Part of subcall function 004AC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 004AC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 004AC505
__itow.LIBCMT ref: 004AC55A

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: f9ed3dc69a5c6d3744d6146b169a79d0bfaf0f5dad574aac076d03215700e5d9
Instruction ID: 39db691101676c9b049741d689f91502b7e6740f6c813a85c771c9647c9abfcc
Opcode Fuzzy Hash: f9ed3dc69a5c6d3744d6146b169a79d0bfaf0f5dad574aac076d03215700e5d9
Instruction Fuzzy Hash: 35410730A00218BFDF15EF55C881BEE7BB9AF5A704F00401EF509A7281DB78AA45CB99

Function 004B390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 004B3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 004B3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004B39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 004B3A4D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2a3d331c0ea0360fb24861ad904b0382e9ff9256352b2448829d7a5f4aab1905
Instruction ID: 6b84cd16d5e23ef6e872fec3b32f1830991b970392e45dd414ecc51191b9f3b6
Opcode Fuzzy Hash: 2a3d331c0ea0360fb24861ad904b0382e9ff9256352b2448829d7a5f4aab1905
Instruction Fuzzy Hash: D441E6B0E44248AAEF208F6688057FEBBB99B59316F04015BF4C1922C1C7BC9E95D77D

Function 004BE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004BE742
GetLastError.KERNEL32(?,00000000), ref: 004BE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004BE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004BE7B9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a508c75e5708c15d91fe2e521fd7d6c7b3fc43a9b0bb5058b07d90935f578d2c
Instruction ID: 9d806443898023160532720cd65ceefa730f4349e958b08668d9f445eaa030bd
Opcode Fuzzy Hash: a508c75e5708c15d91fe2e521fd7d6c7b3fc43a9b0bb5058b07d90935f578d2c
Instruction Fuzzy Hash: 7F414A39600610DFCB11EF16C54499DBBE5BF89714B19C49AED0A9B362CB78FC00DB99

Function 004DB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004DB5D1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ed973dbe297c62adb7b3d8751e940cf9bc7158e45db49e5b43df8d90bece298c
Instruction ID: 91d32655d43bd82d4a70e737a17c019250ecfcc9c4917c574b2c6fb68cbca452
Opcode Fuzzy Hash: ed973dbe297c62adb7b3d8751e940cf9bc7158e45db49e5b43df8d90bece298c
Instruction Fuzzy Hash: E331CE34600104FBEB208A199CB9FAE37A5EB05354F564113FA11D63E1C738E9519B9E

Function 004DD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004DD807
GetWindowRect.USER32(?,?), ref: 004DD87D
PtInRect.USER32(?,?,004DED5A), ref: 004DD88D
MessageBeep.USER32(00000000), ref: 004DD8FE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d67be8ac56db5bd1a46e2d7add015fb414089a3f251a4502cc04af099d3931e5
Instruction ID: c42ff1c8ac29c7fdf9edc6a13f870205adccf24df640dcffc62caf8801785f68
Opcode Fuzzy Hash: d67be8ac56db5bd1a46e2d7add015fb414089a3f251a4502cc04af099d3931e5
Instruction Fuzzy Hash: 00418B70E00218DFCB12EFA9C8A5A697BB5BB45310F1881ABF4258B354D734E949EB48

Function 004B3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 004B3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 004B3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 004B3B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 004B3B92

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 23704c4e2c6f834ab1fd8918042a162651c4eb28b6516714d7cefa9ec469b4f5
Instruction ID: 60a61e11263ad364b9b4a44f749dc03845bef52fa23d16cdd596c76a89ec2bca
Opcode Fuzzy Hash: 23704c4e2c6f834ab1fd8918042a162651c4eb28b6516714d7cefa9ec469b4f5
Instruction Fuzzy Hash: 95312630908258AEEF208F6688197FF7BAA9B55316F04021BE481932D3C77CAB45D77D

Function 004A4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A4038
__isleadbyte_l.LIBCMT ref: 004A4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004A4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004A40CA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 24fbea4493346f7e1986e746015532ad057759cdd0400917fd0433168cb6cecd
Instruction ID: dd13050f545c16d47fb08dcb6b1e4c35c2628e1f014c8b4bfd81a4ccf7fff38a
Opcode Fuzzy Hash: 24fbea4493346f7e1986e746015532ad057759cdd0400917fd0433168cb6cecd
Instruction Fuzzy Hash: A931D430508206EFDF219F35C845B7F7BA5BFD2310F15402AE6518B290D7B9D891E794

Function 004D7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004D7CB9

Part of subcall function 004B5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B5F6F
Part of subcall function 004B5F55: GetCurrentThreadId.KERNEL32 ref: 004B5F76
Part of subcall function 004B5F55: AttachThreadInput.USER32(00000000,?,004B781F), ref: 004B5F7D

GetCaretPos.USER32(?), ref: 004D7CCA
ClientToScreen.USER32(00000000,?), ref: 004D7D03
GetForegroundWindow.USER32 ref: 004D7D09

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 941efb3fd3a75cca378b14e2d73112c42255b6980a04fa218375d85893f8bdfd
Instruction ID: cfac0058d985ca1faef04743bea2f8268a4634ce7b856e5d70bc8c029202d180
Opcode Fuzzy Hash: 941efb3fd3a75cca378b14e2d73112c42255b6980a04fa218375d85893f8bdfd
Instruction Fuzzy Hash: DF310C71900108AFDB00EFAAD9859FFFBF9EF58314B10846BE815E7211DA759A05CBA4

Function 004DF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

GetCursorPos.USER32(?), ref: 004DF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004EE4C0,?,?,?,?,?), ref: 004DF226
GetCursorPos.USER32(?), ref: 004DF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004EE4C0,?,?,?), ref: 004DF2A6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 954d4569ee07dd7e6dbeb330ca31dadace55e385f365d7127c0852da7f505938
Instruction ID: 7d0da09f7e4c1bec2bf4e87e963ca851a5fae7b3d66c733450db56111a91458d
Opcode Fuzzy Hash: 954d4569ee07dd7e6dbeb330ca31dadace55e385f365d7127c0852da7f505938
Instruction Fuzzy Hash: 8521CE39500018AFCB258F94D869EFF7BB5EB0A310F0440AAF9064B7A1D3399955DB98

Function 004C431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004C4358

Part of subcall function 004C43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004C4401
Part of subcall function 004C43E2: InternetCloseHandle.WININET(00000000), ref: 004C449E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 354c3a2a70878e1d2d4d4855c16ee5ddc8f2cbd9e089cd1ffc0bfe4a2e5e73c8
Instruction ID: 380d05f478821c48a503cc14ac64d5791fa1e09e9ee54d04945fa5548095dd1b
Opcode Fuzzy Hash: 354c3a2a70878e1d2d4d4855c16ee5ddc8f2cbd9e089cd1ffc0bfe4a2e5e73c8
Instruction Fuzzy Hash: 7821FF39300601BBEB519F618D10FBBBBAAFFC4710F10402FBA0586660DB75982197A8

Function 004C8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 004C8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 004C8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 004C8AFF
WSAGetLastError.WSOCK32(00000000), ref: 004C8B16

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: cafcc90c007f4b390c815130feff5ee6ad7760bdaadf16bfe4efad18d33e9f37
Instruction ID: 2af5bfef340a7025cf53781c685e131180d33ac5dd30dd2ca194fa18adf6a706
Opcode Fuzzy Hash: cafcc90c007f4b390c815130feff5ee6ad7760bdaadf16bfe4efad18d33e9f37
Instruction Fuzzy Hash: CD219675A001249FC7119F69C985AAEBBFCEF49314F00416EF849D7291DB749D41CF94

Function 004D8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004D8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004D8ADC

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c15d96ada8cb660aa667ad45f1e9396e6083e8600b3f92f6df0472d6c2238332
Instruction ID: e34351b3dfeeed01756eb7d32dbf8e9bddd9d386d188113932521cc8aa14cef3
Opcode Fuzzy Hash: c15d96ada8cb660aa667ad45f1e9396e6083e8600b3f92f6df0472d6c2238332
Instruction Fuzzy Hash: FE11AF31605111AFDB04AB19CC15FBA77A9AF85324F14811FF81AC73E2CBB8AC11C798

Function 004B0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004B0ABB,?,?,?,004B187A,00000000,000000EF,00000119,?,?), ref: 004B1E77
Part of subcall function 004B1E68: lstrcpyW.KERNEL32(00000000,?,?,004B0ABB,?,?,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B1E9D
Part of subcall function 004B1E68: lstrcmpiW.KERNEL32(00000000,?,004B0ABB,?,?,?,004B187A,00000000,000000EF,00000119,?,?), ref: 004B1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B0AD4
lstrcpyW.KERNEL32(00000000,?,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B0B2E

Strings

cdecl, xrefs: 004B0B25

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6a11249edacd258a8aa359bb1d61827aa709f7eec5e74e0c34193875a2a96a12
Instruction ID: 5762be077cb26b9d486c73677e37dd2dbff6e3e02031fc8d5f3f490463baa650
Opcode Fuzzy Hash: 6a11249edacd258a8aa359bb1d61827aa709f7eec5e74e0c34193875a2a96a12
Instruction Fuzzy Hash: 0A11D336200305AFDB25AF64DC15DBB77A9FF45314B80412BE806CB2A0EB75E850C7A9

Function 004A2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004A2FB5

Part of subcall function 0049395C: __FF_MSGBANNER.LIBCMT ref: 00493973
Part of subcall function 0049395C: __NMSG_WRITE.LIBCMT ref: 0049397A
Part of subcall function 0049395C: RtlAllocateHeap.NTDLL(010C0000,00000000,00000001,00000001,00000000,?,?,0048F507,?,0000000E), ref: 0049399F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 738dacc0a7ea901b83d051cd2f275cb8b90254fbb618d22868a80a681a6e0b98
Instruction ID: eefa544cb9b3b8ae1f5691d71bf132ffa8be27c70e8ae90d77b5b9da4afe3cb4
Opcode Fuzzy Hash: 738dacc0a7ea901b83d051cd2f275cb8b90254fbb618d22868a80a681a6e0b98
Instruction Fuzzy Hash: 3611E732808212AFDF213F75AC0466A3F94AF26369F20443BF9499A255DA7CC940A79D

Function 004B058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004B05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004B05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004B05DD
FreeLibrary.KERNEL32(?), ref: 004B0632

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 0b6e2f1b039ed88c1927dfe95865c82a6ef0c42878f9ccc4012b834b051bb994
Instruction ID: ca5a41a1cf294f0f43c26f27291e9a96873d6389277dcc81efc7f81be9c9566c
Opcode Fuzzy Hash: 0b6e2f1b039ed88c1927dfe95865c82a6ef0c42878f9ccc4012b834b051bb994
Instruction Fuzzy Hash: 8D217C71900209EFDB20CF95DC88AEBBBB8EF40705F0084AEE51692150D778EA65DF69

Function 004B6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004B6733
_memset.LIBCMT ref: 004B6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004B67A6
CloseHandle.KERNEL32(00000000), ref: 004B67AF

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 92295c40cf2482937e5ebea444252185445a63d7975ec79d0bb5ab7833a10b5b
Instruction ID: a191c1c82519486000425e3286a2671d83057f3222f522d614766f97caee1209
Opcode Fuzzy Hash: 92295c40cf2482937e5ebea444252185445a63d7975ec79d0bb5ab7833a10b5b
Instruction Fuzzy Hash: A111E771D012287AE72057A9AC4DFEBBABCEF44724F1141AAF904E7180D6744E80CBB9

Function 004AB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004AAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004AAA79
Part of subcall function 004AAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004AAA83
Part of subcall function 004AAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004AAA92
Part of subcall function 004AAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004AAA99
Part of subcall function 004AAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004AAAAF

GetLengthSid.ADVAPI32(?,00000000,004AADE4,?,?), ref: 004AB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004AB227
HeapAlloc.KERNEL32(00000000), ref: 004AB22E
CopySid.ADVAPI32(?,00000000,?), ref: 004AB247

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: a5ff96bb9142f16b0bc43bac263267d036520b8e6d575897907811783a85b29c
Instruction ID: 0378ad8a68d2074fea8a068106dff246a98f20d12082a51611a2cdfd88a04886
Opcode Fuzzy Hash: a5ff96bb9142f16b0bc43bac263267d036520b8e6d575897907811783a85b29c
Instruction Fuzzy Hash: 1A11E272A00204AFCB149F94CC48BBFB7A9EF9A308F14806FE54297211D739AE44CB54

Function 004AB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004AB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004AB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004AB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004AB4DB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 824aad3e2e8bbb34760a51ec1746e5481d2189f3e349b60f5795145473d724f8
Instruction ID: 826aeadebd3b61570b2df414282ba1ded2dec5d23250487a041fe15bde50b3a9
Opcode Fuzzy Hash: 824aad3e2e8bbb34760a51ec1746e5481d2189f3e349b60f5795145473d724f8
Instruction Fuzzy Hash: E011487A900218FFEB11DFA9CD81E9DBBB4FB09700F204092E604B7291D771AE11DB94

Function 0048B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0048B5A5
GetClientRect.USER32(?,?), ref: 004EE69A
GetCursorPos.USER32(?), ref: 004EE6A4
ScreenToClient.USER32(?,?), ref: 004EE6AF

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: af7a4aad87dcacb878055a67ea44745ccca1eb592154fafdeefbdea6ab4aa7da
Instruction ID: de829ba00011b7c5b7cc69215768a64422fb5618ca2903001e7e9b72aa53cd3e
Opcode Fuzzy Hash: af7a4aad87dcacb878055a67ea44745ccca1eb592154fafdeefbdea6ab4aa7da
Instruction Fuzzy Hash: 6D114C31900429BFDB11EFA5DC459FE77B9EF09309F500856F901E7240D738AA92CBA9

Function 004B732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004B7352
MessageBoxW.USER32(?,?,?,?), ref: 004B7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004B739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004B73A2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 80a803134bf660052429d5d3fde8b60369e757cbc943ba2c1f8c28768ae4c043
Instruction ID: c76a249f726a68a8fa2d8e64f67e9312c3faedaf8f83edb8951a0b50ac0a3082
Opcode Fuzzy Hash: 80a803134bf660052429d5d3fde8b60369e757cbc943ba2c1f8c28768ae4c043
Instruction Fuzzy Hash: A911E576A04204ABC7019B689C05AEF7BEE9B85310F144266FD21D3351D6748914D7B9

Function 0048D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
GetStockObject.GDI32(00000011), ref: 0048D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 59e9a08e90abc001f38090dea5a5a2bd5410f2f29fd67aeead3f2064314f04a5
Instruction ID: 816fd28ff46fe24a0ce6f670e82d3937fa6e8f5251105916f3116ac605ace82c
Opcode Fuzzy Hash: 59e9a08e90abc001f38090dea5a5a2bd5410f2f29fd67aeead3f2064314f04a5
Instruction Fuzzy Hash: 5511A172902509BFEB026F919C58EEEBB6AFF08364F040116FA0592190CB359C60EBA4

Function 004A4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004A4E16

Part of subcall function 004A54F5: __fltout2.LIBCMT ref: 004A551E

__cftog_l.LIBCMT ref: 004A4E3C
__cftoe_l.LIBCMT ref: 004A4E6E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 580c29c59e74f0ba3b38762f0ee9c22df0c5da6f38f01933d3fe5a42b6da496a
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 9D01427200014AFBCF125E84DD018EF3F22BBAE354B558456FE1859135D37ADAB1AB89

Function 00497452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00497A0D: __getptd_noexit.LIBCMT ref: 00497A0E

__lock.LIBCMT ref: 0049748F
InterlockedDecrement.KERNEL32(?), ref: 004974AC
_free.LIBCMT ref: 004974BF
InterlockedIncrement.KERNEL32(010E6000), ref: 004974D7

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: f3a093f1b9274df999377abc98fa4a0ccd50d63c2f4b79d4e4d9292bd95287ef
Instruction ID: 1aa6d5ff6cc52cad97f1669f0961b6d0e2c7ad8f5c886c2a9d53fa66cbec9877
Opcode Fuzzy Hash: f3a093f1b9274df999377abc98fa4a0ccd50d63c2f4b79d4e4d9292bd95287ef
Instruction Fuzzy Hash: 08018E31915622ABCF21AF25A80979EBF60BF05714F15412BF81467692C73C6941DBCA

Function 004DEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0048AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0048AFE3
Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048AFF2
Part of subcall function 0048AF83: BeginPath.GDI32(?), ref: 0048B009
Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004DEA8E
LineTo.GDI32(00000000,?,?), ref: 004DEA9B
EndPath.GDI32(00000000), ref: 004DEAAB
StrokePath.GDI32(00000000), ref: 004DEAB9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 30c626d8eb42bc6dccd61d804abcdce8b246063122fd7d34fae816d69e3f8598
Instruction ID: 0da2a9a498960624be48d6fab67f79e46728244fd02ebb24c97bb6b14b5f0b37
Opcode Fuzzy Hash: 30c626d8eb42bc6dccd61d804abcdce8b246063122fd7d34fae816d69e3f8598
Instruction Fuzzy Hash: CAF0E231401259BBDB12AFA4AD0EFDE3F1AAF16314F044103FB01652E18BB85521DBAD

Function 004AC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004AC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 004AC85D
GetCurrentThreadId.KERNEL32 ref: 004AC864
AttachThreadInput.USER32(00000000), ref: 004AC86B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 495a4f49b8732d36f588a969b2725aae94e973e4388e18872adb406ed55e19cd
Instruction ID: 6754905ba225cc223bd031e574bd20b36ca2970b5a51b1af27e1454827c8c5a3
Opcode Fuzzy Hash: 495a4f49b8732d36f588a969b2725aae94e973e4388e18872adb406ed55e19cd
Instruction Fuzzy Hash: 79E0657154122876EB102B62DC4DFEB7F5DEF177A1F008026B50DC4450C679C591C7E4

Function 004AB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004AB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,004AAC9D), ref: 004AB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004AAC9D), ref: 004AB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,004AAC9D), ref: 004AB0F1

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 440b80ad9892d3fb8232015bb0a9340e9cb51a3fa441bb33f4853bb64089d7cf
Instruction ID: 7a0e30bd378313125e74672dc469dafe5b4493f9e76cb03fc127a65128a779b1
Opcode Fuzzy Hash: 440b80ad9892d3fb8232015bb0a9340e9cb51a3fa441bb33f4853bb64089d7cf
Instruction Fuzzy Hash: F8E08632E01211AFD7201FB15D0CB5B3BA9EF56795F01C838F641D6080DB388411C768

Function 0048B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0048B496
SetTextColor.GDI32(?,000000FF), ref: 0048B4A0
SetBkMode.GDI32(?,00000001), ref: 0048B4B5
GetStockObject.GDI32(00000005), ref: 0048B4BD
GetWindowDC.USER32(?,00000000), ref: 004EDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 004EDE38
GetPixel.GDI32(00000000,?,00000000), ref: 004EDE51
GetPixel.GDI32(00000000,00000000,?), ref: 004EDE6A
GetPixel.GDI32(00000000,?,?), ref: 004EDE8A
ReleaseDC.USER32(?,00000000), ref: 004EDE95

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 90263245b60dcce18986e09d787bdebb50e276c557559bd5bd992dc9be8f3e4a
Instruction ID: b27f68cc1a0a35cc79bfbcfc8f803ed93c8e2cce73819dac7e4434b87e99cfa2
Opcode Fuzzy Hash: 90263245b60dcce18986e09d787bdebb50e276c557559bd5bd992dc9be8f3e4a
Instruction Fuzzy Hash: 0EE06D31900280AEDB212F68AC0DBED3F12EB12336F10C626FAA9580E2C3754590DB15

Function 004AB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004AB2DF
UnloadUserProfile.USERENV(?,?), ref: 004AB2EB
CloseHandle.KERNEL32(?), ref: 004AB2F4
CloseHandle.KERNEL32(?), ref: 004AB2FC

Part of subcall function 004AAB24: GetProcessHeap.KERNEL32(00000000,?,004AA848), ref: 004AAB2B
Part of subcall function 004AAB24: HeapFree.KERNEL32(00000000), ref: 004AAB32

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e3ffb078c8250375ce382d1f96aea2c50605b022ff2e255c03a32cbad7969c4e
Instruction ID: 5346c062901af815e40dba22b848888fd1eb89213d47a6d874ed3a489b507b15
Opcode Fuzzy Hash: e3ffb078c8250375ce382d1f96aea2c50605b022ff2e255c03a32cbad7969c4e
Instruction Fuzzy Hash: D8E0BF36504005BBCB012B95DC0886DFBA7FF993253108232F61581571CB32A471EB95

Function 004EB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004EB29A
GetDC.USER32(00000000), ref: 004EB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EB2C3
ReleaseDC.USER32 ref: 004EB2E2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 60af07703ba2a9c8665d61f33c51e3ef6e606c4b6a0904f384bcfd0c5c84fc10
Instruction ID: 8a7ab6a561b8b69281afe71f74b52b25e4a142615716b5f9a755015d3d9dad82
Opcode Fuzzy Hash: 60af07703ba2a9c8665d61f33c51e3ef6e606c4b6a0904f384bcfd0c5c84fc10
Instruction Fuzzy Hash: 4EE01AB1900204EFEB015F70884CA3E7BA6EF4C355F11882AF95ACB250CB789851DB48

Function 004EB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004EB2AE
GetDC.USER32(00000000), ref: 004EB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EB2C3
ReleaseDC.USER32 ref: 004EB2E2

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fb7fe1909ebdb4b51622deb6e3b69b43ac3a31915e5411d2e39c344d97c254fe
Instruction ID: 97e2a537be56dc6781c54fa1172953ca0e0557108b1c4d20545bf25fab9722ab
Opcode Fuzzy Hash: fb7fe1909ebdb4b51622deb6e3b69b43ac3a31915e5411d2e39c344d97c254fe
Instruction Fuzzy Hash: 6FE046B1900200EFEB016F70C84CA3D7BAAEB4C355F11882AF95ACB250CFB89811CB08

Function 004ADCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 004ADEAA

Strings

AutoIt3GUI, xrefs: 004ADE22
Container, xrefs: 004ADE29

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 1377c6f10d2d60490515aaa634c1329f79dbfc42481920eada220b04cfda7a1c
Instruction ID: 1881ead7e2b6c2e4afd1ca021908c6675bdd6edab842c07d058df04f369c9057
Opcode Fuzzy Hash: 1377c6f10d2d60490515aaa634c1329f79dbfc42481920eada220b04cfda7a1c
Instruction Fuzzy Hash: 41914874A00601AFDB14DF64C884B6ABBF5BF5A714F10846EF94ACB690DB74E841CB64

Function 004B290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004B2A72

Strings

I/N, xrefs: 004B29FC, 004B2A64, 004B2A12
I/N, xrefs: 004B297F

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscpy
String ID: I/N$I/N
API String ID: 3048848545-2393203907
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 14b72cb9adf4888a8699357692311c96ba151d09b84b3dd53305a717b733d02e
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: DF412A71A00216AACF25DF99D1819FEB770EF08314F50404FF885AB291D7B86E82C778

Function 0048BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0048BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0048BCF3

Strings

@, xrefs: 0048BCE8

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 810612dd959077ddf78e2f57f5b1d93352428cf77c85b44c75ecebf4af5e6c1f
Instruction ID: 2c7eeeb4f97e5bf4df506f918c6b3bc4e80426569b782967c5e24e083c8a6942
Opcode Fuzzy Hash: 810612dd959077ddf78e2f57f5b1d93352428cf77c85b44c75ecebf4af5e6c1f
Instruction Fuzzy Hash: 6B515672408744ABE320AF55D886BAFBBE8FF95358F414C4EF1C8410A2DF7484A9875A

Function 004BC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004744ED: __fread_nolock.LIBCMT ref: 0047450B

_wcscmp.LIBCMT ref: 004BC65D
_wcscmp.LIBCMT ref: 004BC670

Strings

FILE, xrefs: 004BC5A5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 83bf2e0e1318289970447647951b80fa89cf4a2453105c6f00b0f466b0ca3ebf
Instruction ID: 92bfadb3e2378eedd71a527c990d65e4e42eb2b7eb48fc2f38ff2a6b99ebcf3d
Opcode Fuzzy Hash: 83bf2e0e1318289970447647951b80fa89cf4a2453105c6f00b0f466b0ca3ebf
Instruction Fuzzy Hash: 91410872A0021ABADF109AA59C81FEF7BB9EF89714F00406BF615E7181D7789A04C765

Function 004DA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 004DA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004DA86F

Strings

', xrefs: 004DA7C3

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7fe5d561ca54ad7c23bfdf1548be7b951e1f6880a6728adcf32987838f9f697d
Instruction ID: 87d60e10d3cb58a29f7109d479d2beb5ea7ce2e22a7b0b2d083d167138cb36c1
Opcode Fuzzy Hash: 7fe5d561ca54ad7c23bfdf1548be7b951e1f6880a6728adcf32987838f9f697d
Instruction Fuzzy Hash: 0741F574E012099FDB14DFA8C891BEABBB9FB08304F10006BE905EB341D774A952DFA5

Function 004D975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004D980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004D984A

Strings

static, xrefs: 004D97AA

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 18b586f8cb8689149854b6cdd2ccff259a02ea57007833b6811078e65ded71c5
Instruction ID: 6f205114b044703304e21f5b0299622fe28f1c023bcef3c5d6dd52dd1b8fac4f
Opcode Fuzzy Hash: 18b586f8cb8689149854b6cdd2ccff259a02ea57007833b6811078e65ded71c5
Instruction Fuzzy Hash: FB319E71510604AAEB10AF75CC90BBB73A9FF59764F00861FF8A9D7290CB34AC81D768

Function 004B5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004B5201

Strings

0, xrefs: 004B51BF

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5aa530b0f52d48da0bc979d7c6904e2b41ca7a6bcfc21bf4fb4ae58ce3be3bc5
Instruction ID: f92841434f31668b427a709a25cb26938c64353bed5a60c13070549b450e3313
Opcode Fuzzy Hash: 5aa530b0f52d48da0bc979d7c6904e2b41ca7a6bcfc21bf4fb4ae58ce3be3bc5
Instruction Fuzzy Hash: 1731C5319016049FEB28CF99E8457DEFBF4AF45350F14445BE981A6290D7789944CF29

Function 004C658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 004C6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 004C65FA
, $, xrefs: 004C6648

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 8d2ab7a73ad3d983e1426e6b5930bb72b27e07dae5878ec1a8b077da844be530
Instruction ID: 7e7cced7577b310e0666fb89cc5453d65c744231409028b148100d50249e7fe7
Opcode Fuzzy Hash: 8d2ab7a73ad3d983e1426e6b5930bb72b27e07dae5878ec1a8b077da844be530
Instruction Fuzzy Hash: B5219135A00214ABCF10EFA5D881FED77B4BF45344F41805EF409AB181DA78EA45CBA9

Function 004D93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004D945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D9467

Strings

Combobox, xrefs: 004D9429

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 95d6a46f17b65a7dc4830f4f234c363c987afd3d78c9bc02f9f3bae27cdf5e5d
Instruction ID: e9447b01ea723bcb75d7669876113a8b86bdd1706a3f689aa54af1f3d0fba427
Opcode Fuzzy Hash: 95d6a46f17b65a7dc4830f4f234c363c987afd3d78c9bc02f9f3bae27cdf5e5d
Instruction Fuzzy Hash: 291190713002086FEF119E54DC90EBB376AEB583A4F10412BF918D73A1D6799C528BA8

Function 004DDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F

GetActiveWindow.USER32 ref: 004DDA7B
EnumChildWindows.USER32(?,004DD75F,00000000), ref: 004DDAF5

Strings

T1L, xrefs: 004DDAFB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1L
API String ID: 3814560230-767776119
Opcode ID: 0bc5cf83836b1c365ecba7eb34b8839635ccb3c129de88b3a6f5544a5a9dd915
Instruction ID: dd023729fe3266f991600f697eee9245d3481589125da9ddf1d865a76ed1b05f
Opcode Fuzzy Hash: 0bc5cf83836b1c365ecba7eb34b8839635ccb3c129de88b3a6f5544a5a9dd915
Instruction Fuzzy Hash: 2C213935604601DFC714DF78D861AA677E5FB59320F25061FE86A8B3E0DB34A805DB68

Function 004D98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0048D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
Part of subcall function 0048D17C: GetStockObject.GDI32(00000011), ref: 0048D1CE
Part of subcall function 0048D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8

GetWindowRect.USER32(00000000,?), ref: 004D9968
GetSysColor.USER32(00000012), ref: 004D9982

Strings

static, xrefs: 004D9945

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6b0959814d2d9ded3da7a60e045a0532dec68a7e01d78f858da4e82a1f721284
Instruction ID: f7458040597cde25af4761ca4b6a0c31a0c511f41286efe3b7b5a06936d1d64d
Opcode Fuzzy Hash: 6b0959814d2d9ded3da7a60e045a0532dec68a7e01d78f858da4e82a1f721284
Instruction Fuzzy Hash: C31129B2510209AFDB04DFB8CC55AFA7BA8FF09344F01562EF955E2250D738E851DB54

Function 004D9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004D9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004D96A8

Strings

edit, xrefs: 004D967D

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4c9c849215858e307a9c66b9d48ee1e050409f0aaed7367c566b97b22c221001
Instruction ID: 7c65577dc7b7d4404422d8dc899054e6177cc8531e99060e8df0782e6d0890d9
Opcode Fuzzy Hash: 4c9c849215858e307a9c66b9d48ee1e050409f0aaed7367c566b97b22c221001
Instruction Fuzzy Hash: 45116A71500108AAEF105FA4DC64AEB3B6AEB15378F104726F965D73E0C739DC51A768

Function 004B5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004B52F4

Strings

0, xrefs: 004B52CE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9d61ecd403c24673c3ff1b1895cb2f71c5b1bbf91ff30df427d450314c989bcc
Instruction ID: 46c84e44c654738cd7dbe04d782caec403932f77bd9b273ec41a020d9d5ec42e
Opcode Fuzzy Hash: 9d61ecd403c24673c3ff1b1895cb2f71c5b1bbf91ff30df427d450314c989bcc
Instruction Fuzzy Hash: 7E11D072901A14ABDB24DAB8D904BDEF7E8AB05750F080066ED01A7390D3B4ED06CBB9

Function 004C4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004C4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004C4E1E

Strings

<local>, xrefs: 004C4DE6

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9cf5437c7b7e853a5ae7cb57638715ceca6f643c77b7580abf7ea62cdb9d2ce6
Instruction ID: 755b7424b67f5b8e8db3130b834bd95fe1b6d871453318c6b2a71d77906506ff
Opcode Fuzzy Hash: 9cf5437c7b7e853a5ae7cb57638715ceca6f643c77b7580abf7ea62cdb9d2ce6
Instruction Fuzzy Hash: 2D11CE78500221BADB649F5188A8FFBFAA9FF46351F10822FF50686240D2786941C6F4

Function 0049A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004A37A7
___raise_securityfailure.LIBCMT ref: 004A388E

Strings

(S, xrefs: 004A3889

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (S
API String ID: 3761405300-2396237897
Opcode ID: cf377e35726f4bfd668eb1646971038f42a0143289ce372d8cab311a3d9f9ecf
Instruction ID: e6efdec580cafded971f8e4912cd14e4937a72909787175a01cc072c0e2b166f
Opcode Fuzzy Hash: cf377e35726f4bfd668eb1646971038f42a0143289ce372d8cab311a3d9f9ecf
Instruction Fuzzy Hash: C52168B5200304CBE710DF55F9A56013BF8BB29310F10A86AE5048B7E0E3F4A988FF49

Function 004CA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 004CA84E
htons.WSOCK32(00000000,?,00000000), ref: 004CA88B

Strings

255.255.255.255, xrefs: 004CA866

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: f056e614d3b055f0e898019945990661956a58d0b92deaf364bb1d7c08aed18f
Instruction ID: ac325fa9320c77c8878f63aa242d1729abbc200c32ef2d288ac7e16114bb986a
Opcode Fuzzy Hash: f056e614d3b055f0e898019945990661956a58d0b92deaf364bb1d7c08aed18f
Instruction Fuzzy Hash: 5D010479200308ABCB10EF68C886FA9B364EF05718F10842FF5169B3D1C739E821C76A

Function 004AB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004AB7EF

Strings

ComboBox, xrefs: 004AB78B
ListBox, xrefs: 004AB7B9

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 82a459086beef39f9168cdc2017857ae3914477436a9560d3e22c18924a2b58b
Instruction ID: a3e23b8a4a69dd48ad2a53d98b0170194daf5ac5cc8bab4ce363ea355915b0df
Opcode Fuzzy Hash: 82a459086beef39f9168cdc2017857ae3914477436a9560d3e22c18924a2b58b
Instruction Fuzzy Hash: 72012875A00114BBDB04EBA4DC429FE336AFF27314B00061EF462932C2EB78580887A8

Function 004AB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 004AB6EB

Strings

ComboBox, xrefs: 004AB687
ListBox, xrefs: 004AB6B5

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 6f9f19c6cce7e0e58500d47bfb4092ddd08af6f69ae40f905a58e73a990169b2
Instruction ID: 776a3142131d4a9b98a7151e5a98bd7f50c88b238f92f7d7470c51c53eac2337
Opcode Fuzzy Hash: 6f9f19c6cce7e0e58500d47bfb4092ddd08af6f69ae40f905a58e73a990169b2
Instruction Fuzzy Hash: 0B018475A41004BBDB04EBA5D952BFF73A9DF27344F10401EB402A32C2EB585E1897EA

Function 004AB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 004AB76C

Strings

ComboBox, xrefs: 004AB70A
ListBox, xrefs: 004AB738

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 1085736dd6a27774c3ca5d086f27d8c2fde0ab637d1a285bc11b885d075ce628
Instruction ID: 515ef73eac813bf18956b6d8a70f5ce33345b12d8a9302c44f6ae0530cf7b1e2
Opcode Fuzzy Hash: 1085736dd6a27774c3ca5d086f27d8c2fde0ab637d1a285bc11b885d075ce628
Instruction Fuzzy Hash: CD01A779A40104BBDB00E7A4D952AFF73AD9F27344F50401EB402B3192EB985E1987F9

Function 00494D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00494D9E
__calloc_crt.LIBCMT ref: 00494DB7

Strings

"S, xrefs: 00494DCE

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: __calloc_crt
String ID: "S
API String ID: 3494438863-2984366834
Opcode ID: a2ecc2e9b70fca7badb49a7f77e19e0aaca8d1806390abc4b63a8ffa2a795b83
Instruction ID: 5474d52bac0c1be23e6bf051b228122a8d8802566c9712ea45b633971ab27e26
Opcode Fuzzy Hash: a2ecc2e9b70fca7badb49a7f77e19e0aaca8d1806390abc4b63a8ffa2a795b83
Instruction Fuzzy Hash: C0F0C879209A115AEB149B59FC51E676FD4FB64764F10023FF204CA384E738C8435B99

Function 00474024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00470000,00000063,00000001,00000010,00000010,00000000), ref: 00474048
EnumResourceNamesW.KERNEL32(00000000,0000000E,004B67E9,00000063,00000000,75C10280,?,?,00473EE1,?,?,000000FF), ref: 004E41B3

Strings

>G, xrefs: 00474028

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >G
API String ID: 1578290342-1296849874
Opcode ID: 45e21f6cae4c71a041587b1aca3572d897446e6333d2251df7d4dbd039e68508
Instruction ID: 0c568351fc0575fb710a0af91748b29c9b4658e72fdf68d49025b23229df8517
Opcode Fuzzy Hash: 45e21f6cae4c71a041587b1aca3572d897446e6333d2251df7d4dbd039e68508
Instruction Fuzzy Hash: 31F06D31640754B7E6204B2AAC4AFE23AA9E765BB5F104506F214AA2D0D3E49194EAEC

Function 004B7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004B7762
_wcscmp.LIBCMT ref: 004B7774

Strings

#32770, xrefs: 004B776E

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c0d83d273308a5156c52328c223eaec60b56710f23fbaf4948332dfe56aca2cb
Instruction ID: 5076256de13d3eb05ff916d81671356dc5e791e5288d143172f44358bf3a5b66
Opcode Fuzzy Hash: c0d83d273308a5156c52328c223eaec60b56710f23fbaf4948332dfe56aca2cb
Instruction Fuzzy Hash: 83E09277A0422527DB10AAA6AC49ED7FFACAB91764F01006AB905D3181D668A605C7E4

Function 004AA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004AA63F

Part of subcall function 004913F1: _doexit.LIBCMT ref: 004913FB

Strings

Error allocating memory., xrefs: 004AA638
AutoIt, xrefs: 004AA633

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 56b81112fa89af1d80a95150fe3142abedc5722548910c250ce587eb20127e68
Instruction ID: 9788727f4bf76b0a4e500f46e75eab2c6aa042f2a7904ae8268ca8f5034449e2
Opcode Fuzzy Hash: 56b81112fa89af1d80a95150fe3142abedc5722548910c250ce587eb20127e68
Instruction Fuzzy Hash: C8D05B313C432833E21436997C17FDD79489F15B55F04442BBF0C955D349DA969042ED

Function 004EAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 004EACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 004EAEBD

Strings

WIN_XPe, xrefs: 004EACD3

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: e8dc4ca871ea50c98923e1f3f5f1cf2ffb92e1fd52a87ce4f1a5eb90e0364113
Instruction ID: 71fe41909f48761e635a25e8e59bf1b8c1b738b0e53a10f663c3753543424ae9
Opcode Fuzzy Hash: e8dc4ca871ea50c98923e1f3f5f1cf2ffb92e1fd52a87ce4f1a5eb90e0364113
Instruction Fuzzy Hash: D2E0E570C00549DFCB11DBA6D9449EDB7B8AB58301F2480D7E112B2660D7746A95DF2A

Function 004D86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D86E2
PostMessageW.USER32(00000000), ref: 004D86E9

Part of subcall function 004B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0

Strings

Shell_TrayWnd, xrefs: 004D86DB

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 36b1708e3a8956df1d47da92078f24e39bb343a60c3af80501d684ab1bf54d2c
Instruction ID: 958b4f5651b1ce7ecfa1fdf42f6a4670c4448d1c94577d88f25bfe65e196154f
Opcode Fuzzy Hash: 36b1708e3a8956df1d47da92078f24e39bb343a60c3af80501d684ab1bf54d2c
Instruction Fuzzy Hash: 57D0C9317853247BF3656770AC0BFD67A59AB49B11F100829B649EA1D0C9A4A950C668

Function 004D8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004D86B5

Part of subcall function 004B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0

Strings

Shell_TrayWnd, xrefs: 004D869B

Memory Dump Source

Source File: 00000000.00000002.1761576351.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.1761557366.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761633022.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761674456.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761701746.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_RFQ 3100185 MAHAD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1bd3c7405a98666d4afab5f0d38d87c8a01855229576a4ff055cae6a030da5c5
Instruction ID: 464797ce15f72da5e30cf9846953eb1163eb08261301cbc93442695cf3757e96
Opcode Fuzzy Hash: 1bd3c7405a98666d4afab5f0d38d87c8a01855229576a4ff055cae6a030da5c5
Instruction Fuzzy Hash: 59D0C931784324B7E3646770AC0BFD67E59AB44B11F100829B649AA1D0C9A4A950C668

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ 3100185 MAHAD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autE378.tmp

C:\Users\user\AppData\Local\Temp\indivisibility

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
RFQ 3100185 MAHAD.exe

Function 0049B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00473D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0048DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0047406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 004BFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00473F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 004BBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00473742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00473E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 0049ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 01108240 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 004749FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 004736B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01107FE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON