Edit tour

Windows Analysis Report
S12.exe

Overview

General Information

Sample name:	S12.exe
Analysis ID:	1562140
MD5:	ffd8b14a461473ffc4f11bcfcc5455c0
SHA1:	decdfeb89ce19547d312b0bd3f905a21d11dac8f
SHA256:	02a5fca125cbaa58a96ad120e3fc159dc9db2b5e5eaa724fa749734ed75546ab
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Renames NTDLL to bypass HIPS

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

S12.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\S12.exe" MD5: FFD8B14A461473FFC4F11BCFCC5455C0)

S12.exe (PID: 2700 cmdline: "C:\Users\user\Desktop\S12.exe" MD5: FFD8B14A461473FFC4F11BCFCC5455C0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: S12.exe PID: 5624	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: S12.exe PID: 2700	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\S12.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\S12.exe, ProcessId: 5624, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\QQWER.dll

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\QQWER.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: S12.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 0.2.S12.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 5.2.S12.exe.10000000.2.unpack

Source: S12.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: devco n.pdbo source: S12.exe
Source:	Binary string: wntdll.pdbUGP source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: wntdll.pdb source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: DrvInDM U.pdbe source: S12.exe
Source:	Binary string: wuser32.pdb source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Source:	Binary string: devc@on.pdb source: S12.exe
Source:	Binary string: wuser32.pdbUGP source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr

Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018EEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10018801
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_10017804
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10013C18
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10011C1A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A031
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10024C38
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001385A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10002461
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000F472
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1001847E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10022882
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_10006495
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006C96
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FCB0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_100198CC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100188E1
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A4E7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_1000B90D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10003116
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FD4D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10001D56
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10025977
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10010199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008DA3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100111A7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007DB8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	0_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_100259D9
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100189E6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000FDEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100101FB
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10014203
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000B61E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A236
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008E40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FA6F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10022A80
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10011E89
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A6C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_10017ECA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10008EDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001BADE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100246E4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FF10
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008B27
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001BB29
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_10015B34
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000833D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	0_2_10012B40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1000634E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000B353
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10026356
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017B68
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1000A7A2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100137A3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000F7AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008BC4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10013FC8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007BCA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10005FDA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100253E7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000B3F0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10018EEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10018801
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_10017804
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10013C18
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10011C1A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A031
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10024C38
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001385A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10002461
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1000F472
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_1001847E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10022882
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	5_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_10006495
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10006C96
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FCB0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_100198CC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100188E1
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001A4E7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_1000B90D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10003116
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FD4D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10001D56
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10025977
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10010199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008DA3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100111A7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10007DB8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	5_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_100259D9
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_100189E6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1000FDEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100101FB
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10014203
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1000B61E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001A236
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008E40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FA6F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10022A80
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10011E89
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001A6C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_10017ECA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	5_2_10008EDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001BADE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_100246E4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FF10
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008B27
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001BB29
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_10015B34
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000833D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	5_2_10012B40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1000634E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000B353
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_10026356
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	5_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10017B68
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	5_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_1000A7A2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_100137A3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000F7AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008BC4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10013FC8

Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188

Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache

Source: S12.exe, 00000000.00000002.2719852664.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E5%AD%98%E6%A1%A3/
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt.
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt0
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt2658-3693405117-2476756634-1003
Source: S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8E
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt:&B
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt=
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtbP
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txth
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://82.156.239.188/123.txt
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmP
Source: S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtwsock.dll.mui1
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty
Source: S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/-E
Source: S12.exe	String found in binary or memory: http://82.156.239.188/123.txt
Source: S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txt-2476756634-1003N
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtpP
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtu
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtxt
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtxt1P
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtz
Source: S12.exe	String found in binary or memory: http://ocsp.t
Source: S12.exe	String found in binary or memory: http://sf.symc
Source: S12.exe	String found in binary or memory: http://ts-ocsp.ws.s
Source: S12.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.
Source: S12.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: S12.exe	String found in binary or memory: https://ww(w.v

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,

0_2_1001F2ED

Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_a0b33def-1

Source: Yara match	File source: Process Memory Space: S12.exe PID: 5624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S12.exe PID: 2700, type: MEMORYSTR

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_10007FDD NtClose,	0_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001419C ReleaseMutex,NtClose,	0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001221F NtClose,	0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_10007FDD NtClose,	5_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001419C ReleaseMutex,NtClose,	5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001221F NtClose,	5_2_1001221F

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_10002628	0_2_10002628
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_100032EA	0_2_100032EA
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_10002628	5_2_10002628
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_100032EA	5_2_100032EA

Source: C:\Users\user\Desktop\S12.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Code function: String function: 10029640 appears 130 times

Source: 602d46.tmp.0.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 60bae0.tmp.5.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: 602d46.tmp.0.dr	Static PE information: No import functions for PE file found
Source: 60bae0.tmp.5.dr	Static PE information: No import functions for PE file found

Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000000.00000002.2720833506.0000000002BEC000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000000.00000002.2721133599.0000000002E24000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000000.00000003.1469901007.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000005.00000002.2721522199.0000000002E67000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000005.00000002.2721298956.0000000002D2A000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000005.00000003.1832201461.0000000002B70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe

Source: S12.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: QQWER.dll.0.dr

Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337

Source: 602d46.tmp.0.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal76.evad.winEXE@2/12@0/1

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_0040E048 GetDiskFreeSpaceExA,

0_2_0040E048

Source: C:\Users\user\Desktop\S12.exe

File created: C:\Users\user\Desktop\QQWER.dll

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\S12.exe

File created: C:\Users\user\AppData\Local\Temp\602d46.tmp

Jump to behavior

Source: S12.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\S12.exe

File read: C:\Users\user\Desktop\ .ini

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\S12.exe "C:\Users\user\Desktop\S12.exe"
Source: unknown	Process created: C:\Users\user\Desktop\S12.exe "C:\Users\user\Desktop\S12.exe"

Source: C:\Users\user\Desktop\S12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

File written: C:\Users\user\Desktop\ .ini

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Window detected: Number of UI elements: 27

Source: S12.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: S12.exe

Static file information: File size 4943872 > 1048576

Source: S12.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13b000
Source: S12.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x256000
Source: S12.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000

Source:	Binary string: devco n.pdbo source: S12.exe
Source:	Binary string: wntdll.pdbUGP source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: wntdll.pdb source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: DrvInDM U.pdbe source: S12.exe
Source:	Binary string: wuser32.pdb source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Source:	Binary string: devc@on.pdb source: S12.exe
Source:	Binary string: wuser32.pdbUGP source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 0.2.S12.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 5.2.S12.exe.10000000.2.unpack

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_004AB900 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004AB900

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: QQWER.dll.0.dr	Static PE information: section name: .Upack
Source: 602d46.tmp.0.dr	Static PE information: section name: RT
Source: 602d46.tmp.0.dr	Static PE information: section name: .mrdata
Source: 602d46.tmp.0.dr	Static PE information: section name: .00cfg
Source: 602da4.tmp.0.dr	Static PE information: section name: .didat
Source: 60bae0.tmp.5.dr	Static PE information: section name: RT
Source: 60bae0.tmp.5.dr	Static PE information: section name: .mrdata
Source: 60bae0.tmp.5.dr	Static PE information: section name: .00cfg
Source: 60bb2f.tmp.5.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_0051AA60 push eax; ret	0_2_0051AA8E
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_0051CCD4 push eax; ret	0_2_0051CCF2
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1002C7F8 push edi; ret	0_2_1002C7FC
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_0051AA60 push eax; ret	5_2_0051AA8E
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_0051CCD4 push eax; ret	5_2_0051CCF2
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1002C7F8 push edi; ret	5_2_1002C7FC

Source: QQWER.dll.0.dr	Static PE information: section name: .rsrc entropy: 7.999713933191419
Source: 602d46.tmp.0.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 60bae0.tmp.5.dr	Static PE information: section name: .text entropy: 6.844715065913507

Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\Desktop\QQWER.dll	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\60bb2f.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\602d46.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\60bae0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\602da4.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\S12.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run			Jump to behavior

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,		0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,		5_2_1001F2ED

Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\S12.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-22256

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\60bb2f.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\60bae0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\602d46.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\602da4.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\S12.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers,

0_2_1000710E

Source: S12.exe, 00000005.00000002.2719959118.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(&
Source: S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: S12.exe, 00000000.00000002.2719852664.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*

Source: C:\Users\user\Desktop\S12.exe	API call chain: ExitProcess graph end node			graph_0-22370
Source: C:\Users\user\Desktop\S12.exe	API call chain: ExitProcess graph end node			graph_5-22369

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_10004B1B LdrInitializeThunk,

0_2_10004B1B

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_004AB900 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004AB900

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]	0_2_1001A4C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]	0_2_1000AE99
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001A4C7 mov eax, dword ptr fs:[00000030h]	5_2_1001A4C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1000AE99 mov eax, dword ptr fs:[00000030h]	5_2_1000AE99

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA,

0_2_10027BB0

Source: C:\Users\user\Desktop\S12.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process token adjusted: Debug			Jump to behavior

Source: S12.exe, 00000005.00000002.2719959118.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow@
Source: S12.exe	Binary or memory string: Shell_TrayWnd
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: S12.exe	Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow3260

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_10019EDC cpuid

0_2_10019EDC

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_00536062 GetVersion,InitializeCriticalSection,

0_2_00536062

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Registry Run Keys / Startup Folder	2 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 LSASS Driver	1 Registry Run Keys / Startup Folder	2 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	4 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
S12.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\QQWER.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\602d46.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\602da4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\60bae0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\60bb2f.tmp	0%	ReversingLabs
C:\Users\user\Desktop\QQWER.dll	73%	ReversingLabs	Win32.Infostealer.OnlineGames

Source	Detection	Scanner	Label
http://82.156.239.188/123.txt-2476756634-1003N	0%	Avira URL Cloud	safe
http://82.156.239.188/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt	0%	Avira URL Cloud	safe
http://82.156.239.188/%E5%AD%98%E6%A1%A3/	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt:&B	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt=	0%	Avira URL Cloud	safe
http://82.156.239.188/123.txtpP	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8E	0%	Avira URL Cloud	safe
http://82.156.239.188/123.txtxt1P	0%	Avira URL Cloud	safe
http://82.156.239.188/-E	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://82.156.239.188/123.txt	0%	Avira URL Cloud	safe
http://82.156.239.188/	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt.	0%	Avira URL Cloud	safe
http://82.156.239.188/123.txtz	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt2658-3693405117-2476756634-1003	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmP	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtbP	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txth	0%	Avira URL Cloud	safe
http://82.156.239.188/123.txt	0%	Avira URL Cloud	safe
http://82.156.239.188/123.txtxt	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtwsock.dll.mui1	0%	Avira URL Cloud	safe
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt0	0%	Avira URL Cloud	safe
http://82.156.239.188/123.txtu	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/123.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://82.156.239.188/123.txtxt1P	S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt=	S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com)DVarFileInfo$	S12.exe	false		high
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty	S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ts-ocsp.ws.s	S12.exe	false		high
http://ts-ocsp.ws.symantec.	S12.exe	false		high
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8E	S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ww(w.v	S12.exe	false		high
http://82.156.239.188/123.txt-2476756634-1003N	S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E5%AD%98%E6%A1%A3/	S12.exe	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt:&B	S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt	S12.exe	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/123.txtpP	S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.t	S12.exe	false		high
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://82.156.239.188/123.txt	S12.exe	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt2658-3693405117-2476756634-1003	S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmP	S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sf.symc	S12.exe	false		high
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt.	S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/	S12.exe, 00000000.00000002.2719852664.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/-E	S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtbP	S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/123.txtz	S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txth	S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/123.txtxt	S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt0	S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtwsock.dll.mui1	S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.156.239.188/123.txtu	S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.156.239.188	unknown	China		12513	ECLIPSEGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562140
Start date and time:	2024-11-25 08:54:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	S12.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@2/12@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: S12.exe

Simulations

Behavior and APIs

Time	Type	Description
08:55:11	Task Scheduler	Run new task: {907B6577-6119-46F8-9ED5-D8D8FCDEBAE4} path:
08:55:49	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\S12.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECLIPSEGB	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	109.176.209.168
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	82.157.53.13
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	109.176.92.124
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	82.156.131.242
	byte.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	81.168.53.52
	byte.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	194.46.57.137
	Q4UjkaEwAS.exe	Get hash	malicious	Unknown	Browse	82.156.90.96
	SecuriteInfo.com.Win32.DropperX-gen.17897.26677.exe	Get hash	malicious	Unknown	Browse	82.156.90.96
	debug.dbg.elf	Get hash	malicious	Gafgyt, Mirai	Browse	82.156.228.94
	fCr6yd61xw.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	109.176.30.246

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\602da4.tmp	215.exe	Get hash	malicious	Unknown	Browse
	S4.exe	Get hash	malicious	Unknown	Browse
	208.exe	Get hash	malicious	Unknown	Browse
	99.exe	Get hash	malicious	Unknown	Browse
	211.exe	Get hash	malicious	Unknown	Browse
	212.exe	Get hash	malicious	Unknown	Browse
	214.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\602d46.tmp	215.exe	Get hash	malicious	Unknown	Browse
	S4.exe	Get hash	malicious	Unknown	Browse
	208.exe	Get hash	malicious	Unknown	Browse
	99.exe	Get hash	malicious	Unknown	Browse
	211.exe	Get hash	malicious	Unknown	Browse
	212.exe	Get hash	malicious	Unknown	Browse
	214.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\602d46.tmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 215.exe, Detection: malicious, Browse Filename: S4.exe, Detection: malicious, Browse Filename: 208.exe, Detection: malicious, Browse Filename: 99.exe, Detection: malicious, Browse Filename: 211.exe, Detection: malicious, Browse Filename: 212.exe, Detection: malicious, Browse Filename: 214.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\602da4.tmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 215.exe, Detection: malicious, Browse Filename: S4.exe, Detection: malicious, Browse Filename: 208.exe, Detection: malicious, Browse Filename: 99.exe, Detection: malicious, Browse Filename: 211.exe, Detection: malicious, Browse Filename: 212.exe, Detection: malicious, Browse Filename: 214.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\60bae0.tmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\60bb2f.tmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ .bmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PC bitmap, Windows 3.x format, 88 x 30 x 24, image size 7920, cbSize 7974, bits offset 54
Category:	dropped
Size (bytes):	7974
Entropy (8bit):	5.673356453027983
Encrypted:	false
SSDEEP:	192:Ff/ZR+G5hr4gwFy2EmU8fTDAa/AUdiwcWOWNnLV:FfbEzsxUdinWDh
MD5:	7E50424DE95D765740BCE30899FA4E3B
SHA1:	306B279E18EB8830960449758C025C0F13F7A484
SHA-256:	1886332AA5F083560E14B3E7DAEF8BFBFA7BE16FBD93CC10CD84C11C87014AA6
SHA-512:	4E9349366B4A16111B47E6E78D289DC22892BA7B2E5E5A8F46C808CA268FEEE1D7483A4E43F46686DB24E4C50C4BABBD2A8722D323A25C7656F31C45D186B5A3
Malicious:	false
Preview:	BM&.......6...(...X...................................P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1....................................................................................................................................................................................\|..p.........................................................................~..~..}..}..}..{..{..{..{..z..y..y..x..x..w..w..w..v..u..u..u..t..t..s..s..r..q..q..q..q..p..o..o..n..n..m..m..l..k..k..j..j..i..i..h..h..h..h..g..f..f..e..e..o........................................................................~..~..~..}..}..{..{..{..z..z..z..y..x..x..w..w..w..

C:\Users\user\Desktop\ .bmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PC bitmap, Windows 3.x format, 113 x 35 x 24, image size 11900, cbSize 11954, bits offset 54
Category:	dropped
Size (bytes):	11954
Entropy (8bit):	5.409855539827035
Encrypted:	false
SSDEEP:	192:fZQMVQGPMZvJHDbHCWRi+vExCtcPvo+zyjDEz4D5fpDvzmJ7If8:fZQyQ+GhXb/eycPvvzyjgz49fpjzmJ8E
MD5:	C493B0AA16D37E5FEFD7B9122541CE9C
SHA1:	1C472E2C8E6D10D5B266F88EC2FD054413470D4E
SHA-256:	F98734C3B9559D549C65DCE47EE33E7037EB35055B548B7D0B4773777052FFB5
SHA-512:	1819E0B95F10BC019217B59F2540E01C6D05F10F0AF8F8EBBF5EEFC5DB0EA15E715858DF2CD0E2A23E37E415F540016174C8C7741DAAE30686FFE6E8019C449C
Malicious:	false
Preview:	BM........6...(...q...#...........\|...................) .) ..b$.+../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.+.b$) ..F4..+.#...............................................................................................~..~..}..}..\|..\|..{..\|..{..{..z..z..y..y..x..x..w..w..v..w..v..v..u..u..t..t..s..s..r..r..q..r..q..q..p..p..o..o..n..n..m..m..l..m..l..l..k..k..j..j..i..i..h..h..g..h..g..g..f..f..g..w..".+..+...................................................................................................~..~..}..~..}..}..\|..\|..{..{..z..z..y..y..x..y..x..x..w..w..v..v..u..u..t..t..s..t..s..s..r..r..q..q..p..p..o..o..n..o

C:\Users\user\Desktop\ .bmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PC bitmap, Windows 3.x format, 30 x 30 x 24, image size 2760, cbSize 2814, bits offset 54
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	6.009651948393757
Encrypted:	false
SSDEEP:	48:twMisdyOfXdCbp////K8//fPLoM7P7xN7e9oS/v/0lUpR2WC7Hn:7yO/dC1////T//fP8gu3/v/0lUpR2b7H
MD5:	BE0F9D021BF9ED2CEA9572D88BFA9E02
SHA1:	8DE179621E6E5C5DEDF5C8F5A3F917062C7ACDD4
SHA-256:	8629EDCDBA642EEECA74DD4CFBF72AA1FF61C8039D8851175017E582B25E64B8
SHA-512:	849FA4B9883800A490F558A35361FB2849D986D1917AF7FF5F45AF2E2EEC758BC33C0CF7D20BDC108D29D0FE1021B6390E12B9BB02DEDAF33C442AD633124B9E
Malicious:	false
Preview:	BM........6...(.......................................$3+&4+'6+'7,(8+':,)<+)=+)>,)?-A+)@+)A+B,+D,+D,+F++F,,I,+H,+I,,K-.L,-M,-M,-N,.O..Q./R./S..+$.$.,%0%2+%3+&4,&5+'6,(8+(9(#5# 6!.:!.;".;!.=#.<".>".>".?".?!.A#.@" A# B" C#!C&$E(I,,J..")#*$,$,+$.+$/,%1+%2+%3($0#.C)..-...../../../../../../../../../../../../.....,..(.}(D.."&)"'"()")"("#,$-+$.#.',..0..1..0..1..0..1..0..0..1..0..0..0..1..1..0..1..0..0...s.. "!#)!$!%"&#'"("),$-#.$6 .6 .6 .6 .6 .6 .6 .6..6 .6 .6..6 .6..6 .6 .6 .6 .6 .6 ./ ...)..(. ) !) !* #) #)!$)0,;Y&1G=+.>(.>(.>(.>(.>(.>(.>(.>(.>'.>(.>(.>(.>(.>(.>(.>'.>(.>(.4$...)..)..) ) ). ) )!"/x.0..8..5U.B7.F0.G0.G0.F/.G0.G0.F/.G0.F/.F/.F/.F/.F/.F/.F/.G0.G0.9).....)..)..(..)..(..(..=..>..<..S..Jd.K9.O8.O7.O7.O8.O8.O8.O8.O8.O8.O7.O8.O7.O8.O8.O8.O8.>-...)..)....)........Jjp[..c..B..D..HF.W?.W?.W?.W?.W?.W@.W@.W@.W@.V?.W@.W?.W@.W@.W@.W?.C2...)..(..)..(..)..(..)..,"!FUYQ..:..9..VN.]E.]F.]H.]J.^M.^R.^X.^V.]P.]M.]J.]G.]E.]E.]F.]E.G6...)..)..)..)..)..)..)..)..).

C:\Users\user\Desktop\ .bmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	931
Entropy (8bit):	7.686509007424359
Encrypted:	false
SSDEEP:	24:P5FBJ4EF5F6lwDXJwWtWXeStXMyNr2Y5idf3Gi7:P57PF6l4XeeuNJNr5Kf2o
MD5:	4FEDCB19004834F7720C4CD7C387F98A
SHA1:	C05E45AC4FC4DF921E8C11574DE42AA48ED21809
SHA-256:	D24F79618C29D22DEE06477554CBDA92C7C0226DF9688133271996EDF2332DD3
SHA-512:	928A32FAA980C6CCCDD4251072F3096A3194FA5D59DD03B74273D69FFF6BD0C7C882A440D7A20A3DA2807D892D1B20E4E3A624919CB21E593CC0F38E8B600878
Malicious:	false
Preview:	.PNG........IHDR..............T<.....sRGB.........gAMA......a.....pHYs..........o.d...8IDATHK..kH.Q...,..........zk+.n.y.`-0.l-5..Pi...X.i.e....Y..A.].!D%#.2*.HB+(+(..m....J.k.<...}.3s.C.:,.=!...`O...".....Rpqv...b.W.'I=k7aER8R.._.Z./....+..v.7Wg...H.9...ip.JR..........A.%...u.c..3..6,)L.3.r7..rx..>.O.2FJ.R.16R..F\...!._.5..E............r...!a.A...O.;h.+L..\|.-f.7..T3.u....Rx{z........0....M4..~s....p.-.w{...x......9-.w.~v&Jo98"C5x..8>....sL>.E~v.\|.......U.rlg.y.}....3Q)..&n}...+...O8.O..2\~..(A.........:......c.b..'%.(.....O.W..F....'j_.h4~J.2.>..1%.........2>.Z....J.Y.C4L.fk.r.u.c.f.....r:.V"..%...(FAv.(K.H.F..c..w..0p.H@..Bd...N..].....1...,.M7.....2._p.........6.`...&4......637/.!&..;i?;.@.R.$.q.5..m9..u.y>.LOk.X.s..>k?....<?....PQ............r6..E[..fX..s.:.....G.IH.?la..=_.J...8.4....F.;.yI.>.R.+O.lv..s.+.......h!.......-..,..&I=k7.......a..'dED...Y...{...>.g........IEND.B`.

C:\Users\user\Desktop\ .ini

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:Vv:Vv
MD5:	6CAEF80C0A930A24861D178A7E6BDEA6
SHA1:	BEE0E634AE94E72C73BF17B5F97D9F9BDDE2DAD0
SHA-256:	004A2BE320DC08F26F0BBB9919DDBDE7EE6A4D291A63E1C769C1A9F0F9C70286
SHA-512:	A183F3934D08AA52956A01DE9D13D83C3437E55149F153B011DA8F02E04E513F571EE334A4256829504521F667D5174D806EDC3EE251953D77F96EDD896D89DC
Malicious:	false
Preview:	[Cofig]..Z1=..Z2=..

C:\Users\user\Desktop\CF1.bmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
Category:	dropped
Size (bytes):	14774
Entropy (8bit):	4.868699837953847
Encrypted:	false
SSDEEP:	384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
MD5:	EE883808D176D23096A2D4F339C84368
SHA1:	D901775EDE136567215ABE718023C1A62F46A0A6
SHA-256:	3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
SHA-512:	F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
Malicious:	false
Preview:	BM.9......6...(...z...(............9..............................................................................................................................~..~..~..~..}..}..}..}..\|..\|..{..{..{..{..z..z..z..z..y..y..x..y..x..x..w..x..w..w..v..v..v..v..u..u..t..t..t..t..s..s..s..s..r..r..q..r..q..q..p..q..p..p..o..o..o..o..n..n..m..n..m..m..l..l..l..l..k..k..j..k................................................................................................................~..~..}..}..}..}..\|..\|..\|..\|..{..{..z..{..z..z..y..z..y..y..x..x..x..x..w..w..v..v..v..v..u..u..u..u..t..t..s..t..s..s..r..s..r..r..q..q..q..q..p..p..o..p..o..o..n..n..n..n..m..m..l..m..l..l..k..l..k..k..j..j...............................................................................................................~..~..~..~..}..}..\|..}..\|..\|..{..{..{..{..z..z..y..z.

C:\Users\user\Desktop\QQWER.dll

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	687517
Entropy (8bit):	7.999653084247243
Encrypted:	true
SSDEEP:	12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
MD5:	4B7109E2F77FF15219B81079DF8C12B2
SHA1:	AB3BF417AF304B83CD49707E399BC06E1E10D519
SHA-256:	BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
SHA-512:	770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZKERNEL32.DLL..LoadLibraryA....GetProcAddress..UpackByDwing@...PE..L..................!...9.`..........`X.......p......................................................................,[..q....[..............................H........................................................................................Upack..............................`....rsrc............{..................`........[...............Z...Z...Z...Z...Z.......Z...Z...X.......[.......Y......\|...........u...............................*..T...h........Zx.)1Y"F..,...L..F.4."W\|..5P......A...c]...J..X.;/.T..\|...~.d.W..........(k.../.!.y..0Kol.Ty..N...yg....-.GI....@.c..g:...!.Oo..j..N.h6x..9)B.Iw.4Z}..g.CCN......X...:.`......!y.p.^=..;..!.......83..W..W...h.?$R.Q....$..+......... 6....3..i...<.Z.\...r.T....,.).s..~.V.......^].k.[....bQ....+Y.';C.._.R. fq......y..X.8t2.J.....4B...m.....A...a.8..F....51mt6e..Yec..A...q......:..)..l.O!.S..8.f..X....k.....!B..Z<.\.C....kc(...0..#.M}+@..X.g;P..r....x.

C:\Users\user\Desktop\dt3.bmp

Download File

Process:	C:\Users\user\Desktop\S12.exe
File Type:	PC bitmap, Windows 3.x format, 35 x 20 x 24, image size 2160, cbSize 2214, bits offset 54
Category:	dropped
Size (bytes):	2214
Entropy (8bit):	3.158509986026752
Encrypted:	false
SSDEEP:	48:JouFFFFFF8JuJuJuJuJuJuJuJuzQotg8UOub4FFXF2UuJuJVHuFFFFFF8JuJuJuf:yuFFFFFFAtgoFFXFZuFFFFFFf
MD5:	DF205D271276F748CEF591CBD2DB34AD
SHA1:	78CF2060CEE78621E753CADA5317CFACB81A88DD
SHA-256:	437ED3561E75CF67ADC1A44CEDBFC57874EDF85C2D84E8F1484E2CBDD4EED7EB
SHA-512:	11FA8EAAB577FB1B828187D79AA862E6AA7B1CAE55143AFC4F007DF71D0B66659AFAD26533125F2DE37FB31E57E2043265F08E7042434593DA988279FCA33538
Malicious:	false
Preview:	BM........6...(...#...............p...................%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%.....%..%..%..%..%...........%..%..%..%..%..%..............%..%..%..%..%..%..%..%..%.....%..%........%..%..%........%..%..%........%.....%..%...........%.....%..%........%..%........%..%..%..%.....%..%..$..%........$..%........$..%........$........%..$..%..............%........%..............%..%..$.....%..%..%..%...........%........%..%........%........%...........%..%..............%........%..%..%..%..%.....%..%..%..%........%..%..%........%........%..%..%..%..%..%...........%............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.398229831597223
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	S12.exe
File size:	4'943'872 bytes
MD5:	ffd8b14a461473ffc4f11bcfcc5455c0
SHA1:	decdfeb89ce19547d312b0bd3f905a21d11dac8f
SHA256:	02a5fca125cbaa58a96ad120e3fc159dc9db2b5e5eaa724fa749734ed75546ab
SHA512:	33e6d090996d40f1559c6ba02f2103274414ebfe7159e422b029911fb0e0466542bd8094195d480a7bb48146469cd42dbff0050448ebee2b058192adb68f171d
SSDEEP:	98304:gX6dIcvdKoRdqPSNtQ16dOzZqtQ16dOzZv:V0ok6Al6AV
TLSH:	BF36AD133612C8A6D21027F451A1D378EA785FA43C35CA43EBF0FDA7BD326639E16589
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................q...........................A...q......................................................

File Icon


Icon Hash:	0f715cc9e765712b

Static PE Info

General

Entrypoint:	0x519469
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6740BCC2 [Fri Nov 22 17:17:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	18a1e39382b63e85ee686680a4f065d3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 007865C8h
push 0051C2D4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0053C1C4h]
xor edx, edx
mov dl, ah
mov dword ptr [007E4FE4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [007E4FE0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [007E4FDCh], ecx
shr eax, 10h
mov dword ptr [007E4FD8h], eax
push 00000001h
call 00007F3D24BD6366h
pop ecx
test eax, eax
jne 00007F3D24BD034Ah
push 0000001Ch
call 00007F3D24BD0408h
pop ecx
call 00007F3D24BD6111h
test eax, eax
jne 00007F3D24BD034Ah
push 00000010h
call 00007F3D24BD03F7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F3D24BD5F3Fh
call dword ptr [0053C364h]
mov dword ptr [007EA224h], eax
call 00007F3D24BD5DFDh
mov dword ptr [007E4F50h], eax
call 00007F3D24BD5BA6h
call 00007F3D24BD5AE8h
call 00007F3D24BD4A19h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0053C1DCh]
call 00007F3D24BD5A79h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F3D24BD0348h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38f3c8	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3eb000	0x10ce8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13c000	0x7b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13a4be	0x13b000	a18fc2ff445841d28d19c50c8fac8527	False	0.417320808531746	data	6.416285500152738	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13c000	0x255ca4	0x256000	28e7bace1f390df6fafbf1283bbd5bad	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x392000	0x5822a	0x18000	9f0a65ee84908d636cc5c796c743b74c	False	0.3090616861979167	data	5.045066735415853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3eb000	0x10ce8c	0x10d000	9f520b1c2a51e15027e44216028457e7	False	0.4362330099907063	data	5.139209064186789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x3ebb9c	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x3ebba8	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x3ebbc0	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x3ebd14	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x3ebe48	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x3ebf7c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x3ec0b0	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x3ec164	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x3ec3ac	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x3ec4f0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x3ec648	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x3ec7a0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x3ec8f8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x3eca50	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x3ecba8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x3ecd00	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x3ece58	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x3ecfb0	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x3ed594	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x3ed64c	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x3ed7b8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x3ed8fc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x3edbe4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x3edd0c	0x108028	Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152			0.44966602325439453
RT_MENU	0x4f5d34	0xc	data	Chinese	China	1.5
RT_MENU	0x4f5d40	0x284	data	Chinese	China	0.5
RT_DIALOG	0x4f5fc4	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x4f605c	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x4f61d8	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x4f62d4	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x4f63c0	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x4f6c70	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x4f6d24	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x4f6df0	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x4f6ea4	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x4f6f88	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x4f7114	0x50	data	Chinese	China	0.85
RT_STRING	0x4f7164	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x4f7190	0x78	data	Chinese	China	0.925
RT_STRING	0x4f7208	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x4f73cc	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x4f74f8	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x4f7640	0x40	data	Chinese	China	0.65625
RT_STRING	0x4f7680	0x64	data	Chinese	China	0.73
RT_STRING	0x4f76e4	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x4f78bc	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x4f79d0	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x4f79f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x4f7a08	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x4f7a1c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x4f7a40	0x14	Targa image data - Map 32 x 32808 x 16			1.1
RT_GROUP_ICON	0x4f7a54	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x4f7a68	0x14	data	Chinese	China	1.25
RT_VERSION	0x4f7a7c	0x240	data	Chinese	China	0.5642361111111112
RT_MANIFEST	0x4f7cbc	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
WINMM.dll	midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
WS2_32.dll	WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	MultiByteToWideChar, SetLastError, GetTimeZoneInformation, GetVersion, lstrcmpiA, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, OpenProcess, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, InterlockedExchange, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, TerminateThread
USER32.dll	SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, WinHelpA, KillTimer, SetTimer, LoadStringA, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, CreateAcceleratorTableA, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, DispatchMessageA, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, GetForegroundWindow, RegisterWindowMessageA, GetWindowPlacement, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, TabbedTextOutA, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, FindWindowA, UnregisterClassA, GetDlgItem, GetWindowTextA, CallWindowProcA, RegisterHotKey, UnregisterHotKey, DrawTextA, SetWindowsHookExA, UnhookWindowsHookEx, EnumThreadWindows, GetWindowTextLengthA, EnumChildWindows, CallNextHookEx, GetWindowDC, GetSysColorBrush, FrameRect, SetWindowTextA, PtInRect, CreateWindowExA, CharUpperA, BeginPaint, EndPaint
GDI32.dll	GetViewportExtEx, ExtSelectClipRgn, Arc, GetTextExtentPoint32A, GetDeviceCaps, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetDIBits, RealizePalette, SelectPalette, StretchBlt, CreatePalette, GetSystemPaletteEntries, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, SetPixel, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, SetBkMode, LineTo, MoveToEx, SetTextColor, CreateEllipticRgnIndirect, GetTextMetricsA, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetROP2, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, RoundRect, GetCurrentObject, DPtoLP, LPtoDP, Rectangle, Ellipse, CreateCompatibleDC, GetPixel, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, SetPolyFillMode, RestoreDC, SaveDC, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, CreateDIBitmap, GetTextColor
MSIMG32.dll	GradientFill
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
SHELL32.dll	SHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA, SHChangeNotify, DragQueryFileA, DragFinish, DragAcceptFiles
ole32.dll	CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
OLEAUT32.dll	UnRegisterTypeLib, LoadTypeLib, RegisterTypeLib
COMCTL32.dll	ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag, _TrackMouseEvent
WININET.dll	InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
comdlg32.dll	ChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:55:34.678817034 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:34.798908949 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:34.799133062 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:34.803435087 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:34.923018932 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:36.587385893 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:36.587527990 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:36.587563992 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:36.587596893 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:36.587624073 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:36.587631941 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:36.587698936 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:36.587726116 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:36.852756023 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:37.127736092 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:39.169121027 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:39.169208050 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:42.194469929 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:42.314230919 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.276657104 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.276724100 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.276765108 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.276803970 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.276833057 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.276885033 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.276933908 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.276983023 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.277040958 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.277188063 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.277544022 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:43.277960062 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.495735884 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:55:43.615206957 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:44.134504080 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:55:44.135492086 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:05.963061094 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:06.084899902 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:06.085011959 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:06.085340977 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:06.204878092 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:07.897269964 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:07.897327900 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:07.897336960 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:07.897440910 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:07.897442102 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:07.897458076 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:07.897500992 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:08.157107115 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:08.276720047 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:08.808504105 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:08.808648109 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:12.049168110 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:12.168869972 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:12.722774982 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:12.722865105 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:12.722971916 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:13.092422962 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:13.092483044 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:13.092575073 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:13.096709967 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:13.096884966 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:13.409723997 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:13.409769058 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:13.409959078 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:13.609325886 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:56:13.728842974 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:14.256576061 CET	80	49711	82.156.239.188	192.168.2.8
Nov 25, 2024 08:56:14.257715940 CET	49711	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:57:24.679255962 CET	49705	80	192.168.2.8	82.156.239.188
Nov 25, 2024 08:57:24.799221992 CET	80	49705	82.156.239.188	192.168.2.8
Nov 25, 2024 08:57:24.799415112 CET	49705	80	192.168.2.8	82.156.239.188

HTTP Request Dependency Graph

82.156.239.188

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	82.156.239.188	80	5624	C:\Users\user\Desktop\S12.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:55:34.803435087 CET	182	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:55:36.587385893 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 24 Nov 2024 15:27:08 GMT Accept-Ranges: bytes ETag: "9045c53853edb1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:55:36 GMT Content-Length: 5330 Data Raw: bf f1 c1 fa d0 de cf c9 b4 ab 0d 0a b5 b6 bd a3 ce de cb ab 0d 0a bd ad ba fe c6 e6 d4 b5 6f 72 70 67 0d 0a c8 da ba cf bd f8 bb af 54 44 0d 0a b5 b4 c4 a7 c2 bc 0d 0a d7 d4 b6 a8 d2 e5 ce e5 bb a2 bd ab c9 fa b4 e6 32 0d 0a c7 ac c0 a4 d2 bb d6 c0 c7 e5 d2 ec b3 a3 0d 0a cd f2 ce ef ce e5 d0 d0 0d 0a c8 ab cb e6 bb fa b6 d4 b6 d4 c5 f6 0d 0a cf f1 cb d8 bb c3 cf eb 32 0d 0a c6 eb cc ec b4 f3 ca a5 c9 f1 d7 b0 0d 0a ce de cf de d7 aa d6 b0 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 35 bc b6 b0 b5 d3 b0 0d 0a cc ec fd 88 b0 d4 d2 b5 0d 0a b7 b2 b3 be c9 f1 d3 f2 0d 0a c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb [TRUNCATED] Data Ascii: orpgTD225312TDII2TDBTORPG22I223ORPG
Nov 25, 2024 08:55:36.587527990 CET	1236	IN	Data Raw: b4 e6 0d 0a b0 b5 d6 ae bd e7 0d 0a ce d2 b5 c4 b5 d8 cd bc d5 e6 c5 a3 c6 a4 0d 0a d1 f2 b4 e5 c9 fa b4 e6 0d 0a bd ad c9 bd c1 ee 0d 0a b7 e8 bf f1 cd cc cd cc cd cc 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 54 35 d7 b0 b1 b8 0d 0a c3 ce d6 ae c9 f1 Data Ascii: T5ORPGTDIIT4
Nov 25, 2024 08:55:36.587563992 CET	1236	IN	Data Raw: b4 0d 0a cf c9 d6 ae e1 db 0d 0a b1 a3 bb a4 d5 bd b3 c7 32 0d 0a bc b4 bd ab cd a8 b9 d8 a2 f2 d7 a8 cb a2 c8 a8 cf de 0d 0a c4 e6 cc ec d0 de d0 d0 bc c7 0d 0a b7 b4 b5 f6 d3 e3 c9 fa b4 e6 0d 0a bc b4 bd ab cd a8 b9 d8 a2 f2 0d 0a c4 a9 c8 d5 Data Ascii: 222ORPG_2
Nov 25, 2024 08:55:36.587596893 CET	1236	IN	Data Raw: ca d8 cb ac cd bc 0d 0a d2 ec ca c0 bd e7 32 4f 52 50 47 0d 0a c3 b0 cf d5 bc d2 0d 0a bd a3 d2 e2 bd ad ba fe 0d 0a ca d8 bb a4 d1 c5 b5 e4 c4 c8 32 30 32 32 0d 0a bc d1 c4 fe d7 a8 d3 c3 32 0d 0a bc b4 bd ab cd a8 b9 d8 0d 0a bc d1 c4 fe d7 a8 Data Ascii: 2ORPG2022232TD
Nov 25, 2024 08:55:36.587631941 CET	611	IN	Data Raw: c6 f7 0d 0a c9 cf cd b7 c4 a7 cb fe 0d 0a b2 bb cb c0 d7 e5 c1 d4 c8 cb b9 d2 bb fa ca fd be dd 0d 0a c8 cc d5 df bc b2 b7 e7 b4 ab b9 d2 bb fa ca fd be dd 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a b7 e8 bf f1 b5 c4 b5 af c4 bb 0d 0a ca c7 d0 d6 b5 dc Data Ascii: 22
Nov 25, 2024 08:55:36.852756023 CET	149	OUT	GET /123.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:55:39.169121027 CET	434	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 17 Nov 2024 14:06:44 GMT Accept-Ranges: bytes ETag: "0b2aeeef938db1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:55:39 GMT Content-Length: 210 Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc Data Ascii: 32TDII
Nov 25, 2024 08:55:42.194469929 CET	182	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:55:43.276657104 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 24 Nov 2024 15:27:08 GMT Accept-Ranges: bytes ETag: "9045c53853edb1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:55:42 GMT Content-Length: 5330 Data Raw: bf f1 c1 fa d0 de cf c9 b4 ab 0d 0a b5 b6 bd a3 ce de cb ab 0d 0a bd ad ba fe c6 e6 d4 b5 6f 72 70 67 0d 0a c8 da ba cf bd f8 bb af 54 44 0d 0a b5 b4 c4 a7 c2 bc 0d 0a d7 d4 b6 a8 d2 e5 ce e5 bb a2 bd ab c9 fa b4 e6 32 0d 0a c7 ac c0 a4 d2 bb d6 c0 c7 e5 d2 ec b3 a3 0d 0a cd f2 ce ef ce e5 d0 d0 0d 0a c8 ab cb e6 bb fa b6 d4 b6 d4 c5 f6 0d 0a cf f1 cb d8 bb c3 cf eb 32 0d 0a c6 eb cc ec b4 f3 ca a5 c9 f1 d7 b0 0d 0a ce de cf de d7 aa d6 b0 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 35 bc b6 b0 b5 d3 b0 0d 0a cc ec fd 88 b0 d4 d2 b5 0d 0a b7 b2 b3 be c9 f1 d3 f2 0d 0a c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb [TRUNCATED] Data Ascii: orpgTD225312TDII2TDBTORPG22I223ORPG
Nov 25, 2024 08:55:43.276724100 CET	1236	IN	Data Raw: b4 e6 0d 0a b0 b5 d6 ae bd e7 0d 0a ce d2 b5 c4 b5 d8 cd bc d5 e6 c5 a3 c6 a4 0d 0a d1 f2 b4 e5 c9 fa b4 e6 0d 0a bd ad c9 bd c1 ee 0d 0a b7 e8 bf f1 cd cc cd cc cd cc 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 54 35 d7 b0 b1 b8 0d 0a c3 ce d6 ae c9 f1 Data Ascii: T5ORPGTDIIT4
Nov 25, 2024 08:55:43.276833057 CET	1236	IN	Data Raw: b4 0d 0a cf c9 d6 ae e1 db 0d 0a b1 a3 bb a4 d5 bd b3 c7 32 0d 0a bc b4 bd ab cd a8 b9 d8 a2 f2 d7 a8 cb a2 c8 a8 cf de 0d 0a c4 e6 cc ec d0 de d0 d0 bc c7 0d 0a b7 b4 b5 f6 d3 e3 c9 fa b4 e6 0d 0a bc b4 bd ab cd a8 b9 d8 a2 f2 0d 0a c4 a9 c8 d5 Data Ascii: 222ORPG_2
Nov 25, 2024 08:55:43.276933908 CET	1236	IN	Data Raw: ca d8 cb ac cd bc 0d 0a d2 ec ca c0 bd e7 32 4f 52 50 47 0d 0a c3 b0 cf d5 bc d2 0d 0a bd a3 d2 e2 bd ad ba fe 0d 0a ca d8 bb a4 d1 c5 b5 e4 c4 c8 32 30 32 32 0d 0a bc d1 c4 fe d7 a8 d3 c3 32 0d 0a bc b4 bd ab cd a8 b9 d8 0d 0a bc d1 c4 fe d7 a8 Data Ascii: 2ORPG2022232TD
Nov 25, 2024 08:55:43.277040958 CET	611	IN	Data Raw: c6 f7 0d 0a c9 cf cd b7 c4 a7 cb fe 0d 0a b2 bb cb c0 d7 e5 c1 d4 c8 cb b9 d2 bb fa ca fd be dd 0d 0a c8 cc d5 df bc b2 b7 e7 b4 ab b9 d2 bb fa ca fd be dd 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a b7 e8 bf f1 b5 c4 b5 af c4 bb 0d 0a ca c7 d0 d6 b5 dc Data Ascii: 22
Nov 25, 2024 08:55:43.277544022 CET	611	IN	Data Raw: c6 f7 0d 0a c9 cf cd b7 c4 a7 cb fe 0d 0a b2 bb cb c0 d7 e5 c1 d4 c8 cb b9 d2 bb fa ca fd be dd 0d 0a c8 cc d5 df bc b2 b7 e7 b4 ab b9 d2 bb fa ca fd be dd 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a b7 e8 bf f1 b5 c4 b5 af c4 bb 0d 0a ca c7 d0 d6 b5 dc Data Ascii: 22
Nov 25, 2024 08:55:43.495735884 CET	149	OUT	GET /123.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:55:44.134504080 CET	434	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 17 Nov 2024 14:06:44 GMT Accept-Ranges: bytes ETag: "0b2aeeef938db1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:55:44 GMT Content-Length: 210 Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc Data Ascii: 32TDII

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	82.156.239.188	80	2700	C:\Users\user\Desktop\S12.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:56:06.085340977 CET	182	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:56:07.897269964 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 24 Nov 2024 15:27:08 GMT Accept-Ranges: bytes ETag: "9045c53853edb1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:56:07 GMT Content-Length: 5330 Data Raw: bf f1 c1 fa d0 de cf c9 b4 ab 0d 0a b5 b6 bd a3 ce de cb ab 0d 0a bd ad ba fe c6 e6 d4 b5 6f 72 70 67 0d 0a c8 da ba cf bd f8 bb af 54 44 0d 0a b5 b4 c4 a7 c2 bc 0d 0a d7 d4 b6 a8 d2 e5 ce e5 bb a2 bd ab c9 fa b4 e6 32 0d 0a c7 ac c0 a4 d2 bb d6 c0 c7 e5 d2 ec b3 a3 0d 0a cd f2 ce ef ce e5 d0 d0 0d 0a c8 ab cb e6 bb fa b6 d4 b6 d4 c5 f6 0d 0a cf f1 cb d8 bb c3 cf eb 32 0d 0a c6 eb cc ec b4 f3 ca a5 c9 f1 d7 b0 0d 0a ce de cf de d7 aa d6 b0 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 35 bc b6 b0 b5 d3 b0 0d 0a cc ec fd 88 b0 d4 d2 b5 0d 0a b7 b2 b3 be c9 f1 d3 f2 0d 0a c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb [TRUNCATED] Data Ascii: orpgTD225312TDII2TDBTORPG22I223ORPG
Nov 25, 2024 08:56:07.897327900 CET	1236	IN	Data Raw: b4 e6 0d 0a b0 b5 d6 ae bd e7 0d 0a ce d2 b5 c4 b5 d8 cd bc d5 e6 c5 a3 c6 a4 0d 0a d1 f2 b4 e5 c9 fa b4 e6 0d 0a bd ad c9 bd c1 ee 0d 0a b7 e8 bf f1 cd cc cd cc cd cc 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 54 35 d7 b0 b1 b8 0d 0a c3 ce d6 ae c9 f1 Data Ascii: T5ORPGTDIIT4
Nov 25, 2024 08:56:07.897336960 CET	1236	IN	Data Raw: b4 0d 0a cf c9 d6 ae e1 db 0d 0a b1 a3 bb a4 d5 bd b3 c7 32 0d 0a bc b4 bd ab cd a8 b9 d8 a2 f2 d7 a8 cb a2 c8 a8 cf de 0d 0a c4 e6 cc ec d0 de d0 d0 bc c7 0d 0a b7 b4 b5 f6 d3 e3 c9 fa b4 e6 0d 0a bc b4 bd ab cd a8 b9 d8 a2 f2 0d 0a c4 a9 c8 d5 Data Ascii: 222ORPG_2
Nov 25, 2024 08:56:07.897440910 CET	1236	IN	Data Raw: ca d8 cb ac cd bc 0d 0a d2 ec ca c0 bd e7 32 4f 52 50 47 0d 0a c3 b0 cf d5 bc d2 0d 0a bd a3 d2 e2 bd ad ba fe 0d 0a ca d8 bb a4 d1 c5 b5 e4 c4 c8 32 30 32 32 0d 0a bc d1 c4 fe d7 a8 d3 c3 32 0d 0a bc b4 bd ab cd a8 b9 d8 0d 0a bc d1 c4 fe d7 a8 Data Ascii: 2ORPG2022232TD
Nov 25, 2024 08:56:07.897458076 CET	611	IN	Data Raw: c6 f7 0d 0a c9 cf cd b7 c4 a7 cb fe 0d 0a b2 bb cb c0 d7 e5 c1 d4 c8 cb b9 d2 bb fa ca fd be dd 0d 0a c8 cc d5 df bc b2 b7 e7 b4 ab b9 d2 bb fa ca fd be dd 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a b7 e8 bf f1 b5 c4 b5 af c4 bb 0d 0a ca c7 d0 d6 b5 dc Data Ascii: 22
Nov 25, 2024 08:56:08.157107115 CET	149	OUT	GET /123.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:56:08.808504105 CET	434	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 17 Nov 2024 14:06:44 GMT Accept-Ranges: bytes ETag: "0b2aeeef938db1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:56:07 GMT Content-Length: 210 Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc Data Ascii: 32TDII
Nov 25, 2024 08:56:12.049168110 CET	182	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:56:12.722774982 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 24 Nov 2024 15:27:08 GMT Accept-Ranges: bytes ETag: "9045c53853edb1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:56:12 GMT Content-Length: 5330 Data Raw: bf f1 c1 fa d0 de cf c9 b4 ab 0d 0a b5 b6 bd a3 ce de cb ab 0d 0a bd ad ba fe c6 e6 d4 b5 6f 72 70 67 0d 0a c8 da ba cf bd f8 bb af 54 44 0d 0a b5 b4 c4 a7 c2 bc 0d 0a d7 d4 b6 a8 d2 e5 ce e5 bb a2 bd ab c9 fa b4 e6 32 0d 0a c7 ac c0 a4 d2 bb d6 c0 c7 e5 d2 ec b3 a3 0d 0a cd f2 ce ef ce e5 d0 d0 0d 0a c8 ab cb e6 bb fa b6 d4 b6 d4 c5 f6 0d 0a cf f1 cb d8 bb c3 cf eb 32 0d 0a c6 eb cc ec b4 f3 ca a5 c9 f1 d7 b0 0d 0a ce de cf de d7 aa d6 b0 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 35 bc b6 b0 b5 d3 b0 0d 0a cc ec fd 88 b0 d4 d2 b5 0d 0a b7 b2 b3 be c9 f1 d3 f2 0d 0a c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb [TRUNCATED] Data Ascii: orpgTD225312TDII2TDBTORPG22I223ORPG
Nov 25, 2024 08:56:12.722865105 CET	188	IN	Data Raw: b4 e6 0d 0a b0 b5 d6 ae bd e7 0d 0a ce d2 b5 c4 b5 d8 cd bc d5 e6 c5 a3 c6 a4 0d 0a d1 f2 b4 e5 c9 fa b4 e6 0d 0a bd ad c9 bd c1 ee 0d 0a b7 e8 bf f1 cd cc cd cc cd cc 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 54 35 d7 b0 b1 b8 0d 0a c3 ce d6 ae c9 f1 Data Ascii: T5ORPGTDII
Nov 25, 2024 08:56:13.092422962 CET	1236	IN	Data Raw: ca c2 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 Data Ascii: T4
Nov 25, 2024 08:56:13.092483044 CET	1236	IN	Data Raw: f8 bb af 0d 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d Data Ascii: 2III32
Nov 25, 2024 08:56:13.096709967 CET	376	IN	Data Raw: d7 c5 bd a9 ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa Data Ascii: ORPG2
Nov 25, 2024 08:56:13.409723997 CET	1236	IN	Data Raw: c9 fa 0d 0a c4 a9 c8 d5 d6 ae b9 ad 0d 0a d3 d0 d6 b0 d7 aa c9 fa 0d 0a b7 e7 b1 a9 d5 bd bc c7 0d 0a d2 bb b0 d1 b9 ad 0d 0a cd f2 bb ea be f5 d0 d1 0d 0a d7 ee bf ec b5 c4 b5 b6 0d 0a ca d8 c1 cb b8 f6 cb fe 0d 0a d0 c2 d5 da cc ec d6 ae e1 db Data Ascii: X
Nov 25, 2024 08:56:13.409769058 CET	47	IN	Data Raw: c8 a6 cd e2 b4 ab 0d 0a c2 cc c9 ab d1 ad bb b7 c8 a6 ba a3 c1 bf b0 e6 0d 0a d0 c2 c9 f1 bd e7 ce a3 bb fa 0d 0a d0 fe cc ec c9 f1 c2 bc 32 Data Ascii: 2
Nov 25, 2024 08:56:13.609325886 CET	149	OUT	GET /123.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 82.156.239.188 Cache-Control: no-cache
Nov 25, 2024 08:56:14.256576061 CET	434	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Sun, 17 Nov 2024 14:06:44 GMT Accept-Ranges: bytes ETag: "0b2aeeef938db1:0" Server: Microsoft-IIS/8.5 Date: Mon, 25 Nov 2024 07:56:14 GMT Content-Length: 210 Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc Data Ascii: 32TDII

Target ID:	0
Start time:	02:55:21
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\S12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S12.exe"
Imagebase:	0x400000
File size:	4'943'872 bytes
MD5 hash:	FFD8B14A461473FFC4F11BCFCC5455C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:55:57
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\S12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S12.exe"
Imagebase:	0x400000
File size:	4'943'872 bytes
MD5 hash:	FFD8B14A461473FFC4F11BCFCC5455C0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	58.3%
Signature Coverage:	31.2%
Total number of Nodes:	587
Total number of Limit Nodes:	25

Executed Functions

Function 004AB900 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 281
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,007A59F4), ref: 004AB967
LoadLibraryA.KERNEL32(?,?,007B60F8), ref: 004ABA57
LoadLibraryA.KERNEL32(?,?), ref: 004ABA9D
LoadLibraryA.KERNEL32(?,?,007B6000,?), ref: 004ABAE5
LoadLibraryA.KERNEL32(?), ref: 004ABAFB
GetProcAddress.KERNEL32(00000000,?), ref: 004ABB0D
FreeLibrary.KERNEL32(00000000), ref: 004ABBA0

Strings

|Zy, xrefs: 004ABB2F

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID: |Zy
API String ID: 3120990465-3408344160
Opcode ID: 61b6b9daa07b246d124c0a139ab8a9d8fb3883cb81ebfc801211c624a59d3a5c
Instruction ID: c3518b32ba2be56fa16c62acadcef31c842283b1b911c52ccc547bc094c7ab36
Opcode Fuzzy Hash: 61b6b9daa07b246d124c0a139ab8a9d8fb3883cb81ebfc801211c624a59d3a5c
Instruction Fuzzy Hash: BFA1B2B1600712ABD710DF64C885FABB7A8FF9A314F04461EF85597342DB38A905CBE5

Function 10027BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
RtlAllocateHeap.NTDLL(00C40000,00000008,?,?,10028674), ref: 10027BCD
MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

Strings

error, xrefs: 10027BDB

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

Function 100193C2 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF

Strings

@, xrefs: 10019521

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
String ID: @
API String ID: 183890193-2766056989
Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

Function 1000710E Relevance: 5.1, APIs: 3, Instructions: 556
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Version$InfoNumbersSystem
String ID:
API String ID: 995872648-0
Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

Function 10007FDD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00000000), ref: 1000806F

Strings

`+Fw, xrefs: 1000806F

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Close
String ID: `+Fw
API String ID: 3535843008-1178111234
Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

Function 10018AD3 Relevance: 3.3, APIs: 2, Instructions: 304
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51

Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Create$Heap$ComputeCrc32Mutex
String ID:
API String ID: 3311811139-0
Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

Function 10004B1B Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789

Function 1001A199 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92

Function 10018EEA Relevance: 1.5, APIs: 1, Instructions: 23synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

Function 0040E048 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12144857fab742aa2fb53b430b81dee82ef61ba4afe0496ffaf9ceac8e25413
Instruction ID: cd55c5a9f04fa47e614e59606ba7ef377761991a258a78a8d209d5e9c3ad48fa
Opcode Fuzzy Hash: c12144857fab742aa2fb53b430b81dee82ef61ba4afe0496ffaf9ceac8e25413
Instruction Fuzzy Hash: F131F970900A0DEBCF01DF95E5C5AADBBB0FF08300F5180D5E9A47A259DB355A34DB26

Function 00535049 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(007E4BD8,007E4BAC,00000000,?,007E4BBC,007E4BBC,005353E4,?,00000000,00534E37,00534726,00534E53,00530257,005314FF,?,00000000), ref: 00535058
GlobalAlloc.KERNEL32(00002002,00000000,?,?,007E4BBC,007E4BBC,005353E4,?,00000000,00534E37,00534726,00534E53,00530257,005314FF,?,00000000), ref: 005350AD
GlobalHandle.KERNEL32(00C528C8), ref: 005350B6
GlobalUnlock.KERNEL32(00000000), ref: 005350BF
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 005350D1
GlobalHandle.KERNEL32(00C528C8), ref: 005350E8
GlobalLock.KERNEL32(00000000), ref: 005350EF
LeaveCriticalSection.KERNEL32(00519549,?,?,007E4BBC,007E4BBC,005353E4,?,00000000,00534E37,00534726,00534E53,00530257,005314FF,?,00000000), ref: 005350F5
GlobalLock.KERNEL32(00000000), ref: 00535104
LeaveCriticalSection.KERNEL32(?), ref: 0053514D

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: cecdb72f3c0fc0aa639791d8fe7ffa28d50368e75c1507160a4c1949cfd975af
Instruction ID: 4d0aa7751e6820c00618dacccc41a4af576bd5daa2e652948920a5211e8bd625
Opcode Fuzzy Hash: cecdb72f3c0fc0aa639791d8fe7ffa28d50368e75c1507160a4c1949cfd975af
Instruction Fuzzy Hash: 21314F752007069FD7259F68DC89A2ABFE9FB44301F004A2DF992D7761E772E848CB50

Function 100294C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
GetTickCount.KERNEL32 ref: 10029543
wsprintfA.USER32 ref: 10029558
PathFileExistsA.SHLWAPI(?), ref: 10029565

Strings

%s%x.tmp, xrefs: 10029552

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Path$CountExistsFileTempTickwsprintf
String ID: %s%x.tmp
API String ID: 3843276195-78920241
Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

Function 10028D40 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C

Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00C40000,00000008,?,?,10028674), ref: 10027BCD
Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
String ID:
API String ID: 749537981-0
Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

Function 00530267 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0053027A
SetWindowsHookExA.USER32(000000FF,VcH,00000000,00000000), ref: 0053028A

Part of subcall function 00535445: __EH_prolog.LIBCMT ref: 0053544A

Strings

VcH, xrefs: 00530283

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: VcH
API String ID: 2183259885-2144458766
Opcode ID: 26ae4b5d02357e9032cc93866d054df197b957df947c5323d772dd64dec4f0fb
Instruction ID: 12166ec2f4ebeacd6565a39929b7850e963006a91aefb28de775dfb01f460d65
Opcode Fuzzy Hash: 26ae4b5d02357e9032cc93866d054df197b957df947c5323d772dd64dec4f0fb
Instruction Fuzzy Hash: D6F0E5324417516FCB207BB0AC0EB5A3F90BB44721F051B14B5025B1E1DA74AC849B62

Function 00535C79 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,0053151E,00000000,00000000,00000000,00000000,?,00000000,?,00528DE3,00000000,00000000,00000000,00000000,00519549), ref: 00535C82
SetErrorMode.KERNEL32(00000000,?,00000000,?,00528DE3,00000000,00000000,00000000,00000000,00519549,00000000), ref: 00535C89

Part of subcall function 00535CDC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00535D0D
Part of subcall function 00535CDC: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00535DAE
Part of subcall function 00535CDC: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00535DDB

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: c58268b1bdf6dc00b6f1f85c5841c424c06de85cb16d6a219f2ee62ab5de4c7e
Instruction ID: cf6aebceb156f2f3e3c321224a214481e463f921931fdba17cb6c8cc3daf28b7
Opcode Fuzzy Hash: c58268b1bdf6dc00b6f1f85c5841c424c06de85cb16d6a219f2ee62ab5de4c7e
Instruction Fuzzy Hash: 5CF049759143158FD714FF24E449A097FE8BF88711F06988AF444AB3A2CB70E840CF96

Function 0051F4E8 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,005194C7,00000001), ref: 0051F4F9

Part of subcall function 0051F3A0: GetVersionExA.KERNEL32 ref: 0051F3BF

HeapDestroy.KERNEL32 ref: 0051F538

Part of subcall function 00522DB5: HeapAlloc.KERNEL32(00000000,00000140,0051F521,000003F8), ref: 00522DC2

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 351c973de355d66a2786ebd0a9e4c15859040b08f4a7aa84e9c9870f93375557
Instruction ID: 27a51710603559a20d0dc9222ec46377259388cae48331ce9531929b4d86f144
Opcode Fuzzy Hash: 351c973de355d66a2786ebd0a9e4c15859040b08f4a7aa84e9c9870f93375557
Instruction Fuzzy Hash: 98F065B1601301ABFB601F307D867A93DE1BF48B41F118836F404CC1E5EAA489C1A712

Function 10027C40 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
RtlFreeHeap.NTDLL(00C40000,00000000,00000000), ref: 10027C80

Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: FreeHandleHeapModuleRead
String ID:
API String ID: 627478288-0
Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2

Function 0051ADA5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0051AE8C

Part of subcall function 00521BA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BE1
Part of subcall function 00521BA4: EnterCriticalSection.KERNEL32(?,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BFC

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 94c592e1592fe3f47624781f9c3d0e6e85ffc4f5c3ed36d6f892048621c7fcb0
Instruction ID: 9d97f739a8f55d9de0420870bdc23fd432b746feda82729841aca70b0bb14267
Opcode Fuzzy Hash: 94c592e1592fe3f47624781f9c3d0e6e85ffc4f5c3ed36d6f892048621c7fcb0
Instruction Fuzzy Hash: 0621F432A41215ABEB12EFA8DC46BDEBF68FB40B20F144315F424EB1C1D7789D818796

Function 0051AC7E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074), ref: 0051AD52

Part of subcall function 00521BA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BE1
Part of subcall function 00521BA4: EnterCriticalSection.KERNEL32(?,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BFC

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 2a21fcd6282e5d7eff6bd463c3c1f0cb1e612a3d6c73154ea999e10f629456da
Instruction ID: 94e8297c40d31218c7d7cf8d1b91c47e893fd24e7613fb7245e04226f7228259
Opcode Fuzzy Hash: 2a21fcd6282e5d7eff6bd463c3c1f0cb1e612a3d6c73154ea999e10f629456da
Instruction Fuzzy Hash: F021F276842619ABEF129BA4EC06BDE7F78FF05721F140116F410BA5D0DB388D809BA6

Function 00530DDA Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 00530DF1

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 88857409dea8c24d14581a6ea9df69f28274f3c16f5456558f7775f9e3e2d523
Instruction ID: 195d21de89ece048b9a6a47670d1a794e0097adb981b5dd2bf56f85bbfe71d5f
Opcode Fuzzy Hash: 88857409dea8c24d14581a6ea9df69f28274f3c16f5456558f7775f9e3e2d523
Instruction Fuzzy Hash: F0D0A7720083629BCB02DF608808D4FBFE8BF65311F058C4DF58053211C320D418DB62

Function 10028E50 Relevance: 1.5, APIs: 1, Instructions: 4fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21

Non-executed Functions

Function 1001F2ED Relevance: 27.7, APIs: 17, Instructions: 2156windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1001F57C
IsIconic.USER32(00000000), ref: 1001F86F
GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
GetWindowRect.USER32(00000000,?), ref: 100201EB
CreateCompatibleDC.GDI32(00000000), ref: 100205D5
CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
SelectObject.GDI32(00000000,00000000), ref: 10020798
CreateCompatibleDC.GDI32(00000000), ref: 100207D7
SelectObject.GDI32(00000000,00000000), ref: 1002086C
PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
SelectObject.GDI32(00000000,00000000), ref: 10020ADE
GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4

Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8

Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
String ID:
API String ID: 3140154463-0
Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25

Function 10014289 Relevance: 23.7, APIs: 15, Instructions: 1193COMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: FileFindNamePath
String ID:
API String ID: 1422272338-0
Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52

Function 1000C655 Relevance: 17.0, APIs: 9, Instructions: 3537threadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA

Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73

GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked$CodeProcessThreadWindow
String ID:
API String ID: 1323220708-0
Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15

Function 1002129C Relevance: 14.7, APIs: 9, Instructions: 1172COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000001,00000001), ref: 1002140D
GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
CreateCompatibleDC.GDI32(00000000), ref: 100218DC
SelectObject.GDI32(00000000,00000000), ref: 1002195D
PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
SelectObject.GDI32(00000000,00000000), ref: 100220CA
ReleaseDC.USER32(00000000,00000000), ref: 10022153

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
String ID:
API String ID: 2343085801-0
Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26

Function 10017804 Relevance: 7.8, Strings: 6, Instructions: 270COMMON

Download Yara Rule

Strings

\REGISTRY\USER, xrefs: 10017A52
_Classes, xrefs: 10017AA0
\, xrefs: 10017871
\REGISTRY\MACHINE, xrefs: 10017A0C
\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT, xrefs: 1001796A
?, xrefs: 10017833

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
API String ID: 0-1655980394
Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62

Function 100221E2 Relevance: 6.3, APIs: 4, Instructions: 331fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59

Function 1001A8BE Relevance: 6.3, APIs: 4, Instructions: 265COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1001A976
SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ObjectSelect$Release
String ID:
API String ID: 3581861777-0
Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96

Function 1001A6F8 Relevance: 6.1, APIs: 4, Instructions: 133windowthreadCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 1001A773
IsWindowVisible.USER32(00000000), ref: 1001A7AC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
GetWindow.USER32(00000000,00000002), ref: 1001A872

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Window$ProcessThreadVisible
String ID:
API String ID: 569392824-0
Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96

Function 1001221F Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 630nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00000000), ref: 10012990

Strings

(, xrefs: 10012244
`+Fw, xrefs: 10012990

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Close
String ID: ($`+Fw
API String ID: 3535843008-151059746
Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61

Function 100151BD Relevance: 5.3, APIs: 3, Instructions: 822COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
UnloadKeyboardLayout.USER32(00000000), ref: 100159A5

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: InfoParametersSystem$KeyboardLayoutUnload
String ID:
API String ID: 1487128349-0
Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62

Function 1001419C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34nativesynchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
NtClose.NTDLL(?), ref: 100141D7

Strings

`+Fw, xrefs: 100141D7

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CloseMutexRelease
String ID: `+Fw
API String ID: 2985832019-1178111234
Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A

Function 100198CC Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 434stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06

Strings

w, xrefs: 10019BBE
Z, xrefs: 10019B7F

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: lstrlen
String ID: Z$w
API String ID: 1659193697-2716038989
Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55

Function 1002378A Relevance: 4.6, APIs: 3, Instructions: 104COMMON

Download Yara Rule

APIs

WindowFromDC.USER32(00000000), ref: 100237BF
GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CurrentFromObjectWindow
String ID:
API String ID: 1970099965-0
Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96

Function 1001AC51 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 700COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 1001ACD1

Strings

, xrefs: 1001B0E1

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ObjectStock
String ID:
API String ID: 3428563643-3916222277
Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22

Function 10025484 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 423COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544

Strings

Thread, xrefs: 10025515

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: Thread
API String ID: 367298776-915163573
Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65

Function 10024781 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841

Strings

Process, xrefs: 10024812

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: Process
API String ID: 367298776-1235230986
Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61

Function 10026356 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 587stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700

Strings

#, xrefs: 1002641F

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: lstrlen
String ID: #
API String ID: 1659193697-1885708031
Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14

Function 10007E55 Relevance: 3.1, APIs: 2, Instructions: 119COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55

Function 1001363D Relevance: 3.1, APIs: 2, Instructions: 110COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55

Function 10017D41 Relevance: 3.1, APIs: 2, Instructions: 108COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55

Function 10011653 Relevance: 3.1, APIs: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32(1001176C), ref: 100116D4
CallWindowProcA.USER32(?,?,?,?), ref: 10011714

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CallDispatchMessageProcWindow
String ID:
API String ID: 3568206097-0
Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52

Function 00536062 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00536105,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53,00530257,005314FF), ref: 00536075
InitializeCriticalSection.KERNEL32(007E4D70,?,00536105,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53,00530257), ref: 0053609A

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: CriticalInitializeSectionVersion
String ID:
API String ID: 385228656-0
Opcode ID: db3f122a7b5d9b3c1d0920e8273e2a94725cd2091444c0204d68c0600030a1ad
Instruction ID: a39afcb56e62d8a6348f2b4652840b96c8d8d33fdc14f7cdb3b85823a9a9a11e
Opcode Fuzzy Hash: db3f122a7b5d9b3c1d0920e8273e2a94725cd2091444c0204d68c0600030a1ad
Instruction Fuzzy Hash: 3BE08C36083250EFEB268B05FE8D3983BA0B31CF16F08C009F442581A4C3F86441DB4C

Function 100032EA Relevance: 2.8, Strings: 1, Instructions: 1588COMMON

Download Yara Rule

Strings

, xrefs: 100034D2

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56

Function 1000210D Relevance: 2.7, APIs: 2, Instructions: 237COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55

Function 1001DB5C Relevance: 2.4, APIs: 1, Instructions: 857COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51

Function 1001BFA0 Relevance: 2.4, APIs: 1, Instructions: 850COMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: FileFindNamePath
String ID:
API String ID: 1422272338-0
Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66

Function 100259D9 Relevance: 2.2, APIs: 1, Instructions: 733COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65

Function 1001D1C4 Relevance: 2.2, APIs: 1, Instructions: 693libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E

Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CodeLibraryLoad
String ID:
API String ID: 4269728939-0
Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55

Function 10008EDD Relevance: 2.0, APIs: 1, Instructions: 541COMMON

Download Yara Rule

APIs

Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E

RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: MemoryMoveatoi
String ID:
API String ID: 2867837884-0
Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22

Function 10006495 Relevance: 1.8, APIs: 1, Instructions: 318COMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(00000000), ref: 1000665A

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: MemoryMove
String ID:
API String ID: 1951056069-0
Opcode ID: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
Instruction ID: de403b7ac96d81ad167a5567031b13b093eba99a0845d2f8fdd956dd85fb778c
Opcode Fuzzy Hash: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
Instruction Fuzzy Hash: 12B151B5A812969BFF00CF58DCC1B95B7E1EF69324B291470E846AF344D378B861DB21

Function 10015B34 Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: KeyboardLayoutList
String ID:
API String ID: 4253248152-0
Opcode ID: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
Instruction ID: 3f0b898e91331e47705899626b39ccd446a255f5e12301d86a1815f33d743008
Opcode Fuzzy Hash: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
Instruction Fuzzy Hash: 487158F6E00205AFEB00DFA4ECC2BAE77E5EF58251F540025E609EF341E775A9448B62

Function 10006051 Relevance: 1.6, APIs: 1, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62

Function 1000B61E Relevance: 1.6, APIs: 1, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62

Function 1000FF10 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ComputeCrc32
String ID:
API String ID: 660108262-0
Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51

Function 100188E1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756

Function 10001D56 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

IsBadCodePtr.KERNEL32(00000000), ref: 10001D73

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Code
String ID:
API String ID: 3609698214-0
Opcode ID: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
Instruction ID: e6d0952806afafb3bf167878436ee8aac056beef16ad5c6831721f9da55ad4d1
Opcode Fuzzy Hash: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
Instruction Fuzzy Hash: E8118B70900209FBEB60DF64CC05BED7BB4EF01390F2041AAED08AA1D4DB729A15DB85

Function 10013C18 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
Instruction ID: 374fef4b2e02d52e2e07c0ca9dad6c55ed4794edc6ac8ae58a0c039705d7fb64
Opcode Fuzzy Hash: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
Instruction Fuzzy Hash: CC0171B5E0020DABDB00FFE09D82BAEBBB9EB04301F404466F50876105EB71EA549B92

Function 1001A031 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
Instruction ID: cb7720b851b721871b731c706f7cbe3d90cdbd700e2746e4ab45e97b10e25004
Opcode Fuzzy Hash: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
Instruction Fuzzy Hash: 5C018DB5D00218ABDB11FFD09C82B9E77B8EB09341F804466F50476111D7719B988792

Function 10022882 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
Instruction ID: c1b15002a30057ddc80440081b4ff6bc33ecde6fccf9cd62e387e343abd0d63a
Opcode Fuzzy Hash: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
Instruction Fuzzy Hash: DF014DB5D0021DFBEB10EFE0AC82B9E7778EB14644F904066F50466151EB719B549B91

Function 10006C96 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
Instruction ID: 4cade7ef096b15f562c821cb4de08ab4d3fc558eeb9d0de8a70c828ff9c11a3c
Opcode Fuzzy Hash: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
Instruction Fuzzy Hash: 170175B5E0020DEBEB00EFE0EC82FAE7B79EF04240F504066E51566105D771AB549B92

Function 1000FCB0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
Instruction ID: 0aed2d4544eee8039acc50f3c1f3685790efcc1e5774387d789b9b1403c596f7
Opcode Fuzzy Hash: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
Instruction Fuzzy Hash: 9A0188B5D0430DABEB10FFE09C82FAE7779EB04280F40046BF505A6505DB71AA14EB92

Function 10003116 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
Instruction ID: 385097fba51063c84e9e930c69dc2d7aac367372f62906f312b1c310141ed2ce
Opcode Fuzzy Hash: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
Instruction Fuzzy Hash: 40015275D00208E7EB01EFE09C92BEF7B78EB08280F404066E51566155DB71AA149B92

Function 1000FD4D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
Instruction ID: 3f7b499d2902c1e46d25e5c31060a7ca09a1136a131adf16b63838e7b32e6cd5
Opcode Fuzzy Hash: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
Instruction Fuzzy Hash: 0B018875D0024CABEB00FFE0DC82EAE7779EB05380F50006AF505A6115DB716A54EB92

Function 10008DA3 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
Instruction ID: 4c97a0654b066084171f968f8b0ad47121c2de6078470ba5a976a0987d87b010
Opcode Fuzzy Hash: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
Instruction Fuzzy Hash: EC0175B5D00219E7EB00FFE0EC82BAE7B78FB14240F504466F54566145EB716B549B92

Function 10007DB8 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
Instruction ID: 3b8a368ce3914a44cda768e978636fd60f477d925661c7c420499c797e447cb4
Opcode Fuzzy Hash: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
Instruction Fuzzy Hash: 9B0171B5D00249ABEB00FFE0EC82AAEBB78FB04240F404466E60966115DB75AB549B92

Function 10008E40 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
Instruction ID: 1686f6cdf9a679c1f5c84585fd33387023eb604c586a5dba44084a63d2e43e5f
Opcode Fuzzy Hash: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
Instruction Fuzzy Hash: 9C0171B5D00359ABEB10FFE0DC82BAEBB78FB04380F400066E64576115EB71AB54CB92

Function 1000FA6F Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
Instruction ID: 82e752f980966cf0ba4425328bdbe0b5f15696934bb6f442517d9b0340b204dc
Opcode Fuzzy Hash: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
Instruction Fuzzy Hash: 510179B5E00209EBEB00FFE09C82AAEB778EB05240F504466F54566145EBB16654DB92

Function 10022A80 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
Instruction ID: 1a66ded8f8981fca5c39a2578b95296ca62aec53b1f76630b0cdbd515d7a4f8c
Opcode Fuzzy Hash: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
Instruction Fuzzy Hash: D60175B5D00308BBDB11EFE0AC82FEEBB78EB14344F400066E90566501E7B56B14DB92

Function 10011E89 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
Instruction ID: ae9516facd56fc145b0b9ba1995b908798816dd09d6beae3d77d7b55205b3fe1
Opcode Fuzzy Hash: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
Instruction Fuzzy Hash: AF0184B5E0420CABDB00FFE0EC82BEEBBB9EB04244F400466F5056A111DB75EA549B92

Function 100246E4 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
Instruction ID: 4f30fde94411f2541dcfd4e169ebb1e46575794177a9fc60b21b5106f81313a2
Opcode Fuzzy Hash: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
Instruction Fuzzy Hash: 1001D8B5D0431CA7DB00FFE0ACC2FAEBB78EB05300F810465E51566101EBB16A14DB92

Function 10008B27 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
Instruction ID: 91e5747cc3fe246938bda6916c84b67a4fdfd623eeedb860250414ba6297eca5
Opcode Fuzzy Hash: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
Instruction Fuzzy Hash: 7B0171B5D0020DABEB50FFE49C82EAEBBB8FB04240F500466E54466115EB71AB14DB92

Function 1000833D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
Instruction ID: 31dc5b1c38583c82a0824eac09af333b299f07736d69ab93248bda9d1065cdb0
Opcode Fuzzy Hash: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
Instruction Fuzzy Hash: 390175B5D04308A7EB40FFE09C82AAE7778FB04640F405476F54466145D771AB54CB92

Function 1000B353 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92

Function 100137A3 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
Instruction ID: 3d49d6b3b442fbd771079eef3efcaca9525747ce25c9376b7200e1962427cb25
Opcode Fuzzy Hash: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
Instruction Fuzzy Hash: 420152B5D04309A7EB00FFE09C82AAEB778EF04240F504066F50466151EB75AA54DB92

Function 10008BC4 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
Instruction ID: e89bca5dfd4d69b457f6ee300803ba63458d7d33b5f739f05a8734b2afd2cb97
Opcode Fuzzy Hash: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
Instruction Fuzzy Hash: 4C0171B5D00209ABEB00FFE49CC2EAEBB78FB04240F900466E55566116DB71AB549BA6

Function 10013FC8 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
Instruction ID: 2564c689c805b87f96d1dc3a9772f8e9f463aef008d258d62ef8b45eff4f05b1
Opcode Fuzzy Hash: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
Instruction Fuzzy Hash: 8E01D875D0030CA7DB11FFE09C82F9E7779EB08300F400026F615A7112DB75EA549B92

Function 10007BCA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
Instruction ID: c3b43e173740565f2226f67ccfeaefedf346a2cdf78e56352eac70fc933f1a03
Opcode Fuzzy Hash: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
Instruction Fuzzy Hash: B0017575D0020CA7FB00FFE09C86F9EBB78FB14340F44446AE61966105E775AA549B92

Function 100253E7 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
Instruction ID: 3e1362fdfd7180a89e2653fc66fb6b654d9ba0ea71b3ee1e512a707afa301e7c
Opcode Fuzzy Hash: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
Instruction Fuzzy Hash: 730188B5D0021CA7DB00FFE0AC82B9EB7B8EB04345F904467F90566111D7B29A549B96

Function 1000B3F0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
Instruction ID: 8d0e244bf49903d48fd7c686830ea074e98c76a4a96eec9f774984162f9bf409
Opcode Fuzzy Hash: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
Instruction Fuzzy Hash: BF0148B5D0431DABEB00FFE09C82FAEB778EB14340F904465F50566116EB71AB54DB92

Function 100236FF Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Ancestor
String ID:
API String ID: 4063365101-0
Opcode ID: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
Instruction ID: eb8589c6fe16dd3324ac60df81f06840749ea93634a8b87ae7cb4ae9ae9ba44e
Opcode Fuzzy Hash: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
Instruction Fuzzy Hash: C3F03CB4E44308EBDB10EF90E9467ADFB70EB06741F509065E6047B180E7B25A509A8A

Function 10010199 Relevance: 1.5, APIs: 1, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
Instruction ID: 16cce99742d90ffd21a6e538df0c97e42957f62968f0f4cbc8e65f9f29ad9446
Opcode Fuzzy Hash: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
Instruction Fuzzy Hash: D8F03970E45208FBDB21EF95DC02BADBB74EB05741F1080A5FA087A180D7B5AB509B95

Function 1000634E Relevance: 1.5, APIs: 1, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: MutexRelease
String ID:
API String ID: 1638419-0
Opcode ID: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
Instruction ID: 7b3213fa97c1f7abe5e99e727b00606adf76b996470ce0c1231a1946aded7527
Opcode Fuzzy Hash: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
Instruction Fuzzy Hash: 3AD017B0D45308B7E610AE90EC03B69BA34D706761F105161FA082A190E6B2AB2496DA

Function 1000F7AC Relevance: 1.3, APIs: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5

Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: AllocExchangeHeapInterlocked
String ID:
API String ID: 3051970009-0
Opcode ID: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
Instruction ID: 8cc4e7238832c14419a96c129bec8d194933ec370394a89dab4d823145446c67
Opcode Fuzzy Hash: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
Instruction Fuzzy Hash: 51310270D40209FEFB11DFA0CC02BEDBBB5FB04780F208169F614BA194DBB56A54AB55

Function 10002461 Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
Instruction ID: 104a27a5d458cbbbe33f9f96244b29e3d4c33b82fd0089700704125604d1dba2
Opcode Fuzzy Hash: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
Instruction Fuzzy Hash: BDE08634D85308B7E610EF40DC03F29BA38E702751F508012FA083A090D6B25A649B87

Function 1000B90D Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
Instruction ID: b82dc38e16616ddd987b864122364eac5c1fff58b477e30fd6f02d7e5179368c
Opcode Fuzzy Hash: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
Instruction Fuzzy Hash: 85721AB5E40309ABEB00DF94ECC2FDDBBB5EB0C354F644025F604BA296D7B269548B25

Function 10012B40 Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
Instruction ID: 551f598227d6dd39184c223fb6ed838a91ab17f663f6174eca7434abf6d8a969
Opcode Fuzzy Hash: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
Instruction Fuzzy Hash: 40624CB5E41208BBEF11DFD0EC82BDDBBB5EF08354F204029F604BA291D7B5A9958B14

Function 10010255 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
Instruction ID: a5955423d14317f839d9afbcb2b9ced9374c1de9beecc9198591da7258e3e5d6
Opcode Fuzzy Hash: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
Instruction Fuzzy Hash: 5D32F7B1B412529BFB00CF58ECC0B59B7A5EFA9324F290074E946AF341D379B861DB61

Function 10010AD6 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
Instruction ID: 3de84c3e889b2c0bc8bcd444dabd38468fbc88aeca599d708b385d83fa676b17
Opcode Fuzzy Hash: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
Instruction Fuzzy Hash: 8E22F8B2B812529BFB00CB58ECC0B55B7A5EFA5328F290474E9469F341D379F861DB21

Function 10002628 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
Instruction ID: 2248021ac5db34a560a572e85a1c1eea5c01ad721331a673fc7f7bdbc18de49f
Opcode Fuzzy Hash: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
Instruction Fuzzy Hash: 90524471D00259CBEB20CFA4D8857DDBBB0FF48344F2180A4D599BB249DB756AA5CF90

Function 1000A7A2 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
Instruction ID: fa5432d9c06c826fba32fdae05fe74482de4f60f477d8ade94ddac0ef3f6a6e0
Opcode Fuzzy Hash: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
Instruction Fuzzy Hash: 602215B5E00309AFEF10CF94DC82BEEBBB0FF09354F204025EA14BA296D77569548B65

Function 10017ECA Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
Instruction ID: 15cd058cb613ad93b2deb671447fd93daff6b1ebb966e0e7c4ee6c7ed785d811
Opcode Fuzzy Hash: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
Instruction Fuzzy Hash: BDA160B5E00209ABEB40DEE4DC85FDE7BB8EF08354F144065FA04AA241EB75EB94CB51

Function 1001847E Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
Instruction ID: 14e6b09ccae86c50f75a937e7e6fe01258ff4770b1647dfaac81a6f85d8f69f1
Opcode Fuzzy Hash: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
Instruction Fuzzy Hash: 7A911EB5E0020AABEF10DF94DC85B9E7BB5EF18344F204025FA14BB281D775EB948B65

Function 10025977 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
Instruction ID: 03d07b771d78d2ead9be031f4861621435dfbb7e08fb32216ea170559a01278e
Opcode Fuzzy Hash: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
Instruction Fuzzy Hash: 078123B5E4025AABEF00CF94ECC1B9DBBB4FF19310F640025E549BB245D775A851CB25

Function 10024C38 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
Instruction ID: fa026d6154386471c9ed67b0d764591261ae5350a3fbb2125f892fb7990afb2f
Opcode Fuzzy Hash: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
Instruction Fuzzy Hash: 7D7135B5E4125AABEF00DFA8ECC1B9DBBB4FF18310F650025E545BB241DB75A851CB21

Function 1001A236 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-0
Opcode ID: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
Instruction ID: 38d14c2f8622cd03f50353335eeab2373c5cbc47d148ebdcbde86e05c5d9d7ee
Opcode Fuzzy Hash: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
Instruction Fuzzy Hash: 4E6134B1E40349ABEB10DFE4DC86FEF76F4EB05704F500425F615BA281D7B6AA848B52

Function 1001121A Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ComputeCrc32CreateMutex
String ID:
API String ID: 2647859408-0
Opcode ID: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
Instruction ID: 6e8f39effab6ffe8abe8ce8b2f006d743ef601de1a83054572dbacb1371b805f
Opcode Fuzzy Hash: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
Instruction Fuzzy Hash: FA611274E40319EBEB00EF91DC87BEEBB71EB05750F200026F6147A191D7B1AA51DB96

Function 1001385A Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
Instruction ID: b3edc6188f52fe0267c65f768a9f0694fa0e22adacd15ae2cea2a64ff053d747
Opcode Fuzzy Hash: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
Instruction Fuzzy Hash: E4512774E40316ABEB10CF94DC96FAE77B4EF04700F604019FA49BE291D7F59A948B92

Function 10017B68 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
Instruction ID: 3ff1e0272834ebdf1ae0fa1b74ff5d017005019b99e03679453d0ba0a45af6fd
Opcode Fuzzy Hash: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
Instruction Fuzzy Hash: E2512EB5D0021AABEB00DF94DCC1BAE77B4FF18314F140465E508EB301E775AA50CB62

Function 1001A4E7 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
Instruction ID: 740361c2a2a7975ea98c5d6579f5497acae074faf2527958cbce1f24f1a7fcbb
Opcode Fuzzy Hash: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
Instruction Fuzzy Hash: 84516B75E00209EBEB00CF94DC86FAE77F4EB05344F654055F914BE281E776DA948B62

Function 100024AC Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
Instruction ID: 6e2a16805fa032cb188a6ab09911055340e312e86faa01d054a0585f1b90ccec
Opcode Fuzzy Hash: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
Instruction Fuzzy Hash: 14312270D44609EBEF00EF80DC46BAEBB71EB06355F205169FA043A191D3B64A54DF9A

Function 1000F472 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
Instruction ID: fcd9660d6a72fe45eefc1d8f4cbc8b5498bd8d2469cb5e857af72b9432f5bd19
Opcode Fuzzy Hash: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
Instruction Fuzzy Hash: F3313575E40308AFEB50DF94DC82B9DBBB4EB0C741F504065F608EB745E7B59A409B52

Function 1000FDEA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
Instruction ID: 0e6d90bd3a1296b327673a782b8a2de37a0e9d786c9d2f722c0ab1c87383cc98
Opcode Fuzzy Hash: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
Instruction Fuzzy Hash: 69317375E40308AFEB40DF94DC82B9EBBB4EB08340F504075E608EB696E3B56A409B52

Function 1001A6C7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
Instruction ID: f5bd11c3930f14deff6542fe37b9d91d6d9d9f7f47c674184f68d859604aa839
Opcode Fuzzy Hash: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
Instruction Fuzzy Hash: 8821F975A04209EFEB41CF90CD82BAE77F8EB05754F244015B908BA181E7B5EAD09B62

Function 10014096 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
Instruction ID: cb764db9af18425858f0870d561dcf750e8236d090e6b6f48ce3485ee4cf3179
Opcode Fuzzy Hash: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
Instruction Fuzzy Hash: 7E114634845224FBEA11FF90DC42B68BBA1E712345F215067F6042A0B5DBB2ADD6DA42

Function 1000AE99 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
Instruction ID: eeae7fc577553641f4f664837c49950aecc16b69e97dd8631aebf4018e73b438
Opcode Fuzzy Hash: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
Instruction Fuzzy Hash: FA2137B090060AEAFB10DFA0C844BEEBAB8FB05380F204271F990A6198D7349AD5D754

Function 10018801 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
Instruction ID: ba505964bce734d70dae5fb9ba97fd24188bee46f8c6b217aecce00d80479512
Opcode Fuzzy Hash: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
Instruction Fuzzy Hash: C9112875D00208FBEF00DF90C84579DBBB0EB05345F508069F908AE290DB759B94DB91

Function 100189E6 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
Instruction ID: 8996d56321af788ecdb48f59df6a7f6deac0e56e76c4d4795bf28b9d59f37b7c
Opcode Fuzzy Hash: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
Instruction Fuzzy Hash: D3110975D0020DABEB00DFD0DC46BAEBBB8FF04704F104455F914BA190E7B2AB549B91

Function 10011C1A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
Instruction ID: aa05f780bf07b04a9dbad2cba23d858d9fb5007feb3f8ac9aeeac6949bb19c5c
Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1

Function 10011772 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95

Function 10014203 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85

Function 100111A7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96

Function 10019EDC Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51

Function 100101FB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96

Function 1001BADE Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A

Function 1001BB29 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA

Function 10005FDA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA

Function 1001A4C7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494

Function 10029640 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113librarywindowstringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 10029652
LoadLibraryA.KERNEL32(?), ref: 1002965F
wsprintfA.USER32 ref: 10029676
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C

Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25

atoi.MSVCRT(?), ref: 100296CB
strchr.MSVCRT ref: 10029703
GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
wsprintfA.USER32 ref: 10029739
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F

Strings

DLL ERROR, xrefs: 10029685, 10029748

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5

Function 10028E60 Relevance: 16.7, APIs: 11, Instructions: 162registrystringCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
strrchr.MSVCRT ref: 10028EC7
RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
??2@YAPAXI@Z.MSVCRT ref: 10028F03
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
String ID:
API String ID: 1380196384-0
Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2

Function 0051F57E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0051F5EB
GetStdHandle.KERNEL32(000000F4,00786A5C,00000000,00000000,00000000,?), ref: 0051F6C1
WriteFile.KERNEL32(00000000), ref: 0051F6C8

Strings

(kz, xrefs: 0051F58C
<program name unknown>, xrefs: 0051F5FB
Runtime Error!Program: , xrefs: 0051F651
..., xrefs: 0051F63D
Microsoft Visual C++ Runtime Library, xrefs: 0051F697

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: (kz$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-1971142798
Opcode ID: c4aad4e9165fe58202ad666af26f40bb066f3b615555eb8432823a7dc864f246
Instruction ID: 516800a0ce5799fa7367ab7962fea57ce27b2d417093ed144e78ed9b73e063a4
Opcode Fuzzy Hash: c4aad4e9165fe58202ad666af26f40bb066f3b615555eb8432823a7dc864f246
Instruction Fuzzy Hash: 8731F7B2A002196FEF20EB60DC89FDA7FADFF86300F144566F544E6090D674A9848F61

Function 00526D25 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0051F6A2,?,Microsoft Visual C++ Runtime Library,00012010,?,00786A5C,?,00786AAC,?,?,?,Runtime Error!Program: ), ref: 00526D37
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00526D4F
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00526D60
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00526D6D

Strings

user32.dll, xrefs: 00526D32
MessageBoxA, xrefs: 00526D49
GetLastActivePopup, xrefs: 00526D62
GetActiveWindow, xrefs: 00526D5A

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 5bbd788bc0f1d66c6f9d84f3c59142d9a9ee6941fc8ae51482670f9374c33120
Instruction ID: 1fd05ab323f4c05feef7c5f5cf9d309fc29ae15c927f24a29cb3e80a4223dd78
Opcode Fuzzy Hash: 5bbd788bc0f1d66c6f9d84f3c59142d9a9ee6941fc8ae51482670f9374c33120
Instruction Fuzzy Hash: D701B1B1706669AFCB119FB4ACC491B3EECBB9E7553148429B202D6162D678C800CB60

Function 00522AA4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00786CEC,00000001,00000000,00000000,7556E860,007E8E84,?,?,?,0051B21D,?,?,?,00000000), ref: 00522AE6
LCMapStringA.KERNEL32(00000000,00000100,00786CE8,00000001,00000000,00000000,?,?,0051B21D,?,?,?,00000000,00000001), ref: 00522B02
LCMapStringA.KERNEL32(?,?,?,0051B21D,?,?,7556E860,007E8E84,?,?,?,0051B21D,?,?,?,00000000), ref: 00522B4B
MultiByteToWideChar.KERNEL32(?,007E8E85,?,0051B21D,00000000,00000000,7556E860,007E8E84,?,?,?,0051B21D,?,?,?,00000000), ref: 00522B83
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0051B21D,?,00000000,?,?,0051B21D,?), ref: 00522BDB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0051B21D,?), ref: 00522BF1
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0051B21D,?), ref: 00522C24
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0051B21D,?), ref: 00522C8C

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: dacb0c1051471cf6fd388c50aed219f8201c7cbd0bb8061088de9064b2f5c7a0
Instruction ID: d0cc948c84140acb98b6bd45ca910a9c16a9811662686141c64fdafea2aaeb11
Opcode Fuzzy Hash: dacb0c1051471cf6fd388c50aed219f8201c7cbd0bb8061088de9064b2f5c7a0
Instruction Fuzzy Hash: 05517B36500259BFCF228F95EC85AEE7FB8FF5AB50F208519F810A11A0C3768D50EB61

Function 100283F0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

%lf, xrefs: 10028618
%I64d, xrefs: 100285E2

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID:
String ID: %I64d$%lf
API String ID: 0-1545097854
Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392

Function 0051EFB7 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051EFD2
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051EFE6
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051F012
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005194FF), ref: 0051F04A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005194FF), ref: 0051F06C
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,005194FF), ref: 0051F085
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051F098
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0051F0D6

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 02e009e722cb92e025544a8c68ff588aa727541fdaf250bcd90f41dbbbe544cd
Instruction ID: c0589fd409f2f3df51a92e49188fb87810200bc638d711211aa39fd102873a11
Opcode Fuzzy Hash: 02e009e722cb92e025544a8c68ff588aa727541fdaf250bcd90f41dbbbe544cd
Instruction Fuzzy Hash: 8531C2765052556FF7307B786C8C8BABE9CFA8D3587160939F587D3203E6219CC093A1

Function 00526278 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00786CEC,00000001,?,7556E860,007E8E84,?,?,0051B21D,?,?,?,00000000,00000001), ref: 005262B7
GetStringTypeA.KERNEL32(00000000,00000001,00786CE8,00000001,?,?,0051B21D,?,?,?,00000000,00000001), ref: 005262D1
GetStringTypeA.KERNEL32(?,?,?,?,0051B21D,7556E860,007E8E84,?,?,0051B21D,?,?,?,00000000,00000001), ref: 00526305
MultiByteToWideChar.KERNEL32(?,007E8E85,?,?,00000000,00000000,7556E860,007E8E84,?,?,0051B21D,?,?,?,00000000,00000001), ref: 0052633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0051B21D,?), ref: 00526393
GetStringTypeW.KERNEL32(?,?,00000000,0051B21D,?,?,?,?,?,?,0051B21D,?), ref: 005263A5

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: d993aebb12c19084d88c8eb77df1a5ea15e8725339c82150330d2ce18ac7f841
Instruction ID: 4edba7cee309c19a591f88a8a3a9e3b37e324c4e7450542a6db79335f7785e18
Opcode Fuzzy Hash: d993aebb12c19084d88c8eb77df1a5ea15e8725339c82150330d2ce18ac7f841
Instruction Fuzzy Hash: E8417976541269AFCF219F94EC85AEE3F78FF1A750F104825F911E6290C7358950EBA0

Function 005351B8 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(007E4BBC,007E4BAC,00000000,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 005351C3
EnterCriticalSection.KERNEL32(007E4BD8,00000010,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 00535212
LeaveCriticalSection.KERNEL32(007E4BD8,00000000,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 00535225
LocalAlloc.KERNEL32(00000000,00000004,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 0053523B
LocalReAlloc.KERNEL32(?,00000004,00000002,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 0053524D
TlsSetValue.KERNEL32(007E4BBC,00000000), ref: 00535289

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: d2e95ae2ef2ef3d821ceebb5219c940d977e2d958ca7829ce3638881d26da321
Instruction ID: 21eade69733e7d3277c5b56e3e78339b64d90ca770f600d9d7818ec89ea6a954
Opcode Fuzzy Hash: d2e95ae2ef2ef3d821ceebb5219c940d977e2d958ca7829ce3638881d26da321
Instruction Fuzzy Hash: 1D317C79200A05AFD724DF54D849F67BBA8FB85350F008A29F456C7650E770E808CB60

Function 0051F3A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0051F3BF
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0051F3F4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0051F454

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0051F3EF
__GLOBAL_HEAP_SELECTED, xrefs: 0051F42E

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 3572ed412c3de3729bc9666afe9c2b52ec3064a96b630d0086407a93b084e5ed
Instruction ID: 740eebfe5d8cb3ab2d153533bc8b108ae9bdc9ad3b51f7a8dff350b003ca6f1c
Opcode Fuzzy Hash: 3572ed412c3de3729bc9666afe9c2b52ec3064a96b630d0086407a93b084e5ed
Instruction Fuzzy Hash: CD3137729412886DFF31D674AC85ADF3F68BB16308F1448F9E085D6143E6B58ECACB11

Function 00535CDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00535D0D

Part of subcall function 00535DF9: lstrlenA.KERNEL32(00000104,00000000,?,00535D3D), ref: 00535E30

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00535DAE
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00535DDB

Strings

.INI, xrefs: 00535DD5
.HLP, xrefs: 00535DA8

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: c963b38409462e466f121ddde57f05ff8ad1770978e9df3e0d1c7463e6fdc56e
Instruction ID: eeb465950ba8c55c889ec61d356fcb768b2d3021991728b3f1ea5c113f635d5b
Opcode Fuzzy Hash: c963b38409462e466f121ddde57f05ff8ad1770978e9df3e0d1c7463e6fdc56e
Instruction Fuzzy Hash: AB3145B64047159FDB21EB74D889BC6BBFCBB14300F104D6AE19AD2151EB70AA84CF60

Function 004ACA50 Relevance: 7.9, APIs: 5, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba6db1b9f5f1b75eadc7581a07f1651c588ebb33f20b14ba471431f925f09aa
Instruction ID: 9c3fc0481d2632eefff3cfa1ca5a8782aae47521f90d3be8cb1c49ac8152dd6c
Opcode Fuzzy Hash: 9ba6db1b9f5f1b75eadc7581a07f1651c588ebb33f20b14ba471431f925f09aa
Instruction Fuzzy Hash: 9BC1A3715142069FC710DF29D88196BB7F8EF96718F04492EF856D7301EB38E906CBAA

Function 0051F0E9 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0051F147
GetFileType.KERNEL32(?,?,00000000), ref: 0051F1F2
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0051F255
GetFileType.KERNEL32(00000000,?,00000000), ref: 0051F263
SetHandleCount.KERNEL32 ref: 0051F29A

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 8804967d421623b69b9d306bc46cd38db62f1c5f72f36c0dd336e487dde062d5
Instruction ID: 322cbd2f009fa3171bacede9f164a3c486178c07cef8b92d1643dc5bb4b78316
Opcode Fuzzy Hash: 8804967d421623b69b9d306bc46cd38db62f1c5f72f36c0dd336e487dde062d5
Instruction Fuzzy Hash: 71515739604681DFE720CB68DC887A97FE1FB65324F248A38D566DB2E1DB308985C701

Function 0051F30C Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0051B812,0051E127,00000000,?,?,00000000,00000001), ref: 0051F30E
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0051F31C
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0051F368

Part of subcall function 0051BC06: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 0051BCFC

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0051F340
GetCurrentThreadId.KERNEL32 ref: 0051F351

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: ba0eee6bd67abeebd2bfe8a622b8f833cdd97f349b4afab7b6c177c9f86c6af2
Instruction ID: da6090704ecb1498fae0a8860f9cea104ae879c4dfebedadfbba4df1cc3f9846
Opcode Fuzzy Hash: ba0eee6bd67abeebd2bfe8a622b8f833cdd97f349b4afab7b6c177c9f86c6af2
Instruction Fuzzy Hash: D9F0963A6006226BE6312B74BC0D59A3E51BF81771B244525F992E52F1DF348881A7A0

Function 005360F5 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(007E4D70,?,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53), ref: 00536130
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53), ref: 00536142
LeaveCriticalSection.KERNEL32(007E4D70,?,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53), ref: 0053614B
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53,00530257), ref: 0053615D

Part of subcall function 00536062: GetVersion.KERNEL32(?,00536105,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53,00530257,005314FF), ref: 00536075

Strings

pM~, xrefs: 0053612A

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID: pM~
API String ID: 1193629340-1507515441
Opcode ID: b160592cc84e1923a85c5fb0b19678a28b52c5988244365266bc818e4c248cdb
Instruction ID: 67943f62e31b5e5d1261fbedaf45c03437b917f364874310fb72425bab49e23c
Opcode Fuzzy Hash: b160592cc84e1923a85c5fb0b19678a28b52c5988244365266bc818e4c248cdb
Instruction Fuzzy Hash: BAF04F7650224AEFCB10DFA5ECC4956BB6DFB18316B01803AF74596021D738A465CA58

Function 10027B50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10027B78
MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F

Strings

program internal error number is %d. %s, xrefs: 10027B72
error, xrefs: 10027B87

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616

Function 005238FC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,007A71D0,007A71D0,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000), ref: 0052391D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000), ref: 00523941
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000), ref: 0052395B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000,?), ref: 00523A1C
HeapFree.KERNEL32(00000000,00000000,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000,?,00000000), ref: 00523A33

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 80afa1d8db8af756db37550e04db8b69799d4bea7613117a64f4cd1e3919ed15
Instruction ID: d23a8818f8f5d15d96426a6c491ad2d715f2af2a784987dae2190a870e9d18fb
Opcode Fuzzy Hash: 80afa1d8db8af756db37550e04db8b69799d4bea7613117a64f4cd1e3919ed15
Instruction Fuzzy Hash: 6C3131716017159FD3208F28EC80B21BFE0FBC6B50F108639E895AB2D0E7B8A940CB08

Function 10029F50 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10029FB3
LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
free.MSVCRT ref: 10029FF6
free.MSVCRT ref: 1002A014

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: free$Stringmalloc
String ID:
API String ID: 3576809655-0
Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365

Function 00519469 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0051948F

Part of subcall function 0051F4E8: HeapCreate.KERNEL32(00000000,00001000,00000000,005194C7,00000001), ref: 0051F4F9
Part of subcall function 0051F4E8: HeapDestroy.KERNEL32 ref: 0051F538

GetCommandLineA.KERNEL32 ref: 005194EF
GetStartupInfoA.KERNEL32(?), ref: 0051951A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0051953D

Part of subcall function 00519596: ExitProcess.KERNEL32 ref: 005195B3

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 9ebc7757549c5b5fdd25bc12325ab7f3c421a56d948ddadbbed1891eb21730ce
Instruction ID: d48d32dc2e69bc8c380e07880079c2db0a14c01221ffb9da2e5d7503fec6d90f
Opcode Fuzzy Hash: 9ebc7757549c5b5fdd25bc12325ab7f3c421a56d948ddadbbed1891eb21730ce
Instruction Fuzzy Hash: 5D2194B59413569FFB14EFA5EC5AAED7FA8FF98700F104419F801AA291DB784980CB60

Function 10028DB0 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35

Memory Dump Source

Source File: 00000000.00000002.2721914859.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_S12.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID:
API String ID: 3602564925-0
Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66

Function 0051E65F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0051E673

Strings

, xrefs: 0051E6BC
, xrefs: 0051E698

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: cc868e347b92da634eb937fafac418430455a8e68f9ad9b8e241234bebb79f45
Instruction ID: fe7fe4fd7e7806078beb07309a765864dc3cd7fbb91048f2e362ebbb3d9f8387
Opcode Fuzzy Hash: cc868e347b92da634eb937fafac418430455a8e68f9ad9b8e241234bebb79f45
Instruction Fuzzy Hash: 594136310052D85AFB168714DD8BFFA7FA9FF1A710F1404E5DA4ACB1D3C2294A849BA3

Function 00529564 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0051C3AC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00519549,00000000), ref: 0051C3DA

__EH_prolog.LIBCMT ref: 0052959B
lstrcpynA.KERNEL32(?,?,00000104), ref: 00529688

Strings

00~, xrefs: 00529581, 00529589

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: ExceptionH_prologRaiselstrcpyn
String ID: 00~
API String ID: 2915105959-3016840778
Opcode ID: 8d18cb3317a77a7cb6eee695dd16e86228a4b34e9fd1f8a737edf2e43fa56a27
Instruction ID: 81ae26cfc8df1534b0653399ba3b088088ad6ba5aee9098f81440df2e4cbac5f
Opcode Fuzzy Hash: 8d18cb3317a77a7cb6eee695dd16e86228a4b34e9fd1f8a737edf2e43fa56a27
Instruction Fuzzy Hash: C04179B1640705EFD721DF69D885B9BBFE4FF4A304F10482EE59A97281C774A904CBA1

Function 0052345A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,00523222,00000000,00000000,00000000,0051ADF3,00000000,00000000,?,00000000,00000000,00000000), ref: 00523482
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00523222,00000000,00000000,00000000,0051ADF3,00000000,00000000,?,00000000,00000000,00000000), ref: 005234B6
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 005234D0
HeapFree.KERNEL32(00000000,?), ref: 005234E7

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: f13daed7f1989bc2781c153a3d120f08413ead6a1562478e70323a1c64e8363b
Instruction ID: 173ab0d95bd09eb436b1159a2ba2215ed1ab500eaec4264db94b0425ed0c2d8e
Opcode Fuzzy Hash: f13daed7f1989bc2781c153a3d120f08413ead6a1562478e70323a1c64e8363b
Instruction Fuzzy Hash: DE11BF312013519FC7619F28EC89D227FB1FB8A7247148999F25AEE1F0CBB99845CF45

Function 00521B7B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521B88
InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521B90
InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521B98
InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521BA0

Memory Dump Source

Source File: 00000000.00000002.2718636915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2718606091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718788974.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719063294.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719090699.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719118042.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719138929.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719168402.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719195464.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719218900.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719242918.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2719379821.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S12.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: b49b871d6a7617c71ca50ceb443bb2f96f8d8360548bbaa3cdd33ca8a79aee22
Instruction ID: 5a6f4887537ab00b8a403fab33e207afd605fb238ecfa710e82116cc183222cd
Opcode Fuzzy Hash: b49b871d6a7617c71ca50ceb443bb2f96f8d8360548bbaa3cdd33ca8a79aee22
Instruction Fuzzy Hash: 40C00236805034EECA116B65FD0584A3F66EB8A2A13098063A104511B086651C10EFD4

Analysis Process: S12.exePID: 2700, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	58%
Signature Coverage:	0%
Total number of Nodes:	590
Total number of Limit Nodes:	23

Executed Functions

Function 100193C2 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF

Strings

@, xrefs: 10019521

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
String ID: @
API String ID: 183890193-2766056989
Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

Function 1000710E Relevance: 5.1, APIs: 3, Instructions: 556
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Version$InfoNumbersSystem
String ID:
API String ID: 995872648-0
Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

Function 10007FDD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00000000), ref: 1000806F

Strings

`+Fw, xrefs: 1000806F

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Close
String ID: `+Fw
API String ID: 3535843008-1178111234
Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

Function 10018AD3 Relevance: 3.3, APIs: 2, Instructions: 304
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51

Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Create$Heap$ComputeCrc32Mutex
String ID:
API String ID: 3311811139-0
Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

Function 1001A199 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92

Function 10018EEA Relevance: 1.5, APIs: 1, Instructions: 23synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

Function 004AB900 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 281
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,007A59F4), ref: 004AB967
LoadLibraryA.KERNEL32(?,?,007B60F8), ref: 004ABA57
LoadLibraryA.KERNEL32(?,?), ref: 004ABA9D
LoadLibraryA.KERNEL32(?,?,007B6000,?), ref: 004ABAE5
LoadLibraryA.KERNEL32(?), ref: 004ABAFB
GetProcAddress.KERNEL32(00000000,?), ref: 004ABB0D
FreeLibrary.KERNEL32(00000000), ref: 004ABBA0

Strings

|Zy, xrefs: 004ABB2F

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID: |Zy
API String ID: 3120990465-3408344160
Opcode ID: 61b6b9daa07b246d124c0a139ab8a9d8fb3883cb81ebfc801211c624a59d3a5c
Instruction ID: c3518b32ba2be56fa16c62acadcef31c842283b1b911c52ccc547bc094c7ab36
Opcode Fuzzy Hash: 61b6b9daa07b246d124c0a139ab8a9d8fb3883cb81ebfc801211c624a59d3a5c
Instruction Fuzzy Hash: BFA1B2B1600712ABD710DF64C885FABB7A8FF9A314F04461EF85597342DB38A905CBE5

Function 00535049 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(007E4BD8,007E4BAC,00000000,?,007E4BBC,007E4BBC,005353E4,?,00000000,00534E37,00534726,00534E53,00530257,005314FF,?,00000000), ref: 00535058
GlobalAlloc.KERNEL32(00002002,00000000,?,?,007E4BBC,007E4BBC,005353E4,?,00000000,00534E37,00534726,00534E53,00530257,005314FF,?,00000000), ref: 005350AD
GlobalHandle.KERNEL32(00A344C0), ref: 005350B6
GlobalUnlock.KERNEL32(00000000), ref: 005350BF
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 005350D1
GlobalHandle.KERNEL32(00A344C0), ref: 005350E8
GlobalLock.KERNEL32(00000000), ref: 005350EF
LeaveCriticalSection.KERNEL32(00519549,?,?,007E4BBC,007E4BBC,005353E4,?,00000000,00534E37,00534726,00534E53,00530257,005314FF,?,00000000), ref: 005350F5
GlobalLock.KERNEL32(00000000), ref: 00535104
LeaveCriticalSection.KERNEL32(?), ref: 0053514D

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: cecdb72f3c0fc0aa639791d8fe7ffa28d50368e75c1507160a4c1949cfd975af
Instruction ID: 4d0aa7751e6820c00618dacccc41a4af576bd5daa2e652948920a5211e8bd625
Opcode Fuzzy Hash: cecdb72f3c0fc0aa639791d8fe7ffa28d50368e75c1507160a4c1949cfd975af
Instruction Fuzzy Hash: 21314F752007069FD7259F68DC89A2ABFE9FB44301F004A2DF992D7761E772E848CB50

Function 00535CDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00535D0D

Part of subcall function 00535DF9: lstrlenA.KERNEL32(00000104,00000000,?,00535D3D), ref: 00535E30

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00535DAE
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00535DDB

Strings

.HLP, xrefs: 00535DA8
.INI, xrefs: 00535DD5

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: c963b38409462e466f121ddde57f05ff8ad1770978e9df3e0d1c7463e6fdc56e
Instruction ID: eeb465950ba8c55c889ec61d356fcb768b2d3021991728b3f1ea5c113f635d5b
Opcode Fuzzy Hash: c963b38409462e466f121ddde57f05ff8ad1770978e9df3e0d1c7463e6fdc56e
Instruction Fuzzy Hash: AB3145B64047159FDB21EB74D889BC6BBFCBB14300F104D6AE19AD2151EB70AA84CF60

Function 100294C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
GetTickCount.KERNEL32 ref: 10029543
wsprintfA.USER32 ref: 10029558
PathFileExistsA.SHLWAPI(?), ref: 10029565

Strings

%s%x.tmp, xrefs: 10029552

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Path$CountExistsFileTempTickwsprintf
String ID: %s%x.tmp
API String ID: 3843276195-78920241
Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

Function 10027BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
RtlAllocateHeap.NTDLL(00A30000,00000008,?,?,10028674), ref: 10027BCD
MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

Strings

error, xrefs: 10027BDB

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

Function 10028D40 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C

Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00A30000,00000008,?,?,10028674), ref: 10027BCD
Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
String ID:
API String ID: 749537981-0
Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

Function 00530267 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0053027A
SetWindowsHookExA.USER32(000000FF,VcH,00000000,00000000), ref: 0053028A

Part of subcall function 00535445: __EH_prolog.LIBCMT ref: 0053544A

Strings

VcH, xrefs: 00530283

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: VcH
API String ID: 2183259885-2144458766
Opcode ID: 26ae4b5d02357e9032cc93866d054df197b957df947c5323d772dd64dec4f0fb
Instruction ID: 12166ec2f4ebeacd6565a39929b7850e963006a91aefb28de775dfb01f460d65
Opcode Fuzzy Hash: 26ae4b5d02357e9032cc93866d054df197b957df947c5323d772dd64dec4f0fb
Instruction Fuzzy Hash: D6F0E5324417516FCB207BB0AC0EB5A3F90BB44721F051B14B5025B1E1DA74AC849B62

Function 00535C79 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,0053151E,00000000,00000000,00000000,00000000,?,00000000,?,00528DE3,00000000,00000000,00000000,00000000,00519549), ref: 00535C82
SetErrorMode.KERNEL32(00000000,?,00000000,?,00528DE3,00000000,00000000,00000000,00000000,00519549,00000000), ref: 00535C89

Part of subcall function 00535CDC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00535D0D
Part of subcall function 00535CDC: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00535DAE
Part of subcall function 00535CDC: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00535DDB

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: c58268b1bdf6dc00b6f1f85c5841c424c06de85cb16d6a219f2ee62ab5de4c7e
Instruction ID: cf6aebceb156f2f3e3c321224a214481e463f921931fdba17cb6c8cc3daf28b7
Opcode Fuzzy Hash: c58268b1bdf6dc00b6f1f85c5841c424c06de85cb16d6a219f2ee62ab5de4c7e
Instruction Fuzzy Hash: 5CF049759143158FD714FF24E449A097FE8BF88711F06988AF444AB3A2CB70E840CF96

Function 0051F4E8 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,005194C7,00000001), ref: 0051F4F9

Part of subcall function 0051F3A0: GetVersionExA.KERNEL32 ref: 0051F3BF

HeapDestroy.KERNEL32 ref: 0051F538

Part of subcall function 00522DB5: HeapAlloc.KERNEL32(00000000,00000140,0051F521,000003F8), ref: 00522DC2

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 351c973de355d66a2786ebd0a9e4c15859040b08f4a7aa84e9c9870f93375557
Instruction ID: 27a51710603559a20d0dc9222ec46377259388cae48331ce9531929b4d86f144
Opcode Fuzzy Hash: 351c973de355d66a2786ebd0a9e4c15859040b08f4a7aa84e9c9870f93375557
Instruction Fuzzy Hash: 98F065B1601301ABFB601F307D867A93DE1BF48B41F118836F404CC1E5EAA489C1A712

Function 10027C40 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
RtlFreeHeap.NTDLL(00A30000,00000000,00000000), ref: 10027C80

Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: FreeHandleHeapModuleRead
String ID:
API String ID: 627478288-0
Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2

Function 0051ADA5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0051AE8C

Part of subcall function 00521BA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BE1
Part of subcall function 00521BA4: EnterCriticalSection.KERNEL32(?,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BFC

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 94c592e1592fe3f47624781f9c3d0e6e85ffc4f5c3ed36d6f892048621c7fcb0
Instruction ID: 9d97f739a8f55d9de0420870bdc23fd432b746feda82729841aca70b0bb14267
Opcode Fuzzy Hash: 94c592e1592fe3f47624781f9c3d0e6e85ffc4f5c3ed36d6f892048621c7fcb0
Instruction Fuzzy Hash: 0621F432A41215ABEB12EFA8DC46BDEBF68FB40B20F144315F424EB1C1D7789D818796

Function 0051AC7E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074), ref: 0051AD52

Part of subcall function 00521BA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BE1
Part of subcall function 00521BA4: EnterCriticalSection.KERNEL32(?,?,?,0051BCBC,00000009,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 00521BFC

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 2a21fcd6282e5d7eff6bd463c3c1f0cb1e612a3d6c73154ea999e10f629456da
Instruction ID: 94e8297c40d31218c7d7cf8d1b91c47e893fd24e7613fb7245e04226f7228259
Opcode Fuzzy Hash: 2a21fcd6282e5d7eff6bd463c3c1f0cb1e612a3d6c73154ea999e10f629456da
Instruction Fuzzy Hash: F021F276842619ABEF129BA4EC06BDE7F78FF05721F140116F410BA5D0DB388D809BA6

Function 10004B1B Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789

Function 00530DDA Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 00530DF1

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 88857409dea8c24d14581a6ea9df69f28274f3c16f5456558f7775f9e3e2d523
Instruction ID: 195d21de89ece048b9a6a47670d1a794e0097adb981b5dd2bf56f85bbfe71d5f
Opcode Fuzzy Hash: 88857409dea8c24d14581a6ea9df69f28274f3c16f5456558f7775f9e3e2d523
Instruction Fuzzy Hash: F0D0A7720083629BCB02DF608808D4FBFE8BF65311F058C4DF58053211C320D418DB62

Function 10028E50 Relevance: 1.5, APIs: 1, Instructions: 4fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21

Non-executed Functions

Function 100221E2 Relevance: 6.3, APIs: 4, Instructions: 331fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59

Function 1001A8BE Relevance: 6.3, APIs: 4, Instructions: 265COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1001A976
SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: ObjectSelect$Release
String ID:
API String ID: 3581861777-0
Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96

Function 1001A6F8 Relevance: 6.1, APIs: 4, Instructions: 133windowthreadCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 1001A773
IsWindowVisible.USER32(00000000), ref: 1001A7AC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
GetWindow.USER32(00000000,00000002), ref: 1001A872

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Window$ProcessThreadVisible
String ID:
API String ID: 569392824-0
Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96

Function 1001419C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34nativesynchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
NtClose.NTDLL(?), ref: 100141D7

Strings

`+Fw, xrefs: 100141D7

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: CloseMutexRelease
String ID: `+Fw
API String ID: 2985832019-1178111234
Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A

Function 10029640 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113librarywindowstringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 10029652
LoadLibraryA.KERNEL32(?), ref: 1002965F
wsprintfA.USER32 ref: 10029676
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C

Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25

atoi.MSVCRT(?), ref: 100296CB
strchr.MSVCRT ref: 10029703
GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
wsprintfA.USER32 ref: 10029739
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F

Strings

DLL ERROR, xrefs: 10029685, 10029748

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5

Function 10028E60 Relevance: 16.7, APIs: 11, Instructions: 162registrystringCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
strrchr.MSVCRT ref: 10028EC7
RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
??2@YAPAXI@Z.MSVCRT ref: 10028F03
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
String ID:
API String ID: 1380196384-0
Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2

Function 0051F57E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0051F5EB
GetStdHandle.KERNEL32(000000F4,00786A5C,00000000,00000000,00000000,?), ref: 0051F6C1
WriteFile.KERNEL32(00000000), ref: 0051F6C8

Strings

(kz, xrefs: 0051F58C
Runtime Error!Program: , xrefs: 0051F651
Microsoft Visual C++ Runtime Library, xrefs: 0051F697
..., xrefs: 0051F63D
<program name unknown>, xrefs: 0051F5FB

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: (kz$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-1971142798
Opcode ID: c4aad4e9165fe58202ad666af26f40bb066f3b615555eb8432823a7dc864f246
Instruction ID: 516800a0ce5799fa7367ab7962fea57ce27b2d417093ed144e78ed9b73e063a4
Opcode Fuzzy Hash: c4aad4e9165fe58202ad666af26f40bb066f3b615555eb8432823a7dc864f246
Instruction Fuzzy Hash: 8731F7B2A002196FEF20EB60DC89FDA7FADFF86300F144566F544E6090D674A9848F61

Function 00526D25 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0051F6A2,?,Microsoft Visual C++ Runtime Library,00012010,?,00786A5C,?,00786AAC,?,?,?,Runtime Error!Program: ), ref: 00526D37
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00526D4F
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00526D60
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00526D6D

Strings

GetActiveWindow, xrefs: 00526D5A
user32.dll, xrefs: 00526D32
MessageBoxA, xrefs: 00526D49
GetLastActivePopup, xrefs: 00526D62

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 5bbd788bc0f1d66c6f9d84f3c59142d9a9ee6941fc8ae51482670f9374c33120
Instruction ID: 1fd05ab323f4c05feef7c5f5cf9d309fc29ae15c927f24a29cb3e80a4223dd78
Opcode Fuzzy Hash: 5bbd788bc0f1d66c6f9d84f3c59142d9a9ee6941fc8ae51482670f9374c33120
Instruction Fuzzy Hash: D701B1B1706669AFCB119FB4ACC491B3EECBB9E7553148429B202D6162D678C800CB60

Function 00522AA4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00786CEC,00000001,00000000,00000000,7556E860,007E8E84,?,?,?,0051B21D,?,?,?,00000000), ref: 00522AE6
LCMapStringA.KERNEL32(00000000,00000100,00786CE8,00000001,00000000,00000000,?,?,0051B21D,?,?,?,00000000,00000001), ref: 00522B02
LCMapStringA.KERNEL32(?,?,?,0051B21D,?,?,7556E860,007E8E84,?,?,?,0051B21D,?,?,?,00000000), ref: 00522B4B
MultiByteToWideChar.KERNEL32(?,007E8E85,?,0051B21D,00000000,00000000,7556E860,007E8E84,?,?,?,0051B21D,?,?,?,00000000), ref: 00522B83
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0051B21D,?,00000000,?,?,0051B21D,?), ref: 00522BDB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0051B21D,?), ref: 00522BF1
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0051B21D,?), ref: 00522C24
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0051B21D,?), ref: 00522C8C

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: dacb0c1051471cf6fd388c50aed219f8201c7cbd0bb8061088de9064b2f5c7a0
Instruction ID: d0cc948c84140acb98b6bd45ca910a9c16a9811662686141c64fdafea2aaeb11
Opcode Fuzzy Hash: dacb0c1051471cf6fd388c50aed219f8201c7cbd0bb8061088de9064b2f5c7a0
Instruction Fuzzy Hash: 05517B36500259BFCF228F95EC85AEE7FB8FF5AB50F208519F810A11A0C3768D50EB61

Function 100283F0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

%lf, xrefs: 10028618
%I64d, xrefs: 100285E2

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID:
String ID: %I64d$%lf
API String ID: 0-1545097854
Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392

Function 0051EFB7 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051EFD2
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051EFE6
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051F012
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005194FF), ref: 0051F04A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005194FF), ref: 0051F06C
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,005194FF), ref: 0051F085
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005194FF), ref: 0051F098
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0051F0D6

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 02e009e722cb92e025544a8c68ff588aa727541fdaf250bcd90f41dbbbe544cd
Instruction ID: c0589fd409f2f3df51a92e49188fb87810200bc638d711211aa39fd102873a11
Opcode Fuzzy Hash: 02e009e722cb92e025544a8c68ff588aa727541fdaf250bcd90f41dbbbe544cd
Instruction Fuzzy Hash: 8531C2765052556FF7307B786C8C8BABE9CFA8D3587160939F587D3203E6219CC093A1

Function 00526278 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00786CEC,00000001,?,7556E860,007E8E84,?,?,0051B21D,?,?,?,00000000,00000001), ref: 005262B7
GetStringTypeA.KERNEL32(00000000,00000001,00786CE8,00000001,?,?,0051B21D,?,?,?,00000000,00000001), ref: 005262D1
GetStringTypeA.KERNEL32(?,?,?,?,0051B21D,7556E860,007E8E84,?,?,0051B21D,?,?,?,00000000,00000001), ref: 00526305
MultiByteToWideChar.KERNEL32(?,007E8E85,?,?,00000000,00000000,7556E860,007E8E84,?,?,0051B21D,?,?,?,00000000,00000001), ref: 0052633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0051B21D,?), ref: 00526393
GetStringTypeW.KERNEL32(?,?,00000000,0051B21D,?,?,?,?,?,?,0051B21D,?), ref: 005263A5

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: d993aebb12c19084d88c8eb77df1a5ea15e8725339c82150330d2ce18ac7f841
Instruction ID: 4edba7cee309c19a591f88a8a3a9e3b37e324c4e7450542a6db79335f7785e18
Opcode Fuzzy Hash: d993aebb12c19084d88c8eb77df1a5ea15e8725339c82150330d2ce18ac7f841
Instruction Fuzzy Hash: E8417976541269AFCF219F94EC85AEE3F78FF1A750F104825F911E6290C7358950EBA0

Function 005351B8 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(007E4BBC,007E4BAC,00000000,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 005351C3
EnterCriticalSection.KERNEL32(007E4BD8,00000010,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 00535212
LeaveCriticalSection.KERNEL32(007E4BD8,00000000,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 00535225
LocalAlloc.KERNEL32(00000000,00000004,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 0053523B
LocalReAlloc.KERNEL32(?,00000004,00000002,?,007E4BBC,?,00535420,007E4BAC,00000000,?,00000000,00534E37,00534726,00534E53,00530257,005314FF), ref: 0053524D
TlsSetValue.KERNEL32(007E4BBC,00000000), ref: 00535289

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: d2e95ae2ef2ef3d821ceebb5219c940d977e2d958ca7829ce3638881d26da321
Instruction ID: 21eade69733e7d3277c5b56e3e78339b64d90ca770f600d9d7818ec89ea6a954
Opcode Fuzzy Hash: d2e95ae2ef2ef3d821ceebb5219c940d977e2d958ca7829ce3638881d26da321
Instruction Fuzzy Hash: 1D317C79200A05AFD724DF54D849F67BBA8FB85350F008A29F456C7650E770E808CB60

Function 0051F3A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0051F3BF
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0051F3F4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0051F454

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0051F3EF
__GLOBAL_HEAP_SELECTED, xrefs: 0051F42E

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 3572ed412c3de3729bc9666afe9c2b52ec3064a96b630d0086407a93b084e5ed
Instruction ID: 740eebfe5d8cb3ab2d153533bc8b108ae9bdc9ad3b51f7a8dff350b003ca6f1c
Opcode Fuzzy Hash: 3572ed412c3de3729bc9666afe9c2b52ec3064a96b630d0086407a93b084e5ed
Instruction Fuzzy Hash: CD3137729412886DFF31D674AC85ADF3F68BB16308F1448F9E085D6143E6B58ECACB11

Function 004ACA50 Relevance: 7.9, APIs: 5, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba6db1b9f5f1b75eadc7581a07f1651c588ebb33f20b14ba471431f925f09aa
Instruction ID: 9c3fc0481d2632eefff3cfa1ca5a8782aae47521f90d3be8cb1c49ac8152dd6c
Opcode Fuzzy Hash: 9ba6db1b9f5f1b75eadc7581a07f1651c588ebb33f20b14ba471431f925f09aa
Instruction Fuzzy Hash: 9BC1A3715142069FC710DF29D88196BB7F8EF96718F04492EF856D7301EB38E906CBAA

Function 0051F0E9 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0051F147
GetFileType.KERNEL32(?,?,00000000), ref: 0051F1F2
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0051F255
GetFileType.KERNEL32(00000000,?,00000000), ref: 0051F263
SetHandleCount.KERNEL32 ref: 0051F29A

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 8804967d421623b69b9d306bc46cd38db62f1c5f72f36c0dd336e487dde062d5
Instruction ID: 322cbd2f009fa3171bacede9f164a3c486178c07cef8b92d1643dc5bb4b78316
Opcode Fuzzy Hash: 8804967d421623b69b9d306bc46cd38db62f1c5f72f36c0dd336e487dde062d5
Instruction Fuzzy Hash: 71515739604681DFE720CB68DC887A97FE1FB65324F248A38D566DB2E1DB308985C701

Function 0051F30C Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0051B812,0051E127,00000000,?,?,00000000,00000001), ref: 0051F30E
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0051F31C
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0051F368

Part of subcall function 0051BC06: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0051F331,00000001,00000074,?,?,00000000,00000001), ref: 0051BCFC

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0051F340
GetCurrentThreadId.KERNEL32 ref: 0051F351

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: ba0eee6bd67abeebd2bfe8a622b8f833cdd97f349b4afab7b6c177c9f86c6af2
Instruction ID: da6090704ecb1498fae0a8860f9cea104ae879c4dfebedadfbba4df1cc3f9846
Opcode Fuzzy Hash: ba0eee6bd67abeebd2bfe8a622b8f833cdd97f349b4afab7b6c177c9f86c6af2
Instruction Fuzzy Hash: D9F0963A6006226BE6312B74BC0D59A3E51BF81771B244525F992E52F1DF348881A7A0

Function 005360F5 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(007E4D70,?,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53), ref: 00536130
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53), ref: 00536142
LeaveCriticalSection.KERNEL32(007E4D70,?,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53), ref: 0053614B
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53,00530257), ref: 0053615D

Part of subcall function 00536062: GetVersion.KERNEL32(?,00536105,?,00535466,00000010,?,00000000,?,?,?,00534E4D,00534EB0,00534726,00534E53,00530257,005314FF), ref: 00536075

Strings

pM~, xrefs: 0053612A

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID: pM~
API String ID: 1193629340-1507515441
Opcode ID: b160592cc84e1923a85c5fb0b19678a28b52c5988244365266bc818e4c248cdb
Instruction ID: 67943f62e31b5e5d1261fbedaf45c03437b917f364874310fb72425bab49e23c
Opcode Fuzzy Hash: b160592cc84e1923a85c5fb0b19678a28b52c5988244365266bc818e4c248cdb
Instruction Fuzzy Hash: BAF04F7650224AEFCB10DFA5ECC4956BB6DFB18316B01803AF74596021D738A465CA58

Function 10027B50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10027B78
MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F

Strings

program internal error number is %d. %s, xrefs: 10027B72
error, xrefs: 10027B87

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616

Function 005238FC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,007A71D0,007A71D0,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000), ref: 0052391D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000), ref: 00523941
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000), ref: 0052395B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000,?), ref: 00523A1C
HeapFree.KERNEL32(00000000,00000000,?,?,00523DC8,00000000,00000010,00000000,00000009,00000009,?,0051AE51,00000010,00000000,?,00000000), ref: 00523A33

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 80afa1d8db8af756db37550e04db8b69799d4bea7613117a64f4cd1e3919ed15
Instruction ID: d23a8818f8f5d15d96426a6c491ad2d715f2af2a784987dae2190a870e9d18fb
Opcode Fuzzy Hash: 80afa1d8db8af756db37550e04db8b69799d4bea7613117a64f4cd1e3919ed15
Instruction Fuzzy Hash: 6C3131716017159FD3208F28EC80B21BFE0FBC6B50F108639E895AB2D0E7B8A940CB08

Function 10029F50 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10029FB3
LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
free.MSVCRT ref: 10029FF6
free.MSVCRT ref: 1002A014

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: free$Stringmalloc
String ID:
API String ID: 3576809655-0
Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365

Function 00519469 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0051948F

Part of subcall function 0051F4E8: HeapCreate.KERNEL32(00000000,00001000,00000000,005194C7,00000001), ref: 0051F4F9
Part of subcall function 0051F4E8: HeapDestroy.KERNEL32 ref: 0051F538

GetCommandLineA.KERNEL32 ref: 005194EF
GetStartupInfoA.KERNEL32(?), ref: 0051951A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0051953D

Part of subcall function 00519596: ExitProcess.KERNEL32 ref: 005195B3

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 9ebc7757549c5b5fdd25bc12325ab7f3c421a56d948ddadbbed1891eb21730ce
Instruction ID: d48d32dc2e69bc8c380e07880079c2db0a14c01221ffb9da2e5d7503fec6d90f
Opcode Fuzzy Hash: 9ebc7757549c5b5fdd25bc12325ab7f3c421a56d948ddadbbed1891eb21730ce
Instruction Fuzzy Hash: 5D2194B59413569FFB14EFA5EC5AAED7FA8FF98700F104419F801AA291DB784980CB60

Function 10028DB0 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35

Memory Dump Source

Source File: 00000005.00000002.2722214431.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_S12.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID:
API String ID: 3602564925-0
Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66

Function 0051E65F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0051E673

Strings

, xrefs: 0051E698
, xrefs: 0051E6BC

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: cc868e347b92da634eb937fafac418430455a8e68f9ad9b8e241234bebb79f45
Instruction ID: fe7fe4fd7e7806078beb07309a765864dc3cd7fbb91048f2e362ebbb3d9f8387
Opcode Fuzzy Hash: cc868e347b92da634eb937fafac418430455a8e68f9ad9b8e241234bebb79f45
Instruction Fuzzy Hash: 594136310052D85AFB168714DD8BFFA7FA9FF1A710F1404E5DA4ACB1D3C2294A849BA3

Function 00529564 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0051C3AC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00519549,00000000), ref: 0051C3DA

__EH_prolog.LIBCMT ref: 0052959B
lstrcpynA.KERNEL32(?,?,00000104), ref: 00529688

Strings

00~, xrefs: 00529581, 00529589

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: ExceptionH_prologRaiselstrcpyn
String ID: 00~
API String ID: 2915105959-3016840778
Opcode ID: 8d18cb3317a77a7cb6eee695dd16e86228a4b34e9fd1f8a737edf2e43fa56a27
Instruction ID: 81ae26cfc8df1534b0653399ba3b088088ad6ba5aee9098f81440df2e4cbac5f
Opcode Fuzzy Hash: 8d18cb3317a77a7cb6eee695dd16e86228a4b34e9fd1f8a737edf2e43fa56a27
Instruction Fuzzy Hash: C04179B1640705EFD721DF69D885B9BBFE4FF4A304F10482EE59A97281C774A904CBA1

Function 0052345A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,00523222,00000000,00000000,00000000,0051ADF3,00000000,00000000,?,00000000,00000000,00000000), ref: 00523482
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00523222,00000000,00000000,00000000,0051ADF3,00000000,00000000,?,00000000,00000000,00000000), ref: 005234B6
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 005234D0
HeapFree.KERNEL32(00000000,?), ref: 005234E7

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: f13daed7f1989bc2781c153a3d120f08413ead6a1562478e70323a1c64e8363b
Instruction ID: 173ab0d95bd09eb436b1159a2ba2215ed1ab500eaec4264db94b0425ed0c2d8e
Opcode Fuzzy Hash: f13daed7f1989bc2781c153a3d120f08413ead6a1562478e70323a1c64e8363b
Instruction Fuzzy Hash: DE11BF312013519FC7619F28EC89D227FB1FB8A7247148999F25AEE1F0CBB99845CF45

Function 00521B7B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521B88
InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521B90
InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521B98
InitializeCriticalSection.KERNEL32(?,0051F2AB,?,005194D9), ref: 00521BA0

Memory Dump Source

Source File: 00000005.00000002.2718692693.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2718638476.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000053C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000674000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.000000000076A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2718859784.0000000000773000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719151309.0000000000792000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719179795.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719206507.0000000000796000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719231632.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719257275.00000000007A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719287533.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719314004.00000000007A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719342814.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000007EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2719492839.00000000008ED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_S12.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: b49b871d6a7617c71ca50ceb443bb2f96f8d8360548bbaa3cdd33ca8a79aee22
Instruction ID: 5a6f4887537ab00b8a403fab33e207afd605fb238ecfa710e82116cc183222cd
Opcode Fuzzy Hash: b49b871d6a7617c71ca50ceb443bb2f96f8d8360548bbaa3cdd33ca8a79aee22
Instruction Fuzzy Hash: 40C00236805034EECA116B65FD0584A3F66EB8A2A13098063A104511B086651C10EFD4

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S12.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\602d46.tmp

C:\Users\user\AppData\Local\Temp\602da4.tmp

C:\Users\user\AppData\Local\Temp\60bae0.tmp

C:\Users\user\AppData\Local\Temp\60bb2f.tmp

C:\Users\user\Desktop\ .bmp

C:\Users\user\Desktop\ .bmp

C:\Users\user\Desktop\ .bmp

C:\Users\user\Desktop\ .bmp

C:\Users\user\Desktop\ .ini

C:\Users\user\Desktop\CF1.bmp

C:\Users\user\Desktop\QQWER.dll

C:\Users\user\Desktop\dt3.bmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
S12.exe

Function 004AB900 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 281
libraryloaderCOMMON

Function 10027BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Function 100193C2 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424
memoryfileCOMMON

Function 1000710E Relevance: 5.1, APIs: 3, Instructions: 556
COMMON

Function 10007FDD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Function 10018AD3 Relevance: 3.3, APIs: 2, Instructions: 304
memoryCOMMON

Function 00535049 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Function 100294C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Function 10028D40 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Function 00530267 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Function 00535C79 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0051F4E8 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 10027C40 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON